OAuth for authenticated users not working as expected #352

New Issue

Open

opened 2022-12-08 12:18:16 +00:00 by halcy · 2 comments

halcy commented

2022-12-08 12:18:16 +00:00

Your setup

Akkoma 3.4.0 (ng.cathoderay.tube)

What were you trying to do?

Trying to use oauth with an app ( https://mastolab.kal-tsit.halcy.de/day05/ ) written with Mastodon.py as a user that is already logged into akkoma, with no force-reauth, requesting scopes "read:accounts", "read:statuses" and "write:statuses", with a uuid1 string as state parameter.

What did you expect to happen?

A screen asking me if it's okay to grant the permissions requested, followed by a redirect with code and state parameters in the request.

What actually happened?

An instant redirect without any parameters.

Relative severity (does this prevent you from using the software as normal?)

[ ] I cannot use the software
[ ] I cannot use it as easily as I'd like
[x] I can manage

It's a bit annoying. I'm not actually 100% sure if my usage is out of spec or if this is a bug here, but I think it might be (point of reference: same code does work with masto, and it also works if I log out of akkoma first / use the application from a private window) - if the request was invalid, it would in any case be more useful to have an error message.

## Your setup Akkoma 3.4.0 (ng.cathoderay.tube) ## What were you trying to do? Trying to use oauth with an app ( https://mastolab.kal-tsit.halcy.de/day05/ ) written with Mastodon.py as a user that is already logged into akkoma, with no force-reauth, requesting scopes "read:accounts", "read:statuses" and "write:statuses", with a uuid1 string as state parameter. ## What did you expect to happen? A screen asking me if it's okay to grant the permissions requested, followed by a redirect with code and state parameters in the request. ## What actually happened? An instant redirect without any parameters. ## Relative severity (does this prevent you from using the software as normal?) [ ] I cannot use the software [ ] I cannot use it as easily as I'd like [x] I can manage It's a bit annoying. I'm not actually 100% sure if my usage is out of spec or if this is a bug here, but I think it might be (point of reference: same code does work with masto, and it also works if I log out of akkoma first / use the application from a private window) - if the request was invalid, it would in any case be more useful to have an error message.

floatingghost commented

2022-12-08 17:49:17 +00:00

Owner

check your redirect_uri in the oauth application you registered

if it does not match exactly the location header you're being given on redirect, it won't give you any parameters (i literally just ran into this one hehe)

check your redirect_uri in the oauth application you registered if it does not match exactly the `location` header you're being given on redirect, it won't give you any parameters (i literally just ran into this one hehe)

halcy commented

2022-12-08 18:47:10 +00:00

Author

Had a look at what request the browsed sends:

This, at least, looks correct to me: It's https://mastolab.kal-tsit.halcy.de/day05/auth in both cases. There should not be a way for the URL the app was registered with to be different, but I'll ask the admin to have a look (don't think I can check it out myself).

Quite confused still by how it works when I do it in a private window (i.e. as a not logged in user). Same request URI:

https://ng.cathoderay.tube/oauth/authorize?client_id=VM3VQ771gLay1RBndXnP40UaU5Foxw2ssODI0jnNZH0&response_type=code&redirect_uri=https%3A%2F%2Fmastolab.kal-tsit.halcy.de%2Fday05%2Fauth&scope=read%3Aaccounts+read%3Astatuses+write%3Astatuses&force_login=False&state=96ca14a6-7728-11ed-bcfe-c86000bc3e25&lang=None

I get shown the login form, log in, get the parameters. I'd understand if both or neither worked, but this is weird.

Had a look at what request the browsed sends: ![http://aka-san.halcy.de/share/500_Internal_Server_Error__Firefox_Developer_Edit_2022-12-08_20-40-58.png](http://aka-san.halcy.de/share/500_Internal_Server_Error__Firefox_Developer_Edit_2022-12-08_20-40-58.png) This, at least, looks correct to me: It's https://mastolab.kal-tsit.halcy.de/day05/auth in both cases. There should not be a way for the URL the app was registered with to be different, but I'll ask the admin to have a look (don't think I can check it out myself). Quite confused still by how it works when I do it in a private window (i.e. as a not logged in user). Same request URI: https://ng.cathoderay.tube/oauth/authorize?client_id=VM3VQ771gLay1RBndXnP40UaU5Foxw2ssODI0jnNZH0&response_type=code&redirect_uri=https%3A%2F%2Fmastolab.kal-tsit.halcy.de%2Fday05%2Fauth&scope=read%3Aaccounts+read%3Astatuses+write%3Astatuses&force_login=False&state=96ca14a6-7728-11ed-bcfe-c86000bc3e25&lang=None I get shown the login form, log in, get the parameters. I'd understand if both or neither worked, but this is weird.

No Milestone

No project

No Assignees

2 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#352

No description provided.