
Johan Bové

Gimme A Token "client mismatch" in Known

Figuring out why Gimme A Token is not working for my Known instance


Trying to obtain an Access Token for IndiePub with IndieAuth to be used in IFTTT requests so I can link other Web Services with my site.

I was able to get a token before using https://gimme-a-token.5eb.nl/, and the integration with Pocket, Deezer and others worked, but I revoked all access tokens and today creating a new token on my Known instance running version 1.2.2 no longer works.

This post is about trying to solve this issue.

Got the endpoints of my server using:
https://indieweb-endpoints.cc/search?url=https%3A%2F%2Fsocial.johanbove.info

After entering all the fields in "Gimme A Token" and going through the process to get the access token, I end up on https://social.johanbove.info/indieauth/token with the message "Client mismatch". And I'm not sure where to go next.

What is causing this "client mismatch"? Did Known get safer or is "gimme-a-token" broken?

Going to reach out to Seb and Marcus in the next days.

Found that Greg had a similar issue with Monocle some months ago: https://gist.github.com/jgmac1106/3d4df34f99f9a2bd34d47262f26bf508

Update 2020-06-29 19:00

So I can rule out that "Gimme-A-Token" is broken.

Thanks to the great people on the IRC channel (thanks Aaron, Greg and sknebel) I have a pointer towards .htaccess and http/https redirecting. Looking into that now.

Update 2020-06-29 23:20

It seems that for a correct IndieAuth authentication, I had to add a hard-coded "me" url in the head of the Known head.tpl.php file so the Known homepage would always have this link:

<!-- Hardcoded me url -->
<link href="https://social.johanbove.info" rel="me" class="u-url">

This resolved the https://monocle.p3k.io site error message and I can log in in one flow without having to retry.

But unfortunately I'm still getting "Client mismatch" errors with "Gimme a token" most of the time. I did manage to get an actual token once, which I can now use again for IFTTT PESOS syndication.
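As an added example (this is not Known's or Gimme-A-Token's code), the following Python simulation of the IndieAuth authorization-code exchange shows the check a token endpoint performs that produces an error of the "client mismatch" kind: the client_id presented when the code is redeemed must equal the client_id recorded when the code was issued. The comparison keeps scheme and host exactly as given, so http vs https, or www vs bare host, on either side of the exchange counts as a different client, which is why the redirect configuration of the site matters. The endpoint names, the in-memory store, the error wording and all hosts (under .example) are assumptions made for the demonstration.

```python
"""Simulated IndieAuth authorization-code exchange, showing the client_id
check at a token endpoint that yields a "client mismatch" error.

Added example; not Known's or Gimme-A-Token's code. Endpoint names, the
in-memory store, the error wording and all URLs are assumptions made for
the demonstration (hosts under .example are constructed).
"""
import hmac
import secrets
import time
from urllib.parse import urlsplit, urlunsplit

CODE_TTL = 600  # seconds an authorization code stays redeemable (assumed)


def canonicalize(url: str) -> str:
    """Normalize a URL before comparison: lowercase scheme and host and add a
    trailing "/" when the path is empty. Scheme and a leading "www." are
    deliberately NOT folded together, so "http://app.example/" and
    "https://www.app.example/" are different clients. An http->https or
    www->bare redirect on one side of the exchange therefore changes the
    identity the other side sees."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class AuthorizationServer:
    """Authorization endpoint and token endpoint of one IndieAuth server."""

    def __init__(self) -> None:
        self._codes = {}   # code -> record of what the code was issued for
        self._tokens = {}  # access token -> profile URL ("me")

    def authorize(self, me: str, client_id: str, redirect_uri: str) -> str:
        """Authorization endpoint: after the user approves, bind a fresh
        single-use code to exactly the client_id and redirect_uri that were
        in the authorization request."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "me": canonicalize(me),
            "client_id": canonicalize(client_id),
            "redirect_uri": redirect_uri,
            "issued": time.time(),
        }
        return code

    def token(self, code: str, client_id: str, redirect_uri: str) -> dict:
        """Token endpoint: redeem the code only for the client it was issued to.
        The code is consumed whether or not the exchange succeeds, so a failed
        attempt cannot be retried with a different client_id."""
        record = self._codes.pop(code, None)
        if record is None:
            return {"error": "invalid_grant",
                    "error_description": "unknown or already used code"}
        if time.time() - record["issued"] > CODE_TTL:
            return {"error": "invalid_grant", "error_description": "code expired"}
        if not hmac.compare_digest(record["client_id"].encode(),
                                   canonicalize(client_id).encode()):
            return {"error": "invalid_request", "error_description": "client mismatch"}
        if record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_request", "error_description": "redirect_uri mismatch"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = record["me"]
        return {"access_token": token, "token_type": "Bearer", "me": record["me"]}


def demo() -> tuple:
    """Run one good and two bad exchanges; returns the three responses."""
    srv = AuthorizationServer()
    me = "https://social.example"            # constructed profile URL
    cid = "https://token-tool.example/"      # constructed client_id
    cb = "https://token-tool.example/callback"

    good = srv.token(srv.authorize(me, cid, cb), "HTTPS://token-tool.example", cb)
    scheme_mismatch = srv.token(srv.authorize(me, cid, cb), "http://token-tool.example/", cb)
    www_mismatch = srv.token(srv.authorize(me, cid, cb), "https://www.token-tool.example/", cb)
    return good, scheme_mismatch, www_mismatch


if __name__ == "__main__":
    for name, resp in zip(("good", "scheme mismatch", "www mismatch"), demo()):
        outcome = resp.get("error_description") or "token issued for " + resp["me"]
        print(f"{name:16s} -> {outcome}")
```

The first exchange succeeds even though the client_id differs in letter case and trailing slash, because canonicalization removes exactly those differences and nothing else; the other two fail on scheme and on the www prefix. A code is popped from the store before any check runs, so a rejected exchange cannot be replayed.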

Johan Bové

Trying this from my Known site. But it seems to fail. Not sure what is going on.
- Added Granary Atoms feed.
- Added htaccess entry for redirecting webfinger
Testing by replying to this post: https://mastodon.technology/@snarfed/3194674
But my reply is not going through. Will investigate tomorrow.

Johan Bové

My Known "Content-Security-Policy" htaccess configuration


My current Known .htaccess Content-Security-Policy is full of tool urls.


<IfModule mod_headers.c>
    # The site's own origin plus the IndieWeb tools that must be allowed to
    # POST to it (form-action) or embed it (frame-ancestors / frame-src).
    # Note: 'unsafe-inline' and 'unsafe-eval' in script-src leave inline
    # script injection unblocked; a bare "https" (no colon) is a host name,
    # so the scheme source must be written "https:".
    Header set Content-Security-Policy "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src *; worker-src 'self' https:; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;"
    # Legacy vendor-prefixed headers for old Firefox and WebKit builds, same policy
    Header set X-Content-Security-Policy "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src *; worker-src 'self' https:; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;"
    Header set X-WebKit-CSP "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src https:; worker-src 'self' https:; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;"
</IfModule>
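Added example, not part of the original post: a small Python linter that parses a CSP header value of this shape and reports the settings a reviewer would question (unguarded 'unsafe-inline' and 'unsafe-eval' in script-src, wildcard directives, an unrestricted object-src or missing base-uri, and a scheme written without its colon). The sample policy is a constructed string of the same shape as the configuration above; it includes a worker-src source written as `https` without the colon, which browsers parse as a host named "https", and the linter flags it.

```python
"""Lint a Content-Security-Policy value for common weaknesses.

Added example, not part of the original post. SAMPLE_POLICY is a constructed
string modelled on the .htaccess configuration above.
"""
from typing import Dict, List

SAMPLE_POLICY = (
    "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com; "
    "base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "img-src 'self' https: data:; media-src *; worker-src 'self' https; "
    "font-src *; connect-src 'self'"
)

# Scheme names that only mean something as a scheme-source, i.e. with a colon.
KNOWN_SCHEMES = {"http", "https", "data", "blob", "filesystem", "mediastream", "ws", "wss"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}.
    Directive names are case-insensitive; browsers ignore a repeated
    directive, so the first occurrence wins here too."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def lint_csp(policy: str) -> List[str]:
    """Return human-readable findings for the policy (empty list if clean)."""
    d = parse_csp(policy)
    findings: List[str] = []

    # script-src falls back to default-src when absent, as in the spec.
    script = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script
    )
    # With a nonce or hash present, browsers ignore 'unsafe-inline', so it is
    # only a finding when nothing overrides it.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': inline script injection is not blocked")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")

    for name, sources in d.items():
        if "*" in sources:
            findings.append(f"{name} allows any origin (*)")
        for src in sources:
            # A bare scheme name is parsed as a host-source that matches
            # nothing useful; the author almost certainly meant "scheme:".
            if src.lower() in KNOWN_SCHEMES:
                findings.append(f"{name}: '{src}' is a host-source, not a scheme; did you mean '{src}:'?")

    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("object-src is not restricted (plugins fall back to default-src)")
    if "base-uri" not in d:
        findings.append("base-uri is missing; injected <base> tags could redirect relative URLs")
    return findings


if __name__ == "__main__":
    for finding in lint_csp(SAMPLE_POLICY):
        print("-", finding)
```

The parser deliberately keeps the first occurrence of a repeated directive because that is what browsers do, so the linter sees the policy as it will actually be enforced rather than as it was written.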

Johan Bové

Were you able to get the .htaccess file extensions issue sorted out?

Johan Bové

Current Known htaccess mod_rewrite script


My current mod_rewrite code in the Known .htaccess file:


    RewriteEngine On

    # Redirect plain-HTTP requests for www.<host> to the bare host in one hop.
    # %{ENV:PROTO} is assumed to be provided by the hosting environment (for
    # example by a TLS-terminating proxy); if it is empty the Location becomes
    # "://host/..." and the 301 is broken.
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]

Johan Bové

This is exactly the reason why my personal homepage is pure HTML, served as .shtml through Apache server-side includes (SSI). Easy to set up, even locally, and most web hosts support it without further configuration, except for a flag in .htaccess.

Johan Bové

I've changed the permalink structure to the highest granularity on my instance: `/:year/:month/:day/:slug`. Will add redirects using to deal with existing Twitter posts.