After creating a Micropub client, so that I can post automatically to this site from a script, I decided to take the next step: creating my own Microsub client. What that is, and why I want it, I’ll discuss some other time. But soon after beginning I realised that a key first step had to be solved first: getting the right authorisation to access my site.
My Micropub client also requires that authorisation, but I circumvented doing that myself by using Jamie Tanna’s online tool to create the right access token to gain entry to my site. However, Jamie’s tool sets the scope of the permissions to ‘draft’, meaning you can save new posts as drafts. That was fine for Micropub, but isn’t useful for Microsub.
For Microsub I need a different scope: read and follow, to begin with. So instead of starting to build a Microsub client, I first needed to create something to get the right access tokens. Luckily, somewhere at the end of the Microsub documentation there’s a summary of the steps you need to take, and once I read that I could imagine a solution and recognise the different steps involved. I sketched them out for myself:
I then started to code each of those steps in PHP. In the end I needed about 30 lines of code.
It’s not a fancy script, just one for personal use, so it needs a bit of cleaning before I can share it.
The 4 steps I coded were:
- Create a URL for the IndieAuth endpoint listed on the site, to visit in a browser, which carries various pieces of information:
  https://domain.com/indieauthendpoint?me=me&response_type=code&client_id=mydomain&state=a_number_you_make_up&scope=the_access_you_ask&redirect_uri=where_to_send_answer_on_client_id
- Make the script able to receive the answer to that at the given redirect_uri:
  http://redirect_uri?code=the_secret_code_you_asked&state=the_made_up_number_you_sent
  The returned state ensures that the response belongs to the request you sent. The code is what you need for the next step.
- For the next step you send a POST request (basically it’s sending in a webform) to the Token endpoint provided by the site, which contains the code you received, grant_type with the value authorization_code, the same client_id you sent earlier, and again a redirect_uri where to receive the answer. That last one can be different from before but must be on the same domain.
- What you get back is some JSON data that contains the access token. For each interaction you have with the site after this step you use that access token to get access to the site.
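The four steps above, as an added example in PHP that is not the post’s own script. The endpoint URLs, client_id, redirect_uri and the site URL in the constants are placeholders to replace with your own values; the code assumes a PHP session is available to remember the state between the first request and the redirect back, and uses curl for the POST to the token endpoint. Only the parameters the post lists are sent.

```php
<?php
// Added example, not the script from the post. All URLs below are placeholders.
const ME             = 'https://domain.example/';                    // the site you log in to
const AUTH_ENDPOINT  = 'https://domain.example/indieauthendpoint';   // its IndieAuth endpoint
const TOKEN_ENDPOINT = 'https://domain.example/tokenendpoint';       // its token endpoint
const CLIENT_ID      = 'https://mydomain.example/';                  // this script's domain
const REDIRECT_URI   = 'https://mydomain.example/indieauth.php';     // where the answer comes back

// Step 1: build the URL to visit. The state is random and kept in the
// session so the answer in step 2 can be matched to this request.
function build_auth_url(string $scope): string {
    $state = bin2hex(random_bytes(16));
    $_SESSION['indieauth_state'] = $state;
    return AUTH_ENDPOINT . '?' . http_build_query([
        'me'            => ME,
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $state,
        'scope'         => $scope,   // e.g. 'read follow'
    ]);
}

// Step 2: read the answer at the redirect_uri. The code is only accepted when
// the returned state equals the one we made up; the stored state is used once.
function read_callback(array $query): string {
    $expected = $_SESSION['indieauth_state'] ?? null;
    unset($_SESSION['indieauth_state']);
    if ($expected === null || !isset($query['state'], $query['code'])
        || !hash_equals($expected, (string) $query['state'])) {
        throw new RuntimeException('state mismatch or missing code');
    }
    return (string) $query['code'];
}

// Step 3: POST the code to the token endpoint (a webform submission).
// Step 4: decode the JSON answer and hand back the access token data.
function exchange_code(string $code): array {
    $ch = curl_init(TOKEN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'   => 'authorization_code',
            'code'         => $code,
            'client_id'    => CLIENT_ID,
            'redirect_uri' => REDIRECT_URI,
        ]),
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("token endpoint returned HTTP $status");
    }
    $data = json_decode($body, true);
    if (!is_array($data) || empty($data['access_token'])) {
        throw new RuntimeException('no access_token in response');
    }
    return $data;   // access_token, and normally the granted scope as well
}

// Glue: the same script starts the flow and receives the redirect.
session_start();
if (isset($_GET['code'])) {
    $token = exchange_code(read_callback($_GET));
    // Keep $token['access_token'] somewhere safe; it is the credential for every later Microsub call.
    echo 'Token granted with scope: ' . htmlspecialchars($token['scope'] ?? '(not stated)');
} else {
    header('Location: ' . build_auth_url('read follow'));
}
```

Two checks worth keeping in any version of this: the state comparison in step 2, which is what stops a code from someone else’s request being handed to your script, and reading the scope in the JSON answer before using the token, since an endpoint may grant less than you asked for.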
For a long time the notion of authorising myself with some website, doing a digital variation of a multistage secret handshake, had seemed daunting to create from scratch. Once I was able to see the different building blocks it became simpler: each of them, visiting a URL, reading a response, sending in a webform, and reading JSON data, I had written before, so I had some PHP code to re-use.