# IndieAuth Authentication Fix - Quick Summary

**Status**: Solution Identified, Ready for Implementation
**Priority**: CRITICAL
**Estimated Fix Time**: 1-2 hours
**Confidence**: 95%

## The Problem

IndieLogin.com rejects authentication with:

```
This client_id is not registered (https://starpunk.thesatelliteoflove.com)
```

## Root Cause

StarPunk is using an outdated client discovery approach. The IndieAuth specification evolved in 2022 from HTML microformats (h-app) to JSON metadata documents. IndieLogin.com now requires the modern JSON approach.

**What we have**: h-app microformats in the HTML footer
**What IndieLogin expects**: a JSON metadata document at a well-known URL

## The Solution

Implement the OAuth Client ID Metadata Document endpoint.

### Quick Implementation

1. **Add new route** in your Flask app:

   ```python
   from flask import current_app, jsonify


   @app.route('/.well-known/oauth-authorization-server')
   def oauth_client_metadata():
       """OAuth Client ID Metadata Document for IndieAuth discovery."""
       # All URLs derive from SITE_URL so the document matches the host it is served from.
       metadata = {
           'issuer': current_app.config['SITE_URL'],
           'client_id': current_app.config['SITE_URL'],
           'client_name': 'StarPunk',
           'client_uri': current_app.config['SITE_URL'],
           'redirect_uris': [
               f"{current_app.config['SITE_URL']}/auth/callback"
           ],
           'grant_types_supported': ['authorization_code'],
           'response_types_supported': ['code'],
           'code_challenge_methods_supported': ['S256'],
           'token_endpoint_auth_methods_supported': ['none']
       }
       response = jsonify(metadata)  # sets Content-Type: application/json
       response.cache_control.max_age = 86400  # Cache 24 hours
       response.cache_control.public = True
       return response
   ```

2. **Add discovery link** to `templates/base.html` in `<head>`:

   ```html
   ```

3. **Keep existing h-app** in the footer for backward compatibility

### Testing

```bash
# Test endpoint exists and returns JSON
curl -s https://starpunk.thesatelliteoflove.com/.well-known/oauth-authorization-server | jq .

# Verify client_id matches URL (should return: true)
curl -s https://starpunk.thesatelliteoflove.com/.well-known/oauth-authorization-server | \
  jq '.client_id == "https://starpunk.thesatelliteoflove.com"'
```

### Critical Requirements

1. The `client_id` field MUST exactly match the URL where the document is served
2. Use `current_app.config['SITE_URL']` - never hardcode URLs
3. `redirect_uris` must be an array, not a string
4. Return `Content-Type: application/json` (jsonify does this automatically)

## Why This Will Work

1. **Specification Compliant**: Implements the current IndieAuth spec (2022+) exactly
2. **Matches Error Behavior**: IndieLogin.com is checking for client registration/metadata
3. **Industry Standard**: All modern IndieAuth clients use this approach
4. **Low Risk**: Purely additive, no breaking changes
5. **Observable**: The endpoint can be verified before testing the auth flow

## What Changed in IndieAuth

| Version | Method | Status |
|---------|--------|--------|
| 2020 | h-app microformats | Legacy (supported for compatibility) |
| 2022+ | JSON metadata document | Current standard |

The IndieAuth spec now says servers "SHOULD" fetch the metadata document and "SHOULD abort if fetching fails" - this explains the rejection.

## Documentation

Full details in:

- `/home/phil/Projects/starpunk/docs/reports/indieauth-client-discovery-root-cause-analysis.md` (comprehensive analysis)
- `/home/phil/Projects/starpunk/docs/decisions/ADR-017-oauth-client-metadata-document.md` (architecture decision)

## Next Steps

1. Implement the JSON metadata endpoint
2. Add the discovery link to the HTML
3. Deploy to production
4. Test the authentication flow with IndieLogin.com
5. Verify successful login
6. Update version to v0.6.2
7. Update CHANGELOG

## Rollback Plan

If this doesn't work (unlikely):

1. Contact IndieLogin.com for clarification
2. Consider an alternative IndieAuth provider
3. Implement a self-hosted IndieAuth server

---

**Analysis Date**: 2025-11-19
**Architect**: StarPunk Architect Agent
**Reviewed**: IndieAuth spec, OAuth spec, IndieLogin.com behavior
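A check for the Critical Requirements listed above, written as an added example (not StarPunk's own code): given the Content-Type and body of a fetched metadata response, it reports which of requirements 1, 3 and 4 fail. Both sample responses are constructed; requirement 2 (no hardcoded URLs) is a code-review check and is not covered.

```python
import json
from urllib.parse import urlparse

SITE_URL = "https://starpunk.thesatelliteoflove.com"  # the client_id the page expects

# Constructed sample: the metadata the Flask route above would serve.
GOOD_CT = "application/json"
GOOD_BODY = json.dumps({
    "issuer": SITE_URL, "client_id": SITE_URL, "client_name": "StarPunk",
    "client_uri": SITE_URL, "redirect_uris": [f"{SITE_URL}/auth/callback"],
    "grant_types_supported": ["authorization_code"], "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"], "token_endpoint_auth_methods_supported": ["none"],
})
# Constructed failing sample: template-rendered page (wrong Content-Type), client_id with a
# trailing slash, and redirect_uris given as a string instead of an array.
BAD_CT = "text/html; charset=utf-8"
BAD_BODY = json.dumps({"client_id": SITE_URL + "/", "client_name": "StarPunk",
                       "redirect_uris": f"{SITE_URL}/auth/callback"})


def validate_client_metadata(site_url, content_type, body):
    """Check a fetched response against Critical Requirements 1, 3 and 4.
    Returns a list of problems; an empty list means the document passes."""
    problems = []
    # Requirement 4: Content-Type application/json (a charset parameter is acceptable).
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type is {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    # Requirement 1: client_id must match the expected URL exactly (no trailing slash).
    if doc.get("client_id") != site_url:
        problems.append(f"client_id {doc.get('client_id')!r} does not equal {site_url!r}")
    # Requirement 3: redirect_uris must be an array; each entry https on the client's host.
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list):
        problems.append(f"redirect_uris must be an array, got {type(uris).__name__}")
    else:
        host = urlparse(site_url).netloc
        for uri in uris:
            parsed = urlparse(uri)
            if parsed.scheme != "https" or parsed.netloc != host:
                problems.append(f"redirect_uri {uri!r} is not https on {host}")
    return problems


def check_samples():
    """Validate both constructed samples; returns (good_problems, bad_problems)."""
    return (validate_client_metadata(SITE_URL, GOOD_CT, GOOD_BODY),
            validate_client_metadata(SITE_URL, BAD_CT, BAD_BODY))
```

To check the live endpoint, pass it the Content-Type header and body returned by the curl call in the Testing section.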