Phil Skentelbery
dd85917988
Architect analysis identified the root cause of 'client_id is not registered' error: h-app microformat is hidden from parsers. Includes: - Complete diagnosis of IndieAuth client registration issue - ADR-006: IndieAuth Client Identification decision record - Implementation guidelines for developer Developer task: Remove hidden attributes from h-app div. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
4.0 KiB
IndieAuth Client Registration Issue - Diagnosis Report
Date: 2025-11-19 Issue: IndieLogin.com reports "This client_id is not registered" Client ID: https://starpunk.thesatelliteoflove.com
Executive Summary
The issue is caused by the h-app microformat on StarPunk being hidden with both hidden and aria-hidden="true" attributes. This makes the client identification invisible to IndieAuth parsers.
Analysis Results
1. Identity Domain (https://thesatelliteoflove.com) ✅
Status: PROPERLY CONFIGURED
The identity page has all required IndieAuth elements:
<!-- IndieAuth endpoints are correctly declared -->
<link rel="authorization_endpoint" href="https://indieauth.com/auth">
<link rel="token_endpoint" href="https://tokens.indieauth.com/token">
<!-- h-card is properly structured -->
<div class="h-card">
<h1 class="p-name">Phil Skents</h1>
<p class="identity-url">
<a class="u-url u-uid" href="https://thesatelliteoflove.com">
https://thesatelliteoflove.com
</a>
</p>
</div>
2. StarPunk Client (https://starpunk.thesatelliteoflove.com) ❌
Status: MISCONFIGURED - Client identification is hidden
The h-app microformat exists but is invisible to parsers:
<!-- PROBLEM: hidden and aria-hidden attributes -->
<div class="h-app" hidden aria-hidden="true">
<a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
</div>
Root Cause
IndieAuth clients must be identifiable through visible h-app or h-x-app microformats. The hidden attribute makes the element completely invisible to:
- Microformat parsers
- Screen readers
- Search engines
- IndieAuth verification services
When IndieLogin.com attempts to verify the client_id, it cannot find any client identification because the h-app is hidden from the DOM.
IndieAuth Client Verification Process
- User initiates auth with client_id=https://starpunk.thesatelliteoflove.com
- IndieLogin fetches the client URL
- IndieLogin parses for h-app/h-x-app microformats
- FAILS: No visible h-app found due to
hiddenattribute - Returns error: "This client_id is not registered"
Solution
Remove the hidden and aria-hidden="true" attributes from the h-app div:
Current (Broken):
<div class="h-app" hidden aria-hidden="true">
<a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
</div>
Fixed:
<div class="h-app">
<a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
</div>
If visual hiding is desired, use CSS instead:
.h-app {
position: absolute;
left: -9999px;
width: 1px;
height: 1px;
overflow: hidden;
}
However, best practice is to keep it visible as client identification, possibly styled as:
<footer>
<div class="h-app">
<p>
<a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
<span class="p-version">v0.6.1</span>
</p>
</div>
</footer>
Verification Steps
After fixing:
- Deploy the updated HTML without
hiddenattributes - Test at https://indiewebify.me/ - verify h-app is detected
- Clear any caches (CloudFlare, browser, etc.)
- Test authentication flow at https://indielogin.com/
Additional Recommendations
-
Add more client metadata for better identification:
<div class="h-app"> <img src="/static/logo.png" class="u-logo" alt="StarPunk logo"> <a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a> <p class="p-summary">A minimal IndieWeb CMS</p> </div> -
Consider adding redirect_uri registration if using fixed callback URLs
-
Test with multiple IndieAuth parsers: