-
Notifications
You must be signed in to change notification settings - Fork 1
/
index.html
324 lines (296 loc) · 12.3 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Gimme a token</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="redirect_uri" href="https://nonexisting-domain.invalid/redirect_uri">
<style>
body {
max-width: 600px;
margin: 0 auto;
padding: 2px;
}
h3 {
margin-bottom: .3em;
}
h4 {
margin: 0;
}
p {
margin: 0;
margin-bottom: .5em;
}
hr {
margin-top: 5em;
border: none;
border-bottom: 1px solid black;
}
input, textarea {
width: calc(100% - 18px);
padding: 3px 6px;
margin: 0 auto;
margin-bottom: .5em;
border: 1px solid grey;
border-radius: 4px;
font-size: 14px;
-webkit-appearance: none;
}
input[type=submit], input[type=button], button, a.button {
width: auto;
min-width: 150px;
display: inline-block;
border-radius: 3px;
text-decoration: none;
text-align: center;
font-family: sans-serif;
padding: 8px 12px;
font-size: 14px;
color: black;
cursor: pointer;
border: solid 2px grey;
background-color: #ccc;
}
input[readonly] {
background-color: #eee;
cursor: not-allowed;
}
.main {
border: solid 2px green !important;
background-color: #32cd32 !important;
}
form {
margin-top: .5em;
}
a.hide-link {
color: inherit;
text-decoration: none;
}
#state-warning, #state-success {
padding: 3px 8px;
border-radius: 3px;
}
#state-warning {
color: #721c24;
background-color: #f8d7da;
border-color: #f5c6cb;
}
#state-success {
color: #155724;
background-color: #d4edda;
border-color: #c3e6cb;
}
[hidden] { display: none; }
</style>
</head>
<body>
<a href="https://gimme-a-token.5eb.nl" class="h-app u-url p-name hide-link"><h1>Gimme an Access Token</h1></a>
This page helps you to <a href="https://indieweb.org/obtaining-an-access-token">obtain an access token</a>
or <a href="https://indieweb.org/IndieAuth">IndieAuth</a>, that you can use with home-made Micropub clients
in IFTTT, Workflow and the like.<br>
This page looks hacky on purpose, use at your own risk. Needs javascript, because it works on your own computer.<br>
You can also save this HTML page to your own computer first, if that makes you feel safer.
See <a href="https://github.com/sebsel/gimme-a-token">the code</a> or file an <a href="https://github.com/sebsel/gimme-a-token/issues/new">issue</a>.
<hr>
<b>Step 1</b> fill out this form:
<form action="https://indieauth.com/auth" id="step-1" target="_blank">
<h3>Me</h3>
<p>
<input type="url" name="me" id="me" value="http://example.com" onblur="syncMe(this.value)" /><br>
IndieAuth works with URLs to identify yourself online. What is the URL you want to use to identify with? Usually, this is the URL of your homepage.
</p>
<h3>Authorization Endpoint</h3>
<p>
<input type="url" value="https://indieauth.com/auth" onblur="syncAuthEndpoint(this.value)" /><br>
What is your Authorization Endpoint? You can find this by looking for <code>rel="authorization_endpoint"</code> if you view the source of your homepage.
</p>
<p>
You can also use <a href="https://indieweb-endpoints.cc" rel="nofollow">indieweb-endpoints.cc</a> or <a href="https://xray.p3k.io/" rel="nofollow">XRay</a> to find
it for you, based on your me-URL. Look for the <code>authorization_endpoint</code> value, but also look for the <code>token_endpoint</code> while you're at it: you need it in step 2.
