StarPunk/docs/reports/indieauth-fix-summary.md
Phil Skentelbery, commit 01e66a063e (2025-11-19 14:51:30 -07:00):

feat: Add detailed IndieAuth logging with security-aware token redaction

- Add logging helper functions with automatic token redaction
- Implement comprehensive logging throughout auth flow
- Add production warning for DEBUG logging
- Add 14 new tests for logging functionality
- Update version to v0.7.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>


IndieAuth Authentication Fix - Quick Summary

Status: Solution Identified, Ready for Implementation
Priority: CRITICAL
Estimated Fix Time: 1-2 hours
Confidence: 95%

The Problem

IndieLogin.com rejects authentication with:

This client_id is not registered (https://starpunk.thesatelliteoflove.com)

Root Cause

StarPunk describes itself to the authorization server only through h-app microformats on its HTML pages. The IndieAuth specification has since added a JSON client metadata document (the OAuth Client ID Metadata Document) as the preferred way for a client to publish its name, home page and redirect URIs; the document is served at the client_id URL itself, and the server fetches that URL during the authorization request. The "not registered" error indicates that IndieLogin.com now expects that document and no longer accepts a client_id that serves only HTML.

What we have: h-app microformats in the HTML footer
What IndieLogin expects: a JSON metadata document served at the client_id URL

The Solution

Implement an OAuth Client ID Metadata Document endpoint and use that document's URL as the client_id.

Quick Implementation

  1. Add a new route in your Flask app. The document must be served at the client_id URL itself, because that is the URL the authorization server fetches, so do not put it at /.well-known/oauth-authorization-server: RFC 8414 reserves that path for authorization server metadata, and a document there is never consulted for client discovery. The path below is a choice; any path on the site works as long as client_id is the URL of this route:

```python
from flask import current_app, jsonify

# `app` is the Flask instance. The path is a project choice; it must not be
# /.well-known/oauth-authorization-server, which RFC 8414 reserves for
# *authorization server* metadata.
CLIENT_METADATA_PATH = '/auth/client-metadata.json'


def client_id():
    """The client_id is the URL of the metadata document.

    Send this exact value as client_id in the authorization request and in
    the code exchange; the server fetches it and compares it to the document.
    """
    return current_app.config['SITE_URL'].rstrip('/') + CLIENT_METADATA_PATH


@app.route(CLIENT_METADATA_PATH)
def oauth_client_metadata():
    """OAuth Client ID Metadata Document for IndieAuth client discovery."""
    site = current_app.config['SITE_URL'].rstrip('/')
    metadata = {
        'client_id': client_id(),                    # MUST equal the URL of this route
        'client_name': 'StarPunk',
        'client_uri': site,                          # the app's home page, where the h-app lives
        'redirect_uris': [f"{site}/auth/callback"],  # compared exactly against redirect_uri
        # RFC 7591 client metadata names; the *_supported names belong to
        # server metadata. 'none' because StarPunk is a public client with no secret.
        'grant_types': ['authorization_code'],
        'response_types': ['code'],
        'token_endpoint_auth_method': 'none',
    }

    response = jsonify(metadata)            # sets Content-Type: application/json
    response.cache_control.max_age = 86400  # cache 24 hours; expect stale copies after changing redirect_uris
    response.cache_control.public = True
    return response
```

  2. Do not add a <link rel="indieauth-metadata"> for this. That relation is published on a user's profile URL to locate the user's authorization server metadata; it plays no part in client discovery, and pointing it at the client document would mislead servers that treat the site as a profile URL. Instead, pass client_id() as the client_id parameter in the authorization request and in the code exchange at the token endpoint.
  3. Keep the existing h-app markup in the footer; it is harmless and still describes the app to anything that parses the home page.

Testing

```bash
# The URL the metadata document is served at; this is also the client_id value
META="https://starpunk.thesatelliteoflove.com/auth/client-metadata.json"

# Test that the endpoint exists and is served as JSON (Content-Type must be application/json)
curl -sI "$META" | grep -i '^content-type'
curl -s "$META" | jq .

# Verify client_id matches the URL the document was fetched from (should return: true)
curl -s "$META" | jq --arg u "$META" '.client_id == $u'

# Verify the callback is registered (should return: true)
curl -s "$META" | jq '.redirect_uris | index("https://starpunk.thesatelliteoflove.com/auth/callback") != null'
```

Critical Requirements

  1. The client_id field MUST exactly match the URL the document is served at, and that same URL MUST be sent as client_id in the authorization request; the server fetches the client_id it was given and compares the two strings
  2. Build every URL from current_app.config['SITE_URL'] and normalize the trailing slash; never hardcode URLs, and remember the comparison is byte-for-byte
  3. redirect_uris must be an array of strings, and the redirect_uri sent in the request must match one entry exactly (scheme, host, port, path)
  4. Return Content-Type: application/json (jsonify does this automatically); an HTML response sends the server down the legacy h-app path, or to a rejection if it no longer parses h-app
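The requirements above are easiest to understand from the server's side. As an added example (not StarPunk's code and not part of this report), the following Python emulates the checks an IndieAuth authorization server makes on a client_id before trusting it: the client_id URL rules, the fetch, the content type, the client_id-equals-fetched-URL comparison and the exact redirect_uri match. It goes slightly beyond the page by including the client_id URL syntax rules from the IndieAuth spec. The host starpunk.example, the path /auth/client-metadata.json and the canned HTTP responses are constructed for the example; fetching is replaced by an in-memory table so it runs offline.

```python
"""Emulate an IndieAuth authorization server's client discovery (added example).

Fetching is replaced by a table of constructed HTTP responses so this runs
offline; the host, paths and documents below are assumptions for the example.
"""
import json
from urllib.parse import urlsplit

SITE = "https://starpunk.example"                  # assumed host
META_URL = SITE + "/auth/client-metadata.json"     # assumed metadata path; this is the client_id
CALLBACK = SITE + "/auth/callback"

# Constructed responses: url -> (status, content_type, body)
FAKE_HTTP = {
    # Correct setup: the document lives at the client_id URL and says so.
    META_URL: (200, "application/json; charset=utf-8", json.dumps({
        "client_id": META_URL,
        "client_name": "StarPunk",
        "client_uri": SITE,
        "redirect_uris": [CALLBACK],
    })),
    # Legacy setup: the site root only carries h-app markup.
    SITE + "/": (200, "text/html; charset=utf-8",
                 '<html><body><div class="h-app"><a class="u-url p-name" href="/">StarPunk</a></div></body></html>'),
    # Mistaken setup: a document at a well-known path that names the site root as client_id.
    SITE + "/.well-known/oauth-authorization-server": (200, "application/json", json.dumps({
        "client_id": SITE,
        "redirect_uris": [CALLBACK],
    })),
}


def fetch(url):
    """Stand-in for an HTTP GET; returns (status, content_type, body)."""
    return FAKE_HTTP.get(url, (404, "text/plain", "not found"))


def normalize_client_id(client_id):
    """Apply the IndieAuth client_id URL rules and return the normalized URL.

    Rules: http(s) scheme, a host, no userinfo, no fragment, no '.' or '..'
    path segments; an empty path becomes '/'. (The loopback-only IP address
    rule is omitted here.) Raises ValueError on violation.
    """
    u = urlsplit(client_id)
    if u.scheme not in ("https", "http"):
        raise ValueError("client_id must be an http(s) URL")
    if not u.hostname:
        raise ValueError("client_id must have a host")
    if u.username or u.password or u.fragment:
        raise ValueError("client_id must not contain userinfo or a fragment")
    path = u.path or "/"
    if any(seg in (".", "..") for seg in path.split("/")):
        raise ValueError("client_id must not contain dot path segments")
    return u._replace(path=path).geturl()


def discover_client(client_id, redirect_uri, http=fetch):
    """Return (accepted, reason, metadata) the way a server would decide it."""
    try:
        url = normalize_client_id(client_id)
    except ValueError as exc:
        return False, str(exc), None
    status, content_type, body = http(url)
    if status != 200:
        return False, f"fetching client_id failed (HTTP {status})", None
    if content_type.split(";")[0].strip().lower() != "application/json":
        # The legacy h-app situation: a server that no longer parses h-app
        # stops here and reports the client as not registered.
        return False, "client_id URL did not serve application/json", None
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "metadata document is not valid JSON", None
    if not isinstance(doc, dict) or doc.get("client_id") != url:
        return False, "client_id in document differs from the URL it was fetched from", doc
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not all(isinstance(r, str) for r in uris):
        return False, "redirect_uris must be an array of strings", doc
    if redirect_uri not in uris:  # exact string match, no prefix or slash tolerance
        return False, "redirect_uri is not registered for this client", doc
    return True, "ok", doc


if __name__ == "__main__":
    for cid in (META_URL, SITE, SITE + "/.well-known/oauth-authorization-server"):
        accepted, reason, _ = discover_client(cid, CALLBACK)
        print(f"{cid}: {'accepted' if accepted else 'rejected'} ({reason})")
```

Running it shows the three situations side by side: the document at its own URL is accepted, the bare site root is rejected at the content-type check (the page's current symptom), and the well-known-path document is rejected because the client_id inside it does not equal the URL it was fetched from. Note that the redirect_uri check is an exact string match, so a trailing slash or a different port is enough to fail it.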

Why This Will Work

  1. Specification Compliant: implements client discovery the way the current IndieAuth spec describes it (a JSON metadata document fetched from the client_id URL)
  2. Matches Error Behavior: "not registered" is what IndieLogin.com reports when it finds no metadata document for the client_id, which is exactly what the document supplies
  3. Widely Adopted: newer IndieAuth clients and servers use this approach
  4. Low Risk: one new route plus a changed client_id value; the existing HTML markup stays in place
  5. Observable: the endpoint can be verified with curl before testing the auth flow

What Changed in IndieAuth

| Version | Method | Status |
|---|---|---|
| 2020 | h-app microformats on the client_id page | Legacy (supported for compatibility) |
| 2024+ (editor's draft) | JSON metadata document at the client_id URL | Current standard |

The IndieAuth spec now says servers "SHOULD" fetch the metadata document from the client_id URL and "SHOULD abort if fetching fails"; a client_id that serves only HTML therefore looks unregistered to a server that has adopted this behaviour, which explains the rejection.

Documentation

Full details in:

  • /home/phil/Projects/starpunk/docs/reports/indieauth-client-discovery-root-cause-analysis.md (comprehensive analysis)
  • /home/phil/Projects/starpunk/docs/decisions/ADR-017-oauth-client-metadata-document.md (architecture decision)

Next Steps

  1. Implement the JSON metadata endpoint
  2. Send the metadata document URL as client_id in the authorization request and the code exchange
  3. Deploy to production
  4. Test authentication flow with IndieLogin.com
  5. Verify successful login
  6. Update version to v0.6.2
  7. Update CHANGELOG

Rollback Plan

If this doesn't work (unlikely):

  1. Contact IndieLogin.com for clarification
  2. Consider alternative IndieAuth provider
  3. Implement self-hosted IndieAuth server

Analysis Date: 2025-11-19
Architect: StarPunk Architect Agent
Reviewed: IndieAuth spec, OAuth spec, IndieLogin.com behavior