IndieID not supporting Facebook

indieid logo

I have not really discussed it yet on my site, but I have been working on a new IndieAuth compatible service. is now up and available for use by anyone using indieauth! The code is not terribly clean yet.  I spun this project out of a RelMeAuth library but it quickly evolved in to a full-blown indieauth service. The code is all up at and pull requests are definitely welcome.

I have already added support for Github, Google+, and even Instagram, though this is a really big hack and will likely break often.   I have not yet added support for Twitter as it uses OAuth 1 while the others use OAuth 2.  And the difference is certainly enought that its not on the top of my priorities.  Recently I had been working quite hard to get Facebook support, but alas my attempts have fallen short.  What follows is an explanation of exactly where Facebook's API prevents any ability to add support and maintain security of the users.

In order to fully understand my conundrum you need to understand RelMeAuth.  Links between sites can have an extra property called "rel".  These can be quite useful for saying the relation between the site I am on and the site I am linking to.  Setting rel=canonical means the linked site is considered the "canonical" or original, true version of the content.  There are a number of such possible rel values.  The one that the IndieWeb uses quite heavily is rel=me.  This states that the linked site is another profile for myself.  If you look at my website and view source for the "elsewhere" section you will see all my links to my profile on other websites have this rel=me link.  I have control of my website, so I could point these anywhere. I could say rel=me and then point to Andy Warhol's wikipedia page.  So alone, these links cannot be trusted.  However, I also control my Twitter account, and Twitter is nice enought to set rel=me when I set my website in my profile on Twitter.  Now my website points to my Twitter profile with rel=me and my Twitter profile points right back to my site with rel=me.  Since both sites agree, I can logically say that they are both the same person.  If a user can prove they control one of these pages then they obviously control the other.  So if I give a site proof that my account on twitter is mine, just by looking at the links, the site knows I control  This is RelMeAuth at its core, and the first part of IndieAuth.

Facebook has a rel=me link back to my website and I have a rel=me link to my Facebook profile.  There is also a way to authenticate with Facebook, so where is the problem?  Well, Facebook takes privacy with its app developers quite seriously.  If I log in to an application via Facebook, the current Facebook API keeps me anonymous. Everything that happens within the app is through a unique ID that is specific to that application.  Sure, the app could request access to plenty of information, but my profile URL or my account name isn't one of those things.  For IndieID, this means that its easy to verify the rel=me links are there and point to each other, and then log in via facebook is easy too.  But without that extra bit of information, its not possible to tell if the account that logged in is actually the account that the rel=me links just verified.  Even if I start from Facebook and look at the user's website link, I have no idea if the link I find at that website is pointing back to the same profile I am on.

I spent a good week looking for other ways around this issue, but no matter what I see, there is always some way that the system could be fooled.  Since IndieID is really a login provider,  its important to maintain security.  A security problem here could expose a lot.  So, sadly, my hopes of Facebook based login have been dashed to pieces.  I think the worst part is that I completely understand and can agree with why Facebook does this.  Its a user privacy issue.  Sure they could just make it another access level (I had to request approval just to get the ability to see the user's website link), but honestly, who reads those?  The thing could say "Power of Attorney" and most users would just click right past it. Alas, its depressing how few sites actually support this whole system. One can but hope that in the future we gain more traction in this area.