</p>
<p hidden id="discover">
<a href="https://indieweb-endpoints.cc/" id="discover-endpoints" class="button main" rel="nofollow" target="_blank">use IndieWeb Endpoints</a>
<a href="https://xray.p3k.io/rels?url=" id="discover-xray" class="button main" rel="nofollow" target="_blank">use XRay</a>
for <code id="discover-url"></code>
</p>
<p id="discover-button">
<button type="button" onclick="syncMe(document.getElementById('me').value)">Show buttons for IndieWeb Endpoints and XRay based on 'me' value</button>
</p>
<h3>Client ID</h3>
<p>
<input type="url" name="client_id" value="https://gimme-a-token.5eb.nl/" onblur="syncClientId(this.value)" /><br>
The URL of the app you request a token for. This is more for administration purposes, but it's good to pick a sensible one.
It is important that it's on <code>http://</code> or <code>https://</code> and it must have a path, so end in with a slash (<code>/</code>) if you only choose a domain.
</p>
<p>
<strong>Note</strong>: servers will try to fetch this URL to verify the <code>redirect_uri</code> (see below).<br>
Gimme-a-token.5eb.nl will advertize the <code>redirect_uri</code> as shown below to them. If you pick another <code>client_id</code>, some servers might try to protect you
and give a warning, because the <code>redirect_uri</code> is on a different domain than your <code>client_id</code>.
</p>
<h3>Scope</h3>
<p>
<input type="text" name="scope" value="create update"/><br>
A space-separated list of things you would like to request permission for.
</p>
<h3>State</h3>
<p>
<input type="text" name="state" id="state" required/><br>
This field is set to a set of random characters. You can leave it as is. This parameter makes sure no-one sits between this page and the Authorization Endpoint.
You can also pick your own random characters if that makes you feel safer.
</p>
<h3>More values</h3>
<p>
The following fields are also needed for your endpoint, but you can safely ignore them here: we're just showing them for transparency.
</p>
<h4>Response Type</h4>
<input type="text" name="response_type" value="code" readonly/>
<h4>Redirect URI</h4>
<input type="text" name="redirect_uri" id="redirect_uri" value="https://nonexisting-domain.invalid/redirect_uri" readonly/>
<p>
<input type="submit" class="main" value="To login">
<br>
Clicking on the button will send the above fields to the specified Authorization Endpoint. There you can sign in and approve the new token.
After the signing, you will be redirected to <code>https://nonexisting-domain.invalid/redirect_uri</code>, which does not exist. This is on purpose. See step 2.
</p>
</form>
<hr>
<b>Step 2</b> Getting the code
<form action="https://tokens.indieauth.com/token" id="step-2" method="POST" target="_blank">
<h3>Redirected URL</h3>
<p>
On the other window, you will see an empty window for a non-existing page, on a url similar to this one:
<code>
https://nonexisting-domain.invalid/redirect_uri?code=xxx&me=http%3A%2F%2Fexample.com%2F
</code><br>
... where 'xxx' is the code, which we need. You can paste the URL into this box and press the button, which will do some URL-parsing and URL-decoding for you.
It will also verify the state.
</p>
<p>
<textarea id="redirected-url" rows="5"></textarea><br>
<button type="button" onclick="parseRedirectedUrl()">Parse</button>
</p>
<div hidden id="state-warning"><strong>Watch out!</strong>
The state does not match up! Someone is trying to mess with you.
Or did you refresh this page? That changes the state too.
</div>
<div hidden id="state-success">The state parameter is valid.</div>
<hr>
<b>Step 3</b> Getting the token
<h3>Code</h3>
<p>
<textarea name="code" id="code" rows="5"></textarea><br>
This field should have been filled in after you clicked the button above. You can leave it here.
</p>
<h3>Token Endpoint</h3>
<p>
<input type="text" id="token_endpoint" value="https://tokens.indieauth.com/token" onblur="syncTokenEndpoint(this.value)"><br>
This is the place where we will send your code to, so you can download the token. You can discover this the same way as you did
with the Authorization Endpoint, but now looking for the <code>token_endpoint</code> rel value.
</p>
<h3>More values</h3>
<p>
These values come from step 1, and should have changed to what you filled in there. You can leave them as is.
