OAuth for authenticated users not working as expected #352
Reference: AkkomaGang/akkoma#352
Your setup
Akkoma 3.4.0 (ng.cathoderay.tube)
What were you trying to do?
Trying to use OAuth with an app ( https://mastolab.kal-tsit.halcy.de/day05/ ) written with Mastodon.py as a user that is already logged into Akkoma, with no force-reauth, requesting scopes "read:accounts", "read:statuses" and "write:statuses", with a uuid1 string as the state parameter.
What did you expect to happen?
A screen asking me if it's okay to grant the permissions requested, followed by a redirect with code and state parameters in the request.
What actually happened?
An instant redirect without any parameters.
Relative severity (does this prevent you from using the software as normal?)
[ ] I cannot use the software
[ ] I cannot use it as easily as I'd like
[x] I can manage
It's a bit annoying. I'm not actually 100% sure if my usage is out of spec or if this is a bug here, but I think it might be (point of reference: the same code does work with masto, and it also works if I log out of Akkoma first / use the application from a private window) - if the request was invalid, it would in any case be more useful to have an error message.
check your redirect_uri in the oauth application you registered
if it does not match exactly the location header you're being given on redirect, it won't give you any parameters (i literally just ran into this one hehe)

Had a look at what request the browser sends:
This, at least, looks correct to me: It's https://mastolab.kal-tsit.halcy.de/day05/auth in both cases. There should not be a way for the URL the app was registered with to be different, but I'll ask the admin to have a look (don't think I can check it out myself).
Quite confused still by how it works when I do it in a private window (i.e. as a not logged in user). Same request URI:
https://ng.cathoderay.tube/oauth/authorize?client_id=VM3VQ771gLay1RBndXnP40UaU5Foxw2ssODI0jnNZH0&response_type=code&redirect_uri=https%3A%2F%2Fmastolab.kal-tsit.halcy.de%2Fday05%2Fauth&scope=read%3Aaccounts+read%3Astatuses+write%3Astatuses&force_login=False&state=96ca14a6-7728-11ed-bcfe-c86000bc3e25&lang=None
I get shown the login form, log in, get the parameters. I'd understand if both or neither worked, but this is weird.
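As an added example (not Akkoma's or Mastodon.py's code), here is the exact-match redirect_uri rule from the reply above applied to the authorize request quoted in this thread, plus a client-side check of the callback that distinguishes the reported symptom (a bare redirect) from a correct one (code and matching state present). The registered URI list and the callback URLs are taken from or constructed after the values in the thread.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Sample data: the authorize request quoted in the thread, and the redirect_uri
# the reporter says the application was registered with.
AUTHORIZE_URL = (
    "https://ng.cathoderay.tube/oauth/authorize?client_id=VM3VQ771gLay1RBndXnP40UaU5Foxw2ssODI0jnNZH0"
    "&response_type=code&redirect_uri=https%3A%2F%2Fmastolab.kal-tsit.halcy.de%2Fday05%2Fauth"
    "&scope=read%3Aaccounts+read%3Astatuses+write%3Astatuses&force_login=False"
    "&state=96ca14a6-7728-11ed-bcfe-c86000bc3e25&lang=None"
)
REGISTERED_REDIRECT_URIS = ["https://mastolab.kal-tsit.halcy.de/day05/auth"]


def single_param(query: dict, name: str) -> Optional[str]:
    """Return a query parameter only if it appears exactly once; duplicates are rejected."""
    values = query.get(name, [])
    return values[0] if len(values) == 1 else None


def redirect_uri_allowed(requested: str, registered: list) -> bool:
    """RFC 6749 section 3.1.2.3: plain string comparison against the registered URIs.
    No normalisation, so a trailing slash, other scheme or extra query part all fail."""
    return requested in registered


def check_authorize_request(url: str, registered: list) -> dict:
    """Server-side view: what the authorization endpoint should verify before redirecting."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    redirect_uri = single_param(q, "redirect_uri")
    return {
        "redirect_uri": redirect_uri,
        "redirect_uri_ok": redirect_uri is not None and redirect_uri_allowed(redirect_uri, registered),
        "state": single_param(q, "state"),
        "scopes": (single_param(q, "scope") or "").split(),
    }


def check_callback(callback_url: str, expected_redirect_uri: str, expected_state: str) -> dict:
    """Client-side view: the browser must land on the registered URI carrying a code
    and the same state we sent. A bare redirect (the symptom in this issue) fails both."""
    parts = urlsplit(callback_url)
    base = parts._replace(query="", fragment="").geturl()
    q = parse_qs(parts.query)
    return {
        "landed_on_registered_uri": base == expected_redirect_uri,
        "has_code": single_param(q, "code") is not None,
        "state_ok": single_param(q, "state") == expected_state,
    }
```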