Authorio 0.8.3 has been released.
This release adds user profiles. In the latest spec, clients can request and receive user profile data. Authorio lets you specify that data and optionally send it upon request.
I’m not sure how useful this is. I wanted to implement this because it is in the spec, but after I completed it I found that there aren’t actually any clients in the wild that use this data. I have unit tests, of course, and it looks like Authorio is “doing the right thing,” but I can’t test it with a real-life IndieAuth client because there are none. I was a little disappointed to discover that.
This will probably be the last release of Authorio for a while. It does what I wanted it to do originally. The code is fairly clean and as a first open-source project I felt it went rather smoothly. Some of that may be due to the fact that no one is using it.
There are three features I’d like to add eventually, if there’s renewed interest.
Multi-user support. I designed the schemas for Authorio to be able to handle authentication for multiple users on one site, so the backend support is there. But there’s no UI yet for adding additional users. The single-user use case handles 90% of IndieAuth endpoints, though.
Refresh tokens. As part of OAuth, it should be possible for a client to ask for a refresh token and use that token to unexpire an access token. Refresh tokens are something that IndieAuth is a little muddled on. The spec doesn’t explicitly mention them, although some other implementations handle them. I’m not sure if there are any extant clients that use IndieAuth refresh tokens, though.
Plug-ins for additional authentication schemes. It would be nice to set up an abstract class to handle authentication, so people could subclass that to implement authentication like WebAuthn or GitHub auth. Currently authentication is done only through passwords.