Title: IndieAuth
Author: IndieWeb
Published: 16 September 2013
Last modified: 25 October 2025

---


# IndieAuth

 By [IndieWeb](https://profiles.wordpress.org/indieweb/)

[Download](https://downloads.wordpress.org/plugin/indieauth.4.5.5.zip)


## Description

The plugin turns WordPress into an IndieAuth endpoint. It can act as an
authentication mechanism for WordPress and its REST API, as well as an identity
mechanism for other sites. It uses the URL from the profile page to identify the
blog user or your author url. We recommend your site be served over https to use
this. You can also install this plugin to enable web sign-in for your site using
your domain.

## Installation

 1. Upload the `indieauth` directory to your `/wp-content/plugins/` directory
 2. Activate the plugin through the ‘Plugins’ menu in WordPress
 3. That’s it

## Frequently Asked Questions

### What is IndieAuth?

[IndieAuth](https://indieauth.net) is a way of doing Web sign-in, where you use
your own homepage or author post URL (usually /author/authorname) to sign in to
other places. It is built on top of OAuth 2.0, which is used by many websites.

### Why IndieAuth?

IndieAuth is an extension to OAuth. If you are a developer, you have probably used
OAuth to get access to APIs. As a user, if you have given an application access 
to your account on a service, you probably used OAuth. One advantage of IndieAuth
is how easily it allows everyone’s website to be their own OAuth Server without 
needing applications to register with each site.

### How is IndieAuth different from OAuth?

IndieAuth was built on top of OAuth 2.0 and differs in that users and clients are
represented by URLs. Clients can verify the identity of a user and obtain an OAuth
2.0 Bearer token that can be used to access user resources.

You can read the [specification](https://indieauth.spec.indieweb.org/) for implementation
details.

### How is Web Sign In different from OpenID?

The goals of OpenID and Web Sign In are similar. Both encourage you to sign in to
a website using your own domain name. However, OpenID has failed to gain wide adoption.
Web sign-in prompts a user to enter a URL to sign on. Upon submission, it tries 
to discover the URL’s authorization endpoint, and authenticate to that. If none 
is found, it falls back on other options.

This plugin only supports searching an external site for an authorization endpoint,
allowing you to log into one site with the credentials of another site if that site
is listed as the website URL in your user profile.

### What is IndieAuth.com?

[IndieAuth.com](https://indieauth.com) is the reference implementation of the IndieAuth
Protocol. If you activate this plugin you do not need to use this site. IndieAuth.com
uses rel-me links on your website to determine your identity for authentication,
but this is not required to use this plugin, which uses your WordPress login to verify
your identity.

### How does the application know my name and avatar?

As of version 3.2, the endpoints return the display name, avatar, and URL from your
user profile.

### Does this require each user to have their own unique domain name?

No. When you provide the URL of the WordPress site and authenticate to WordPress,
it will return the URL of your author profile as your unique URL. Only one user
may use the URL of the site itself. This setting is set in the plugin settings
page, or if there is only a single user, it will default to them.

### How do I authenticate myself to an IndieAuth server?

That, as mentioned, depends on the server. By default, the built-in IndieAuth server
uses the WordPress login.

By adding IndieAuth support, you can log into sites simply by providing your URL.

### How secure is this?

We recommend your site uses HTTPS to ensure your credentials are not sent in cleartext.
As of version 4.5.5, this plugin requires Proof Key for Code Exchange (PKCE), whether
or not the client supports it.
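
What a client has to send once PKCE is required, and the check a server makes when the authorization code is redeemed, shown as an added example that is not the plugin's own code. The function names are hypothetical, the example accepts only the `S256` method, and the fixed values are the test vector from RFC 7636 Appendix B.

```php
<?php
// Added example: PKCE (RFC 7636) with the S256 method, client and server side.

/** Base64url without padding, the encoding RFC 7636 uses. */
function b64url( string $bytes ): string {
	return rtrim( strtr( base64_encode( $bytes ), '+/', '-_' ), '=' );
}

/** Client: create a fresh code_verifier (32 random bytes give 43 characters). */
function pkce_new_verifier(): string {
	return b64url( random_bytes( 32 ) );
}

/** Client: derive the code_challenge sent with the authorization request. */
function pkce_challenge( string $verifier ): string {
	return b64url( hash( 'sha256', $verifier, true ) );
}

/**
 * Server: compare the code_verifier presented at the token endpoint with the
 * code_challenge stored alongside the authorization code. A request that never
 * supplied a challenge fails, which is what "PKCE required" means in practice.
 */
function pkce_verify( ?string $stored_challenge, ?string $method, ?string $verifier ): bool {
	if ( null === $stored_challenge || null === $verifier || 'S256' !== $method ) {
		return false;
	}
	// RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
	if ( 1 !== preg_match( '/\A[A-Za-z0-9\-._~]{43,128}\z/', $verifier ) ) {
		return false;
	}
	// Constant-time comparison of the stored and recomputed challenge.
	return hash_equals( $stored_challenge, pkce_challenge( $verifier ) );
}

// Test vector from RFC 7636 Appendix B.
$verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$challenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';

$cases = array(
	'challenge derived from RFC verifier equals RFC challenge' => pkce_challenge( $verifier ) === $challenge,
	'client that started the flow redeems the code'            => pkce_verify( $challenge, 'S256', $verifier ),
	'intercepted code redeemed with a different verifier'      => pkce_verify( $challenge, 'S256', pkce_new_verifier() ),
	'client that sent no PKCE parameters'                      => pkce_verify( null, null, null ),
);
foreach ( $cases as $label => $result ) {
	printf( "%-58s %s\n", $label, $result ? 'accepted' : 'rejected' );
}
```

The client sends `code_challenge` and `code_challenge_method=S256` with the authorization request and keeps the verifier private until it sends `code_verifier` to the token endpoint.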

### What is a token endpoint?

Once you have proven your identity, the token endpoint issues a token, which applications
can use to authenticate as you to your site.

You can manage and revoke tokens under User->Manage Tokens. You will only see tokens
for the currently logged in user.

### How do I incorporate this into my plugin?

The WordPress function `get_current_user_id` works to retrieve the current user
ID if logged in via IndieAuth. The plugin offers the following functions to assist
you in using IndieAuth for your service. We suggest you check on activation for
the IndieAuth plugin by asking `if ( class_exists( 'IndieAuth_Plugin') )`.

 * `indieauth_get_scopes()` – Retrieves an array of scopes for the auth request.
 * `indieauth_check_scope( $scope )` – Checks if the provided scope is in the current
   available scopes
 * `indieauth_get_response()` – Returns the entire IndieAuth token response
 * `indieauth_get_client_id()` – Returns the client ID
 * `indieauth_get_me()` – Return the me property for the current session.
 * `new IndieAuth_Client_Discovery( $client_id )` – Class that allows you to discover
   information about a client
    - `$client->get_name()` – Once the class is instantiated, retrieve the name
    - `$client->get_icon()` – Once the class is instantiated, retrieve an icon

If any of these return null, the value was not set, and IndieAuth is not being used.
Scopes and user permissions are not enforced by the IndieAuth plugin and must be
enforced by whatever is using them. The plugin does contain a list of permission
descriptions to display when authorizing, but this is solely to aid the user in 
understanding what the scope is for.

The scope description can be customized with the filter
`indieauth_scope_description( $description, $scope )`.
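
Because the plugin leaves scope enforcement to the code that consumes the token, a REST route has to check both the token's scope and the user's capability itself. The following is an added example, not code from the IndieAuth plugin: the `example-notes/v1` routes, the `example_notes_*` names and the scope-to-capability mapping are hypothetical, and `indieauth_check_scope()` is assumed to return a truthy value when the scope was granted.

```php
<?php
/**
 * Plugin Name: Example Notes API (hypothetical, added example)
 */

// Scope and capability each action needs. Route, scope names and this mapping
// are assumptions of the example, not definitions from the IndieAuth plugin.
const EXAMPLE_NOTES_RULES = array(
	'create' => array( 'scope' => 'create', 'cap' => 'publish_posts' ),
	'delete' => array( 'scope' => 'delete', 'cap' => 'delete_posts' ),
);

/** Returns true, or a WP_Error carrying the HTTP status to send. */
function example_notes_authorize( string $action ) {
	$rule = EXAMPLE_NOTES_RULES[ $action ];

	if ( ! is_user_logged_in() ) {
		return new WP_Error( 'unauthorized', 'Authentication required.', array( 'status' => 401 ) );
	}
	// The user's own permissions apply however the request was authenticated.
	if ( ! current_user_can( $rule['cap'] ) ) {
		return new WP_Error( 'forbidden', 'User lacks the required capability.', array( 'status' => 403 ) );
	}
	// IndieAuth plugin inactive, or no IndieAuth token on this request
	// (null scopes): there is no token scope to narrow the request further.
	if ( ! class_exists( 'IndieAuth_Plugin' ) || null === indieauth_get_scopes() ) {
		return true;
	}
	// Token present: it may do only what the user granted to this client.
	if ( ! indieauth_check_scope( $rule['scope'] ) ) {
		return new WP_Error(
			'insufficient_scope',
			sprintf( 'Token lacks the "%s" scope.', $rule['scope'] ),
			array( 'status' => 403 )
		);
	}
	return true;
}

function example_notes_create( WP_REST_Request $request ) {
	$post_id = wp_insert_post(
		array(
			'post_title'   => sanitize_text_field( (string) $request->get_param( 'title' ) ),
			'post_content' => wp_kses_post( (string) $request->get_param( 'content' ) ),
			'post_status'  => 'draft',
		),
		true // Return a WP_Error on failure instead of 0.
	);
	return is_wp_error( $post_id ) ? $post_id : rest_ensure_response( array( 'id' => $post_id ) );
}

function example_notes_delete( WP_REST_Request $request ) {
	$post_id = (int) $request['id'];
	// Per-object check: the token holder must be allowed to delete this post.
	if ( ! current_user_can( 'delete_post', $post_id ) ) {
		return new WP_Error( 'forbidden', 'Cannot delete this post.', array( 'status' => 403 ) );
	}
	return rest_ensure_response( array( 'trashed' => (bool) wp_trash_post( $post_id ) ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example-notes/v1', '/notes', array(
		'methods'             => 'POST',
		'callback'            => 'example_notes_create',
		'permission_callback' => function () { return example_notes_authorize( 'create' ); },
	) );
	register_rest_route( 'example-notes/v1', '/notes/(?P<id>\d+)', array(
		'methods'             => 'DELETE',
		'callback'            => 'example_notes_delete',
		'permission_callback' => function () { return example_notes_authorize( 'delete' ); },
	) );
} );
```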

### What if I just want to use the REST API without OAuth exchange?

The plugin allows you to generate a token under User->Manage Tokens with access.
You can provide this to an application manually.

### I keep getting the response that my request is Unauthorized

Many server configurations will not pass bearer tokens. The plugin attempts to work
with this as best possible, but there may be cases we have not encountered. The 
first step is to try running the diagnostic script linked to in the settings page.
It will tell you whether tokens can be passed.

Temporarily enable [WP_DEBUG](https://codex.wordpress.org/Debugging_in_WordPress)
which will surface some errors in your logs.

If you feel comfortable with command line entries, you can request a token under
Users->Manage Tokens and use curl or similar to test logins. Replace example.com
with your site and TOKEN with your bearer token.

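    ```
    # Token sent in the Authorization header
    curl -i -H 'Authorization: Bearer TOKEN' 'https://example.com/wp-json/indieauth/1.0/test'
    # Token sent in the access_token query parameter, with a placeholder value in the header
    curl -i -H 'Authorization: Bearer test' 'https://example.com/wp-json/indieauth/1.0/test?access_token=TOKEN'
    ```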

This will quickly test your ability to authenticate to the server. Additional diagnostic
tools may be available in future.

If this does not work, you can add `define( 'INDIEAUTH_TOKEN_ERROR', true );` to
your wp-config.php file. With the `INDIEAUTH_TOKEN_ERROR` flag set, the plugin
returns an error when no token is passed, which lets you troubleshoot this issue.
However, it will require authentication for all REST API functions, even those
that do not require it, so it is off by default.

If your Micropub client includes an `Authorization` HTTP request header but you 
still get an HTTP 401 response with body `missing access token`, your server may
be stripping the `Authorization` header. If you’re on Apache, [try adding this line to your `.htaccess` file](https://github.com/indieweb/wordpress-micropub/issues/56#issuecomment-299202820):

    ```
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    ```

If you are not running the latest version of WordPress, [try this line](https://github.com/georgestephanis/application-passwords/wiki/Basic-Authorization-Header----Missing).
It is added automatically as of 5.6:

    ```
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    ```

You can also try:

    ```
    CGIPassAuth On
    ```

If that doesn’t work either, you may need to ask your hosting provider to whitelist
the `Authorization` header for your account. If they refuse, you can [pass it through Apache with an alternate name](https://github.com/indieweb/wordpress-micropub/issues/56#issuecomment-299569822).
The plugin searches for the header in `REDIRECT_HTTP_AUTHORIZATION`, as some FastCGI
implementations store the header in this location.
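
To see which of these locations the header actually reaches on a given server, a small check like the following can help. It is an added example, not the plugin's diagnostic script: `find_authorization_source()` is a hypothetical name and the `$_SERVER` arrays are constructed samples.

```php
<?php
// Added example: report where (if anywhere) the Authorization header reached PHP.

/**
 * @param array $server  A $_SERVER-style array.
 * @param array $headers Optional result of getallheaders().
 * @return array{source: ?string, token_length: int}
 */
function find_authorization_source( array $server, array $headers = array() ): array {
	$candidates = array(
		'HTTP_AUTHORIZATION'          => $server['HTTP_AUTHORIZATION'] ?? null,
		'REDIRECT_HTTP_AUTHORIZATION' => $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null,
	);
	// Header names are case-insensitive, so compare without regard to case.
	foreach ( $headers as $name => $value ) {
		if ( 0 === strcasecmp( (string) $name, 'Authorization' ) ) {
			$candidates['getallheaders()'] = $value;
		}
	}
	foreach ( $candidates as $source => $value ) {
		if ( is_string( $value ) && 1 === preg_match( '/\ABearer\s+(\S+)\z/i', trim( $value ), $m ) ) {
			// Report only the length so the diagnostic never echoes the secret.
			return array( 'source' => $source, 'token_length' => strlen( $m[1] ) );
		}
	}
	return array( 'source' => null, 'token_length' => 0 );
}

// Constructed samples standing in for $_SERVER on three server configurations.
$samples = array(
	'header passed normally' => array( 'HTTP_AUTHORIZATION' => 'Bearer CONSTRUCTED-TOKEN-1' ),
	'FastCGI after rewrite'  => array( 'REDIRECT_HTTP_AUTHORIZATION' => 'Bearer CONSTRUCTED-TOKEN-2' ),
	'header stripped'        => array( 'REQUEST_METHOD' => 'GET' ),
);
foreach ( $samples as $label => $server ) {
	$found = find_authorization_source( $server );
	printf( "%-24s source=%s token_length=%d\n", $label, $found['source'] ?? 'none', $found['token_length'] );
}
```

On a live server, pass `$_SERVER` and, where the function exists, `getallheaders()`; a result with no source while the client did send the header points to the web server stripping it before PHP runs.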

### I get an error that parameter redirect_uri is missing but I see it in the URL

Some hosting providers filter this out using mod_security. For one user, they needed
[Rule 340162](https://wiki.atomicorp.com/wiki/index.php/WAF_340162) whitelisted 
as it detects the use of a URL as an argument.

### What is the Ticketing extension and how do I enable it?

[Ticketing for IndieAuth](https://indieweb.org/Ticketing_for_IndieAuth) is a developing
extension to OAuth2/IndieAuth. It creates a ticket endpoint on your site where other
sites can send you a ticket, which can be redeemed for a token to access private
resources on that other site. You can enable the experimental endpoint functionality
by adding the line below to your wp-config.php. If this becomes more established, it
will be added in the settings page.

    ```
    define( 'INDIEAUTH_TICKET_ENDPOINT', true );
    ```

At this time, the functionality is limited to the receiving of tickets, not the
sending of same. It enables a new tab under the User called Manage External Tokens,
which allows you to see which external tokens are stored. Tokens are stored per
user.

Since the extension is developing, there is currently not a specified way to transfer
this token to a client to be used.

## Reviews

### [It works as expected](https://wordpress.org/support/topic/it-works-as-expected-18/)

 [Khürt Williams](https://profiles.wordpress.org/khurtwilliams/) 10 August 2019

What can be better than registering and logging into a website with nothing except
my website URL? Nothing!

### [Easy to setup](https://wordpress.org/support/topic/easy-to-setup-49/)

 [Prateek Saxena](https://profiles.wordpress.org/prtksxna/) 3 August 2019

Works perfectly! Guides you on how to setup your .htaccess too.

### [Simple easier method for logging into my WordPress install](https://wordpress.org/support/topic/simple-easier-method-for-logging-into-my-wordpress-install/)

 [Chris Aldrich](https://profiles.wordpress.org/chrisaldrich/) 26 January 2017

I love the fact that I can use my own domain name to login to WordPress. It also
takes me far less time to log in and delegates well to Twitter, Github, Flickr, 
SMS, e-mail, and even Clef.

 [Read all 4 reviews](https://wordpress.org/support/plugin/indieauth/reviews/)

## Contributors & Developers

“IndieAuth” is open source software. The following people have contributed to this plugin.

Contributors

 *   [ IndieWeb ](https://profiles.wordpress.org/indieweb/)
 *   [ Matthias Pfefferle ](https://profiles.wordpress.org/pfefferle/)
 *   [ David Shanske ](https://profiles.wordpress.org/dshanske/)

[Translate “IndieAuth” into your language.](https://translate.wordpress.org/projects/wp-plugins/indieauth)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/indieauth/), check 
out the [SVN repository](https://plugins.svn.wordpress.org/indieauth/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/indieauth/) by [RSS](https://plugins.trac.wordpress.org/log/indieauth/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

Project and support maintained on github at [indieweb/wordpress-indieauth](https://github.com/indieweb/wordpress-indieauth).

#### 4.5.5

 * Security: Fix CSRF vulnerability in authorization endpoint
 * Security: PKCE, mandatory in the IndieAuth spec, is no longer optional in the plugin.
   If your client does not support this security measure, then it must be updated.

#### 4.5.4

 * Fix error on settings page reported via wordpress.org forums

#### 4.5.3

 * Fix issue with uninitialized variables

#### 4.5.2

 * Fix issue with loop on adding new clients
 * Store client_uri and last modified date for new clients.

#### 4.5.1

 * Fix issue with failure if logo_uri is not a URL
 * Fix conflict with Jetpack plugin due to not returning error property (props @janboddez)

#### 4.5.0

 * Remove experimental manifest searching code for client discovery
 * Add support for client json metadata files recently added to specification with
   fallback to MF2 HTML
 * Fix declaration issue(props @janboddez)

#### 4.4.2

 * Prevent returning 401 for other successful OAuth2 plugins

#### 4.4.1

 * Add MF2 Parser for Client Information Discovery
 * Fix ticket endpoint and add additional checks
 * Fix issue with discovery not checking html links if there were any http links
 * Add hooks for Ticket redemption flow
 * Add email notification when ticket received

#### 4.4.0

 * Remove remote endpoint functionality already disabled
 * Rearrange so each endpoint is more independent and registers its own parameters
 * Add way to register new grant types.
 * Rewrite Web Signin to support latest version of flow.
 * Add PKCE support to websignin flow
 * Fix issue with PKCE support where it would not actually verify PKCE for token
   flow because PKCE is optional
 * Invert PKCE message to highlight when PKCE is not being used over it being used.
 * Do not do client discovery on a non-retrievable URL
 * Validate identifiers to IndieAuth Spec
 * Remove URL plus password login as part of effort to simplify code.
 * Fix error message surfacing in websignin form
 * Fix CSS on websignin and authorization forms to not misrender the language bar.

#### 4.3.0

 * Introduce Client Taxonomy to store client data so it is not stored individually
 * Sideload Client Application icons

#### 4.2.1

 * Fix issue with not loading User Token library with old remote endpoint code
 * Fix issue with not loading metadata endpoint when not logging in

#### 4.2.0

 * Add Server Metadata Endpoint
 * Add Issuer Property to Authorization Response
 * In 4.1.0, introspection endpoint was introduced and shared an endpoint with the
   token endpoint. This approach was abandoned with the metadata endpoint and the
   introspection endpoint no longer shares. As this was only in for a short time
   deprecation is immediate.
 * Revocation endpoint added. Old revocation method will remain until metadata endpoint
   adoption is sufficient.
 * User Info Endpoint added. This returns the user profile offered during the authorization
   flow.

#### 4.1.1

 * Fix issue where class from ticket auth was being called even though ticket auth
   was not enabled.

#### 4.1.0

 * Add experimental ticket auth endpoint
 * Bug fix on endpoint discovery discovered during ticket auth development
 * Introduce Token Introspection Endpoint as per proposal to integrate RFC7662. 
   For now, will exist concurrently with the older token verification response until
   it is deprecated.
 * Ensure profile responses are returned when appropriate.
 * Misc Bug Fixes discovered in unit testing
 * Updating of settings configuration
 * Improved default for user who gets to identify as root of site.
 * Introduce Refresh Token Functionality
 * Create was not pre-checked in new selections when offered as an option.

#### 4.0.0

 * Add default expiry time.
 * Ensure tokens expire at their proper time.
 * Cleanup related to expiry

#### 3.6.2

 * Fix missing argument, props @chee
 * Fix issue with new sanitization, props @akirk
 * Fix issue with improperly encoded HTML in JSON
 * Switch test token to mirror length of real token to properly test servers who
   may use mod_security.

#### 3.6.1

 * Clean up template pages in order to remove HTML from i18n strings.

#### 3.6.0

 * Adopt changes to the living spec as of the November 26, 2020 version.
 * Drop explicit support for response_type=id. Endpoint will convert to type code
   for backcompat until further notice.
 * Change experimental profile return behavior to match newly documented behavior
   in spec.
 * Support profile and email scopes, to be handled within this plugin.
 * Add additional code comments
 * Remove unique URL code as looking for user URLs is no longer supported
 * Add UUID to tokens as used in the WP5.6 Application Password feature.
 * Add Last IP Accessed to storage as used in the WP5.6 Application Password feature.

#### 3.5.1

 * Make Site Health More Explicit
 * Update scope descriptions
 * Adjust scope capabilities to be more consistent

#### 3.5.0

 * Restore ability to use a remote endpoint but keep this feature hidden for now.
 * Add load function and config setting in order to load the files appropriate for
   your configuration
 * Create Authorization plugin base class that can be used to create different IndieAuth
   configurations
 * Add Site Health Check for SSL and Unique Users
 * Create local and remote classes that can be instantiated depending on configuration

#### 3.4.2

 * Repair issue with other flow caused by function name issue

#### 3.4.1

 * Add setting to set the user who will be using the site URL as their URL as opposed
   to their author URL which removes dependency on Indieweb plugin for this.

#### 3.4.0

 * Enforce unique URLs for user accounts
 * Add user url to user table
 * Redo association for URL to user account. At this time, only the root path and
   the author archive URLs are allowed as a return. Hoping to add more options in
   future
 * Add Site Health Check
 * Improve text and links for authorization failure

#### 3.3.2

 * Add new diagnostic script that will nag you until you run it at least once
 * Add cache control headers on return from endpoint
 * Verifying the token at the token endpoint did not use REDIRECT_HTTP_AUTHORIZATION;
   now added
 * Add header check to settings page
 * Add option to generate tokens on the backend with any scope
 * Add option to bulk expire tokens
 * Add cleanup option

#### 3.3.1

 * Add definition of profile scope
 * Improve documentation in README

#### 3.3

 * Switch to SHA256 hashing from built in salted hash used by WordPress passwords
 * Add PKCE Support

#### 3.2

 * Only add headers to front page and author archive pages
 * Return basic profile data in returns so the client can display the name and avatar
   of the user

#### 3.1.11

 * Fix issue with silent conversion when not array
 * Add client name and icon automatically on setting token

#### 3.1.10

 * Fixed PHP notice with icon determination
 * Silently convert requests for the post scope to the create update scope
 * Update tagline

#### 3.1.9

 * Fixed PHP warnings

#### 3.1.8

 * When local verification is performed the code was not updating the profile URL
   and passing through the URL from the original request. This code was in the remote
   verification portion of the token endpoint and is now mirrored in the verify 
   local code.

#### 3.1.7

 * Add authdiag.php script written by @Zegnat

#### 3.1.6

 * Add ability to generate a token on the backend
 * Added a test endpoint that tests whether the authentication provider for the 
   REST API is working and tries to return useful errors

#### 3.1.5

 * Add Client Information Discovery to search for names and icon for clients
 * Add icon and client name to Manage Token page
 * Add action to refresh icon and other information in the Manage Token interface

#### 3.1.4

 * Rearrange token logic so that if a token is provided the system will fail if 
   it is invalid
 * Add last accessed field to token and add that to token management table

#### 3.1.3

 * Allow selection of scopes and add stock descriptions
 * Update Manage Token Page to use WP_List_Table

#### 3.1.2

 * Fix issue with scope encoding
 * Fix issue where function returned differently than parent function

#### 3.1.1

 * Fixed PHP error with version < PHP 5.4

#### 3.1.0

 * Fixed `state` param handling

#### 3.0.4

 * Fixed admin settings

#### 3.0.3

 * Verify user ID directly from the token endpoint rather than mapping URL.
 * Display $me parameter instead of user_url on authenticate screen
 * Remove deprecated functions and parameters

#### 3.0.2

 * Automatically rewrite local URLs to https if the local site is set to SSL

#### 3.0.1

 * The previous version fixed an issue where an error message was not returned if
   there was a missing bearer token. This was needed due to the fact that some servers
   filter tokens. However, this meant that it would do this for all API requests, even
   ones not requiring authentication such as webmentions. Reverted change with flag
 * Added constant `INDIEAUTH_TOKEN_ERROR` which if set to true will return an error
   if it cannot find a token.

#### 3.0.0

 * Major refactor to abstract out and improve token generation code
 * Set one cookie with the state instead of multiple cookies.
 * Store other parameters as a transient
 * Remove extra settings

#### 2.1.1

 * Bug Fix

#### 2.1.0

 * Refactor to change load order
 * Textual fix
 * Add defaults when core functions not yet enabled
 * Rework of the admin-interface

#### 2.0.3

 * Add improved getallheaders polyfill
 * Check for missing cookie
 * Check for alternate authorization location

#### 2.0.2

 * If using local endpoint verify token locally without making remote call
 * Add filters for scope and response so they can be accessed elsewhere
 * urlencode state as some encode information into state that was being lost
 * Switch from failure to warning message for different domains for redirect
 * Hide token endpoint management page if local endpoint not enabled

#### 2.0.1

 * Improve error handling if null endpoint sent through
 * Adjust cookie to GMT
 * Add whitespace to form

#### 2.0.0

 * Support author profiles in addition to user URLs
 * Change token verification method to match current Indieauth specification
 * Add support for token verification to act as a WordPress authentication mechanism.
 * Add ability to set any token or authorization endpoint
 * Add authorization and token endpoint headers to the site
 * Discover and use authorization endpoint for provided URL when logging in
 * Allow login using URL
 * Add built-in token endpoint ( props to @aaronpk for support on this )
 * Add built-in authorization endpoint ( props to @aaronpk for support on this )
 * Hide option to login with your domain by default
 * Option to sign into your domain is now a separate form
 * Automatically add trailing slash to user_url

#### 1.1.3

 * update README

#### 1.1.2

 * fixed redirect URL

#### 1.1.1

 * WordPress coding style

#### 1.1.0

 * fixed critical bug

#### 1.0.0

 * initial

## Community plugin

This plugin is developed and supported by a community. [Contribute to this plugin](https://github.com/indieweb/wordpress-indieauth)

## Meta

 *  Version **4.5.5**
 *  Last updated **6 months ago**
 *  Active installations **400+**
 *  WordPress version **6.2 or higher**
 *  Tested up to **6.7.5**
 *  PHP version **7.4 or higher**
 *  Language: [English (US)](https://wordpress.org/plugins/indieauth/)
 *  Tags: [IndieAuth](https://fa.wordpress.org/plugins/tags/indieauth/), [indieweb](https://fa.wordpress.org/plugins/tags/indieweb/),
    [login](https://fa.wordpress.org/plugins/tags/login/), [oauth](https://fa.wordpress.org/plugins/tags/oauth/)
 *  [Advanced view](https://fa.wordpress.org/plugins/indieauth/advanced/)

## Ratings

 5 out of 5 stars.

 *  [5-star ratings: 4](https://wordpress.org/support/plugin/indieauth/reviews/?filter=5)
 *  [4-star ratings: 0](https://wordpress.org/support/plugin/indieauth/reviews/?filter=4)
 *  [3-star ratings: 0](https://wordpress.org/support/plugin/indieauth/reviews/?filter=3)
 *  [2-star ratings: 0](https://wordpress.org/support/plugin/indieauth/reviews/?filter=2)
 *  [1-star ratings: 0](https://wordpress.org/support/plugin/indieauth/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/indieauth/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/indieauth/reviews/)