</p>
<h4>Me</h4>
<input type="url" name="me" value="https://example.com/" id="step-2-me" readonly />
<h4>Client ID</h4>
<input type="url" name="client_id" value="https://gimme-a-token.5eb.nl/" id="step-2-client_id" readonly />
<h4>Grant Type</h4>
<input type="text" name="grant_type" value="authorization_code" readonly/>
<h4>Redirect URI</h4>
<input type="text" name="redirect_uri" value="https://nonexisting-domain.invalid/redirect_uri" readonly/>
<p>
<input type="submit" class="main" value="Download token"><br>
After clicking on "Download token", another new window will open, this time with your new access token (and some other stuff).
Depending on how your token endpoint is set up, your browser might attempt to download a file. You can just download it and open it with a text editor.
</p>
You will see something like this:
<pre><code>
{
"access_token": "XXXXXX",
"token_type": "Bearer",
"scope": "create update",
"me": "https://user.example.net/"
}
</code></pre>
Where 'xxx' is your access token. Have fun with it, but remember: <strong>that thing is your password</strong>. Use it wisely.
</form>
<br><br>
<button onclick="document.getElementById('extra-box').removeAttribute('hidden')">Weird response?</button>
<div hidden id="extra-box">
<br><br>
Seems like you hit an older token endpoint. No probs, here is another box to decode it!
<h3>Response</h3>
<textarea id="token-response" rows="5"></textarea><br>
<button type="button" onclick="parseTokenResponse()">Parse</button>
<h3>Access Token</h3>
<textarea id="access-token" rows="5"></textarea><br>
Again: this is your password, use it wisely.
</div>
<hr>
by <a href="https://seblog.nl/">Sebastiaan Andeweg</a> | <a href="https://github.com/sebsel/gimme-a-token">Source</a> | <a href="https://github.com/sebsel/gimme-a-token/issues">Issues</a>
<script>
function syncMe(value) {
document.getElementById('step-2-me').value = value;
document.getElementById('discover-xray').href = 'https://xray.p3k.io/rels?url=' + encodeURIComponent(value);
document.getElementById('discover-endpoints').href = 'https://indieweb-endpoints.cc/search?url=' + encodeURIComponent(value);
document.getElementById('discover-url').innerText = value;
document.getElementById('discover').removeAttribute('hidden');
document.getElementById('discover-button').setAttribute('hidden', true);
}
function syncAuthEndpoint(value) {
document.getElementById('step-1').action = value;
}
function syncTokenEndpoint(value) {
document.getElementById('step-2').action = value;
}
function syncClientId(value) {
document.getElementById('step-2-client_id').value = value;
}
function parseRedirectedUrl() {
var url = document.getElementById('redirected-url').value;
var state = findQueryParam(url, 'state');
if (document.getElementById('state').value === state) {
document.getElementById('state-success').removeAttribute('hidden');
document.getElementById('state-warning').setAttribute('hidden', true);
} else {
document.getElementById('state-warning').removeAttribute('hidden');
document.getElementById('state-success').setAttribute('hidden', true);
}
document.getElementById('code').value = findQueryParam(url, 'code');
}
function parseTokenResponse() {
var response = '?' + document.getElementById('token-response').value;
document.getElementById('access-token').value = findQueryParam(response, 'access_token');
}
function findQueryParam(url, field) {
var result = 'unable to find ' + field;
try {
var vars = url.split('?')[1].split('&');
for (var i = 0; i < vars.length; i++) {
console.log(vars)
var pair = vars[i].split('=');
if (pair[0] === field) {
result = decodeURIComponent(pair[1]);
break;
}
}
} catch(e) {
console.error(e, url, vars);
}
return result;
}
function ready(fn) {
if (document.attachEvent ? document.readyState === "complete" : document.readyState !== "loading") fn();
else document.addEventListener('DOMContentLoaded', fn);
}
function randomString() {
return Math.random().toString(36).substring(7);
}
function setState() {
document.getElementById('state').value = randomString() + randomString() + randomString() + randomString();
}
ready(setState);
</script>
</body>
</html>