@aaronpk
Created July 4, 2014 00:15
Current challenge:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJtZSI6Imh0dHA6Ly9hYXJvbnBhcmVja2kuY29tIiwidXNlcl9pZCI6MSwicHJvZmlsZV9pZCI6MzAzNCwicmVkaXJlY3RfdXJpIjoiaHR0cDovL2luZGlld2ViY2FtcC5jb20vU3BlY2lhbDpJbmRpZUF1dGg_cmV0dXJudG89TWFpbl9QYWdlIiwic3RhdGUiOm51bGwsInNjb3BlIjpudWxsLCJub25jZSI6MTExODU4LCJjcmVhdGVkX2F0IjoxNDA0NDMyMzQ1fQ.fyd2XE5-4Rf_EfPZzHc_Y3yOmyr8x_7soWvAJS644rY
Decoded challenge header and payload (the two base64url segments before the signature):
{"typ":"JWT","alg":"HS256"}
{"me":"http://aaronparecki.com","user_id":1,"profile_id":3034,"redirect_uri":"http://indiewebcamp.com/Special:IndieAuth?returnto=Main_Page","state":null,"scope":null,"nonce":111858,"created_at":1404432345}
I could rewrite this challenge as human-readable key/value pairs (null values rendered as empty):
me=http://aaronparecki.com
user_id=1
profile_id=3034
redirect_uri=http://indiewebcamp.com/Special:IndieAuth?returnto=Main_Page
state=
scope=
nonce=111858
signature=fyd2XE5-4Rf_EfPZzHc_Y3yOmyr8x_7soWvAJS644rY
On indieauth.com, user_id and profile_id reference database rows corresponding to the user. I could remove these from the challenge at the cost of a little more code on the server side to tie things together (the server would look the user up from the me URL instead).
That would look like:
me=http://aaronparecki.com
redirect_uri=http://indiewebcamp.com/Special:IndieAuth?returnto=Main_Page
state=
scope=
nonce=111858
signature=fyd2XE5-4Rf_EfPZzHc_Y3yOmyr8x_7soWvAJS644rY
The signature is needed so that the indieauth.com server knows the challenge values were not tampered with when the challenge comes back. Currently this uses a JWT signature (the header above says HS256, i.e. an HMAC keyed with a secret that only indieauth.com holds, so only the server can check it), but I'd be happy to present the entire thing as a GPG-signed message instead if that makes more sense.
In this case, the person sees a prompt that says "sign this challenge" and they can see the entire contents of the message they are signing.
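To make the two formats concrete, here is an added Python example (mine, not code from this gist or from indieauth.com). It decodes the JWT challenge quoted above without verifying it (the HS256 secret belongs to indieauth.com and is not on the page), builds the proposed key/value form from the payload with user_id and profile_id dropped, and signs and verifies that form with an HMAC-SHA256 over the newline-separated body under a constructed demo secret; a challenge whose redirect_uri was edited after signing fails verification. The fixed field order, the newline canonicalization and the demo secret are my assumptions, not anything the gist specifies.

```python
import base64
import hashlib
import hmac
import json

# The JWT challenge quoted in the gist, split across lines only for width.
PAGE_CHALLENGE = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJtZSI6Imh0dHA6Ly9hYXJvbnBhcmVja2kuY29tIiwidXNlcl9pZCI6MSwicHJvZmlsZV9pZCI6"
    "MzAzNCwicmVkaXJlY3RfdXJpIjoiaHR0cDovL2luZGlld2ViY2FtcC5jb20vU3BlY2lhbDpJbmRp"
    "ZUF1dGg_cmV0dXJudG89TWFpbl9QYWdlIiwic3RhdGUiOm51bGwsInNjb3BlIjpudWxsLCJub25j"
    "ZSI6MTExODU4LCJjcmVhdGVkX2F0IjoxNDA0NDMyMzQ1fQ."
    "fyd2XE5-4Rf_EfPZzHc_Y3yOmyr8x_7soWvAJS644rY"
)

# Constructed for this example; indieauth.com's real HS256 key is not public.
DEMO_SECRET = b"constructed-demo-secret, not indieauth.com's key"

# Assumed field order for the human-readable form. user_id and profile_id are
# deliberately absent: the server re-derives them from "me".
CHALLENGE_FIELDS = ("me", "redirect_uri", "state", "scope", "nonce")


def b64url_decode(s: str) -> bytes:
    """JWT uses unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWT into (header, payload) WITHOUT checking the signature.
    Fine for reading what the server put in the challenge; never trust it."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def challenge_fields(payload: dict) -> dict:
    """Keep only the fields the key/value form carries; JSON null becomes ''."""
    return {k: "" if payload.get(k) is None else str(payload[k]) for k in CHALLENGE_FIELDS}


def serialize_challenge(fields: dict) -> str:
    """Canonical body that gets signed: fixed order, one key=value per line."""
    lines = []
    for key in CHALLENGE_FIELDS:
        value = fields.get(key, "")
        if "\n" in value or "\r" in value:
            # A newline inside a value would let one field masquerade as another.
            raise ValueError("newline in field %s" % key)
        lines.append("%s=%s" % (key, value))
    return "\n".join(lines)


def sign_challenge(fields: dict, secret: bytes) -> str:
    body = serialize_challenge(fields)
    mac = hmac.new(secret, body.encode("utf-8"), hashlib.sha256).digest()
    return body + "\nsignature=" + b64url_encode(mac)


def verify_challenge(text: str, secret: bytes):
    """Return the parsed fields if the HMAC checks out, otherwise None."""
    *body_lines, sig_line = text.split("\n")
    if not sig_line.startswith("signature="):
        return None
    try:
        presented = b64url_decode(sig_line[len("signature="):])
    except ValueError:  # binascii.Error is a ValueError
        return None
    body = "\n".join(body_lines)
    expected = hmac.new(secret, body.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        return None
    # Structure is checked only after the MAC passed, so the MAC covers it.
    fields = dict(line.partition("=")[::2] for line in body_lines)
    if tuple(fields) != CHALLENGE_FIELDS:
        return None
    return fields


def tamper_redirect(signed: str, new_uri: str) -> str:
    """Simulate a client editing redirect_uri in the signed text and replaying it."""
    return "\n".join(
        "redirect_uri=" + new_uri if line.startswith("redirect_uri=") else line
        for line in signed.split("\n")
    )


if __name__ == "__main__":
    header, payload = decode_jwt_unverified(PAGE_CHALLENGE)
    print(header)
    print(json.dumps(payload, indent=2))
    signed = sign_challenge(challenge_fields(payload), DEMO_SECRET)
    print(signed)
    print("verify original:", verify_challenge(signed, DEMO_SECRET) is not None)
    forged = tamper_redirect(signed, "http://attacker.example/cb")
    print("verify tampered:", verify_challenge(forged, DEMO_SECRET) is not None)
```

The point of signing the serialized body rather than the individual values is that the user sees exactly the bytes being authenticated, which is what the "sign this challenge" prompt relies on; the newline check in serialize_challenge is what stops a value from smuggling in a second key=value line. The same body could be handed to GPG instead of HMAC without changing the layout.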