loomio / loomio-deploy

Install Loomio on your own server


OAuth set up clarification

TakeV-Lambda opened this issue · comments

Hi there!

We recently set up a loomio instance for our community (loving it so far), but there are some things I am not clear on when it comes to setting up loomio to point to a custom oauth provider, and the documentation does not seem to clarify things.

For context, we are running a custom mastodon server as well, and would like to allow members from that server to log into the loomio instance via mastodon.

  • To create an app from mastodon, we require a redirect URL. Is there a specific URL path we should point to for that? For instance, should I be redirecting to "loomio.example.com" or "loomio.example.com/foo/bar/baz"?
  • Am I supposed to configure via the "OAUTH_xxx" env variables?
  • If so, which variables in that set are required? Mastodon does not look like it uses a PROFILE_URL or any of the OAUTH_ATTR fields.

Hi, sorry the documentation isn't great here. Let's try to fix that.

The redirect URL should be
https://loomio.example.com/oauth/authorize

Yes, configure via OAUTH_ variables

OAuth is a big horrible mess of a standard, and every system implements it differently. It's going to take some investigation of how mastodon's implementation works to understand how to complete this.

Perhaps I could help with some of it! I know the mastodon spec and API.

Was able to get pretty far with just that clarification, actually.

The relevant docs are here:

My steps were the following:

  1. Register an app with mastodon via curl (Yeah, no other way...). The command I used was curl -X POST "https://masto.example.com/api/v1/apps?client_name=mastodon-loomio&redirect_uris=https://loomio.example.com/oauth/authorize", which returns the key and secret (also vapid key, but I do not know what that does).
  2. Set loomio's env OAUTH_AUTH_URL to https://masto.example.com/oauth/authorize
  3. Set loomio's env OAUTH_TOKEN_URL to https://masto.example.com/oauth/token
  4. Set OAUTH_ATTR_NAME to username
  5. Populate the client and secret with the results of the curl to register a mastodon app

Right now, it is erroring out because of the missing OAUTH_PROFILE_URL. Unsure what that is supposed to be, and I cannot find the specs describing it. I was assuming that it is the API call to get a user account, but the API explicitly requires passing the user's mastodon id (the endpoint being https://masto.example.com/api/v1/:id).

Additionally, the email of an account can only be obtained from the admin API endpoint at https://masto.example.com/api/v1/admin/accounts/:id. There is also a v2 version, but I believe the pertinent data is returned by both. All admin endpoints require a bearer token, however.

I think both account endpoints will allow you

Not sure at all about the OAUTH_SCOPE.

Thanks!

Nice work.

It might be optional, but it would be great if doorkeeper implemented some kind of profile URL, that provides a name and avatar, usually.

I'm not able to do much work on this this week, sorry. But I will be doing a bit of work on SSO in a month or so.

Sounds great, thank you!

I could also look at it as well, just would need a pointer about where in the source to get started.

I am also in the process of trying to figure out how to get it working with Gitea/Forgejo. I can probably share how to do it next week.

I also noticed that Discord Oauth2 is missing, but the channels bot supports it, might be an useful addition.

I am running into a similar issue with Gitea. No idea what the OAUTH_SCOPE endpoint might be, and when not setting it I get this error: KeyError (key not found: "OAUTH_SCOPE"):

The Gitea oauth2 provider docs are also not that helpful on the matter, but they do mention the option of an OpenID Connect Discovery feature via:

/.well-known/openid-configuration

Maybe supporting this would be the easiest? Edit: Link to an example: https://codeberg.org/.well-known/openid-configuration

Edit: Ah, looks like the .well-known endpoint actually works as the OAUTH_SCOPE. Need to test a bit more, but I got a successful login via Oauth2 and Gitea just now it seems.

I'm sorry, I've been really unwell with flu for weeks now. I don't have much brain space to help with this currently.

I'd need to try setting this up to debug it for you.

No worries. Get better soon.

I think I got it working with Forgejo (Gitea). Just need to test a few edge cases.

Please consider sharing your config here. I'm going to update the README... or at least the default_env with some OAUTH examples for specific systems.

Ok here is what seems to work with Forgejo (Gitea).

Currently busy with something else, so this still isn't fully tested, but it seems to work for logging into existing Loomio accounts:

OAUTH_AUTH_URL='https://example.org/login/oauth/authorize'
OAUTH_TOKEN_URL='https://example.org/login/oauth/access_token'
OAUTH_PROFILE_URL='https://example.org/login/oauth/userinfo'
OAUTH_SCOPE='https://example.org/.well-known/openid-configuration'
OAUTH_APP_KEY='getfromprovider'
OAUTH_APP_SECRET='getfromprovider'
OAUTH_ATTR_UID='name'
OAUTH_ATTR_NAME='preferred_username'
OAUTH_ATTR_EMAIL='email'
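The Forgejo config above lines up with what a provider's /.well-known/openid-configuration document advertises. As an added example (not loomio-deploy's own code), this Python script maps such a discovery document onto the OAUTH_* variables named in this thread, refusing any non-HTTPS endpoint and flagging endpoints hosted away from the issuer; the discovery document is a constructed sample, and the OAUTH_SCOPE and OAUTH_ATTR values simply follow the config posted above.

```python
"""Map an OpenID Connect discovery document onto Loomio's OAUTH_* variables.

Added example for this thread, not loomio-deploy's own code. The variable
names are the ones used in the thread; the sample document is constructed.
"""
import json
from urllib.parse import urlparse

# Constructed sample in the shape of /.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.org/",
    "authorization_endpoint": "https://example.org/login/oauth/authorize",
    "token_endpoint": "https://example.org/login/oauth/access_token",
    "userinfo_endpoint": "https://example.org/login/oauth/userinfo",
    "scopes_supported": ["openid", "profile", "email"],
})

ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def loomio_oauth_env(discovery_json, discovery_url, app_key, app_secret):
    """Return (env_dict, warnings); raise ValueError if the document is unusable."""
    doc = json.loads(discovery_json)
    missing = [k for k in ("issuer",) + ENDPOINTS if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    issuer_host = urlparse(doc["issuer"]).netloc
    warnings = []
    for key in ENDPOINTS:
        u = urlparse(doc[key])
        # Authorization codes and tokens travel to these URLs, so plain http is rejected
        # outright; a different host is only flagged, since some providers do that legitimately.
        if u.scheme != "https":
            raise ValueError(f"{key} {doc[key]!r} is not https")
        if u.netloc != issuer_host:
            warnings.append(f"{key} host {u.netloc} differs from issuer host {issuer_host}")
    env = {
        "OAUTH_AUTH_URL": doc["authorization_endpoint"],
        "OAUTH_TOKEN_URL": doc["token_endpoint"],
        "OAUTH_PROFILE_URL": doc["userinfo_endpoint"],
        "OAUTH_SCOPE": discovery_url,  # the thread reports the discovery URL working here
        "OAUTH_APP_KEY": app_key,
        "OAUTH_APP_SECRET": app_secret,
        "OAUTH_ATTR_UID": "name",  # claim names copied from the Forgejo config above
        "OAUTH_ATTR_NAME": "preferred_username",
        "OAUTH_ATTR_EMAIL": "email",
    }
    return env, warnings


def render_env(env):
    """Render in the single-quoted KEY='value' form used in the thread's config."""
    return "\n".join(f"{k}='{v}'" for k, v in env.items())
```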