Authorio 0.8.0 Released

13 Jul 2021

I’ve released Authorio 0.8.0 on RubyGems. This is the initial release for the package.

Authorio is the first open source project I’ve contributed to. It’s a part of the IndieWeb community which bills itself as a “people-focused alternative” to the corporate web.

So what is Authorio? It started when I wanted to add comments to this blog. This blog is built using Jekyll, which is a static website builder, and that makes adding comments a little tricky. I could try and roll my own, but that’s been done so many times it felt like a waste. There’s the ‘big tech’ commenting solutions like Disqus, but Disqus is super slow and it adds a ton of bloat to the site which didn’t appeal to me. A little more research led me to the IndieWeb community, and I appreciated their approach which is trying to wean people off “silo” sites like Facebook and Twitter and enable users to own their own data.

Webmentions are the IndieWeb protocol for managing comments. With Webmentions, you don’t handle your comments yourself so much as you keep track of the comments people make in other parts of the web. If someone wants to comment on an article, they can make a post on their own website (or a Twitter or Facebook post), and then notify you through the webmention protocol. It’s kind of like Pingbacks if you remember that sort of thing.

Another point in favor of webmentions is you don’t have to do comment moderation. No worries about people spamming the site with trash comments trying to put a link up on your page about their amazing weight loss system.

I want to enable webmentions on this blog, and a first step there is to sign in to Webmention.io. That’s a nifty service that handles collecting webmentions for you (although I think I’d eventually want to do it myself).

Webmention.io handles login via IndieAuth, which is another piece of the IndieWeb that handles authentication – passwords, logging in, etc. IndieAuth is an attempt to solve the “password problem”.

Everyone hates passwords, and there have been many attempts to get rid of them over the years. Some people just use the same password everywhere, but that’s a huge security risk. The security people say you should have a different password for every site, and each password should be a kajillion letters long and basically look like gibberish. No one can remember all that so that’s where you get password managers, but that introduces a whole other level of frustration and complexity in your web browsing. Then there’s two-factor authentication and security keys and… ugh.

With IndieAuth, you use your URL as your identity. So I can just say, I am reiterate.app and log in as this site (or the person who controls this site). Then the client (the place I’m logging in to) will go check with https://reiterate.app, which will verify my identity, and confirm it to the client site. I only need one password, which is okay because I’m not storing that password at every remote site I’m logging in to. It’s only stored once, in a place I control.

(There’s still some increased risk because if that one password is somehow compromised then it would compromise my entire identity. But again, not having it in multiple places reduces that risk somewhat. And since I control reiterate.app I can enhance the authentication I use here to make it so that if the password is somehow compromised it won’t compromise my entire identity).
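Here is the exchange described above as an added Ruby sketch (not Authorio's code): an in-memory authorization endpoint checks the password itself, hands the client a one-time code, and confirms only the identity URL when that code is redeemed. It goes a little beyond the text by binding the code to the client, redirect URI and a PKCE challenge, as the IndieAuth spec's authorization-code flow does; the class, method names and lifetime are hypothetical.

```ruby
require 'securerandom'
require 'openssl'

# PKCE S256 challenge: base64url(SHA-256(verifier)) without padding.
def pkce_challenge(verifier)
  [OpenSSL::Digest.digest('SHA256', verifier)].pack('m0').tr('+/', '-_').delete('=')
end

# Comparison that does not stop at the first differing byte.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical in-memory authorization endpoint for a single identity URL.
class SketchAuthEndpoint
  CODE_TTL = 60 # seconds; assumed lifetime for this sketch

  def initialize(me:, password:)
    @me = me
    @salt = SecureRandom.bytes(16)
    @pw_hash = kdf(password) # the only place a password verifier is stored
    @grants = {}
  end

  # Step 1: the user logs in here. The client never sees the password.
  def authorize(password:, client_id:, redirect_uri:, state:, code_challenge:)
    return nil unless secure_eq(kdf(password), @pw_hash)
    code = SecureRandom.urlsafe_base64(32)
    @grants[code] = { client_id: client_id, redirect_uri: redirect_uri,
                      challenge: code_challenge, expires: Time.now + CODE_TTL }
    { code: code, state: state } # returned to the client via redirect_uri
  end

  # Step 2: the client redeems the code and learns only the confirmed URL.
  def redeem(code:, client_id:, redirect_uri:, code_verifier:)
    grant = @grants.delete(code) # single use: a replayed code finds nothing
    return nil if grant.nil? || Time.now > grant[:expires]
    return nil unless grant[:client_id] == client_id && grant[:redirect_uri] == redirect_uri
    return nil unless secure_eq(pkce_challenge(code_verifier), grant[:challenge])
    { 'me' => @me }
  end

  private

  def kdf(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: 100_000, length: 32, hash: 'sha256')
  end
end
```

A stolen code is useless without the matching `code_verifier`, and any redemption attempt, successful or not, consumes it.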

Since I already have my own site, Reiterate, I can use that as my IndieAuth identity. I only needed to enable the site as an IndieAuth authentication endpoint. Reiterate is built on Rails, so the obvious first step is to browse the RubyGems archive for a gem I could plug in to make my site an authentication endpoint.

Except, there wasn’t any.

That’s what motivated me to create Authorio. As long as I was adding authentication endpoint functionality, I thought it wouldn’t be too much more effort to do it as a Rails Engine, isolating those parts into their own subsystem. I’ve wanted to try my hand at open source for a while and this seemed like a good place to start. It meant I had to try and follow the IndieAuth spec as closely as possible, and follow the conventions for making a Ruby Gem, and put my code up on GitHub for everyone to see.

I have to say that so far the IndieWeb community has been great. One of my worries was that I’d be doing something that someone else had already done (and I just hadn’t seen it), or I was doing it wrong somehow, but so far everyone has shown nothing but encouragement.

If you have a Rails site and want to use it to log in with IndieAuth, give Authorio a try! Let me know what you think of it. You can contact me via the Contacts page.

This post is licensed under CC BY 4.0