StarPunk/docs/decisions/ADR-023-indieauth-client-identification.md
Phil Skentelbery cebd3fb71e docs: Renumber duplicate ADRs to eliminate conflicts
Resolved all duplicate ADR numbers by renumbering based on chronological order:

ADR Renumbering Map:
- ADR-006-indieauth-client-identification.md → ADR-023
- ADR-010-static-identity-page.md → ADR-024
- ADR-019-indieauth-pkce-authentication.md → ADR-025
- ADR-022-indieauth-token-exchange-compliance.md → ADR-026
- ADR-022-indieauth-authentication-endpoint-correction.md → ADR-027

Files Kept Original Numbers (earliest chronologically):
- ADR-006-python-virtual-environment-uv.md (2025-11-18 19:21:31)
- ADR-010-authentication-module-design.md (2025-11-18 20:35:36)
- ADR-019-indieauth-correct-implementation.md (2025-11-19 15:43:38)
- ADR-022-auth-route-prefix-fix.md (2025-11-22 18:22:08)

Updated:
- ADR titles inside each renamed file
- Cross-references in implementation reports
- CHANGELOG.md references to ADR-025
- Renamed associated report files to match new ADR numbers
2025-11-24 10:25:00 -07:00


ADR-023: IndieAuth Client Identification Strategy

Status

Accepted

Context

StarPunk needs to identify itself as an IndieAuth client when initiating authentication flows. The current implementation uses a hidden h-app microformat, which causes IndieAuth services to reject the client_id with "This client_id is not registered" errors.

The IndieAuth specification requires clients to provide discoverable information about themselves using microformats. This allows authorization endpoints to:

  • Display client information to users
  • Verify the client is legitimate
  • Show what application is requesting access

Decision

StarPunk will use visible h-app microformats in the footer of all pages to identify itself as an IndieAuth client.

The h-app will include:

  • Application name (p-name)
  • Application URL (u-url)
  • Version number (p-version)
  • Optional: logo (u-logo)
  • Optional: description (p-summary)

Implementation:

<footer>
  <div class="h-app">
    <p>
      Powered by <a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
      <span class="p-version">v0.6.1</span>
    </p>
  </div>
</footer>

Rationale

  1. Specification Compliance: The IndieAuth spec requires client information to be discoverable via microformats parsing
  2. Transparency: Users should see what software they're using
  3. Simplicity: No JavaScript or complex rendering needed
  4. Debugging: Visible markup is easier to verify and debug
  5. SEO Benefits: Search engines can understand the application structure

Consequences

Positive

  • IndieAuth flows will work correctly
  • Client identification is transparent to users
  • Easier to debug authentication issues
  • Follows IndieWeb principles of visible metadata
  • Can be styled to match site design

Negative

  • Takes up visual space in the footer (minimal)
  • Cannot be completely hidden from view
  • Must be maintained on all pages that might be used as client_id

Alternatives Considered

1. Hidden h-app with display:none

Rejected: Some microformat parsers ignore display:none elements

2. Off-screen positioning

Rejected: Considered deceptive by some services, accessibility issues

3. Separate client information endpoint

Rejected: Adds complexity, not standard practice

4. HTTP headers

Rejected: Not part of the IndieAuth specification, so it wouldn't work

5. Meta tags

Rejected: IndieAuth uses microformats, not meta tags

Implementation Guidelines

  1. Placement: Always in the footer, consistent across all pages
  2. Styling: Subtle but visible, matching site design
  3. Content: Minimum of name and URL, optional logo and description
  4. Testing: Verify with microformats parsers before deployment
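
One way to automate the check in guideline 4, as an added example that is not StarPunk's own code: a simplified standard-library reader (not a full microformats2 parser) that extracts the h-app properties from a rendered page and flags the inline hiding this ADR rejects. The names `HAppCheck`, `check_h_app` and `HIDDEN_SAMPLE` are assumptions made for this illustration.

```python
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag
# Constructed sample: an h-app hidden with display:none, the rejected variant.
HIDDEN_SAMPLE = '<div class="h-app" style="display:none"><a class="u-url p-name" href="/">Demo</a></div>'

class HAppCheck(HTMLParser):
    """Simplified h-app reader for a pre-deployment check, not a full mf2 parser."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (hidden, inside h-app) for each open element
        self.capture = None  # (p-* property names, stack depth) being read
        self.props, self.hidden = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        style = (a.get("style") or "").replace(" ", "").lower()
        parent = self.stack[-1] if self.stack else (False, False)
        hidden = parent[0] or "hidden" in a or "display:none" in style  # inline only
        in_app = parent[1] or "h-app" in classes
        if tag not in VOID:
            self.stack.append((hidden, in_app))
        if not in_app:
            return
        self.hidden = self.hidden or hidden
        if "u-url" in classes and a.get("href"):
            self.props["url"] = a["href"]
        names = [c[2:] for c in classes if c.startswith("p-")]
        if names and tag not in VOID:
            self.capture = (names, len(self.stack))

    def handle_data(self, data):
        for name in (self.capture[0] if self.capture else ()):
            self.props[name] = self.props.get(name, "") + data

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
        if self.capture and len(self.stack) < self.capture[1]:
            self.capture = None

def check_h_app(html):
    """Return (properties, problems) for the h-app markup found in html."""
    parser = HAppCheck()
    parser.feed(html)
    props = {k: v.strip() for k, v in parser.props.items()}
    problems = [f"missing {k}" for k in ("name", "url") if not props.get(k)]
    return props, problems + (["h-app is hidden"] if parser.hidden else [])
```

Hiding applied from a stylesheet is not visible to this check, so a real microformats parser remains the authoritative test.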

Testing Checklist

References

  • ADR-003: Authentication Strategy (establishes IndieAuth as auth method)
  • ADR-004: Frontend Architecture (defines template structure)