I have many potential/work-in-progress projects which require account systems. I figured that, optimally, I should implement this once and then never again. this is ultimately better for the user, also, as they must keep track of fewer accounts.

as such, auth.citrons.xyz exists. it is usable by anyone; though, I disclaim responsibility if it explodes.

the API documentation is todo, but the gist of it is this:

a service is identified with a domain. to discover a service, e.g. example.com, the authentication service queries https://example.com/.well-known/citrons/auth. this is required to be a JSON file containing the following properties:

  • name - the name of the service
  • endpoint - a URL in your application to which a user id and token can be POSTed.

when you wish to log in a user, link them to https://auth.citrons.xyz/login?service=<domain>. the user confirms by submitting a form to your endpoint. the form contains the user's ID in uid and token in token.

you can then query the status of a token by posting it to https://auth.citrons.xyz/api/user/<user_id>/auth/<service_domain>.

$ curl --request POST \
    --data 'token=XXXX' \
    https://auth.citrons.xyz/api/user/50fc23f03043d139/auth/example.com
{"valid":true,"user":{"username":"citrons","ttl":800,"uid":"50fc23f03043d139"},"ttl":800}

$ curl --request POST \
    --data 'token=invalid' \
    https://auth.citrons.xyz/api/user/50fc23f03043d139/auth/example.com
{"valid":false,"ttl":9999999}
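to make the whole flow concrete, here is the service side written out as an added example (my illustration, not code from auth.citrons.xyz or any project that uses it): the discovery document, the login link, and the endpoint handler that receives uid and token and checks them against the API above. the service domain, service name, callback path, the 16-hex-digit uid format, and the fake_auth_server stand-in are all assumptions made for the example; the URL shapes and the two JSON replies are the ones shown on this page.

```python
import json
import re
import urllib.parse
import urllib.request

AUTH_BASE = "https://auth.citrons.xyz"
SERVICE_DOMAIN = "example.com"        # constructed sample domain for this example
SERVICE_NAME = "Example Service"      # constructed sample name
CALLBACK_PATH = "/citrons/callback"   # assumed path of the endpoint in "your application"
# assumption: uids look like the 16-hex-digit sample on the page; reject anything
# else so user input can never change the shape of the API URL we build from it
UID_RE = re.compile(r"[0-9a-f]{16}")


def discovery_document():
    """JSON body to serve at https://<SERVICE_DOMAIN>/.well-known/citrons/auth."""
    return {"name": SERVICE_NAME,
            "endpoint": f"https://{SERVICE_DOMAIN}{CALLBACK_PATH}"}


def login_url(service_domain=SERVICE_DOMAIN):
    """Link to send a user to when they want to log in."""
    return f"{AUTH_BASE}/login?service={urllib.parse.quote(service_domain, safe='')}"


def _http_post_form(url, fields):
    """Real transport: POST form fields, decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def verify_token(uid, token, service_domain=SERVICE_DOMAIN, post=_http_post_form):
    """Ask the auth service whether (uid, token) is valid for this service.

    Returns a dict describing the session, or None when login must be refused.
    """
    if not UID_RE.fullmatch(uid):
        return None
    url = (f"{AUTH_BASE}/api/user/{uid}/auth/"
           f"{urllib.parse.quote(service_domain, safe='')}")
    reply = post(url, {"token": token})
    if not isinstance(reply, dict) or reply.get("valid") is not True:
        return None
    user = reply.get("user") or {}
    # the reply carries the uid again; insist it is the one the user claimed
    if user.get("uid") != uid:
        return None
    ttl = reply.get("ttl")
    if not isinstance(ttl, int) or ttl <= 0:
        return None
    return {"uid": uid, "username": user.get("username"), "ttl": ttl}


def handle_callback(form, service_domain=SERVICE_DOMAIN, post=_http_post_form):
    """Handler for the endpoint: form is the POSTed fields (uid, token)."""
    uid = form.get("uid", "")
    token = form.get("token", "")
    if not uid or not token:
        return None
    return verify_token(uid, token, service_domain, post)


def fake_auth_server(url, fields):
    """Constructed offline stand-in replaying the two replies shown on the page."""
    assert url == f"{AUTH_BASE}/api/user/50fc23f03043d139/auth/example.com"
    if fields["token"] == "XXXX":
        return {"valid": True,
                "user": {"username": "citrons", "ttl": 800, "uid": "50fc23f03043d139"},
                "ttl": 800}
    return {"valid": False, "ttl": 9999999}


if __name__ == "__main__":
    print(json.dumps(discovery_document()))
    print(login_url())
    print(handle_callback({"uid": "50fc23f03043d139", "token": "XXXX"}, post=fake_auth_server))
    print(handle_callback({"uid": "50fc23f03043d139", "token": "invalid"}, post=fake_auth_server))
```

the two checks that are easy to forget are at the end of verify_token: a reply is only accepted when its uid matches the one the user submitted and its ttl is positive, so a session is never created from a mismatched or already-expired answer. pass fake_auth_server as post to exercise the handler without touching the network.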

ultimately, it is now possible to log in. by the way, I have designed the site around the new style I am working on for my site redesign, my new webæsthetic.

enjoy. tell me if you find some horrible bug.