Johan Bové

Trying to obtain an Access Token for IndiePub with IndieAuth to be used in IFTTT requests so I can link other Web Services with my site.

I was able before to get a token using https://gimme-a-token.5eb.nl/, and the integration with Pocket, Deezer and others worked, but I revoked all access tokens and today it no longer works to create a new token on my Known instance running version 1.2.2.

This post is about trying to solve this issue.

Got the endpoints of my server using:
https://indieweb-endpoints.cc/search?url=https%3A%2F%2Fsocial.johanbove.info

After entering all the fields in "Gimme A Token" and going through the process to get the access token, I end up on https://social.johanbove.info/indieauth/token with the message "Client mismatch". And I'm not sure where to go next.

What is causing this "client mismatch"? Did Known get safer or is "gimme-a-token" broken?

Going to reach out to Seb and Marcus in the next days.

Found that Greg had a similar issue with Monocle some months ago: https://gist.github.com/jgmac1106/3d4df34f99f9a2bd34d47262f26bf508

Update 2020-06-29 19:00

So I can rule out that "Gimme-A-Token" is broken.

Thanks to the greate people on the #knownchat IRC channel (thanks Aaron, Greg and sknebel) I have a pointer towards htaccess and http/https redirecting. Looking into that now.

Update 2020-06-29 23:20

It seems that for a correct IndieAuth authentication, I had to add a hard-coded "me" url in the head of the Known head.tpl.php file so the Known homepage would always have this link:

<!-- Hardcoded me url -->
<link href="https://social.johanbove.info" rel="me" class="u-url">

This resolved the https://monocle.p3k.io site error message and I can log in in one flow without having to retry.

But unfortunately I'm still getting "Client mismatch" errors with "Gimme a token" most of the time. I did manage to get once an actual token which I can now use again for IFTTT PESOS syndication.

My current Known .htaccess Content-Security-Policy is full of #IndieWeb tool urls.

<IfModule mod_headers.c>
Header set Content-Security-Policy: "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src *; worker-src 'self' https; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;
    Header set X-Content-Security-Policy: "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src *; worker-src 'self' https; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;
    Header set X-WebKit-CSP: "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src https:; worker-src 'self' https; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;
</IfModule>