andstatus / andstatus

Multiple accounts client for multiple Social networks. For Android
http://andstatus.org/
Apache License 2.0

OAuth2 flow for ActivityPub C2S #549

Closed diogogithub closed 2 years ago

diogogithub commented 2 years ago

Hi, currently working on adding ActivityPub C2S support to GNU social v3.

We want to test it with AndStatus while implementing. We started by adding OAuth2. We are unsure what the correct flow for authentication is... What should happen after the return from /api/v1/apps? We are returning a JSON similar to the example one, except for the vapid_key. Is this what AndStatus expects? If so, what should we do next?

GNU social Logs

request.INFO: Matched route "oauth2_apps". {"route":"oauth2_apps","route_parameters":{"_route":"oauth2_apps","_controller":["Plugin\\OAuth2\\Controller\\Apps","__invoke"],"_format":"html","_fragment":"","_locale":"en","template":"","accept":[],"is_system_path":true},"request_uri":"https://testv3.gnusocial.rocks/api/v1/apps?p=%2Fapi%2Fv1%2Fapps","method":"POST"} []
app.DEBUG: OAuth2 Apps: Received a POST request. [] []
app.DEBUG: OAuth2 Apps: Request content:  ["{\"client_name\":\"AndStatus\",\"redirect_uris\":\"http:\\/\\/oauth-redirect.andstatus.org\",\"scopes\":\"read write follow\",\"website\":\"http:\\/\\/andstatus.org\"}"] []
doctrine.DEBUG: SELECT NEXTVAL('oauth2_client_meta_id_seq') [] []
app.DEBUG: OAuth2 Apps: Created App:  [{"Trikoder\\Bundle\\OAuth2Bundle\\Model\\Client":"0366edaddc24cce99d9bd1746d6c76eb"},{"Plugin\\OAuth2\\Entity\\OAuth2ClientMeta":[]}] []
app.DEBUG: OAuth2 Apps: Create App Meta:  [{"id":12,"name":"AndStatus","website":"http://andstatus.org","redirect_uri":"http://oauth-redirect.andstatus.org","client_id":"0366edaddc24cce99d9bd1746d6c76eb","сlient_secret":"63ab7a758e5dd68d3526c5171b663b4f8641ce79efa9349be412f78994c158ceb62f94ac96de7b70035b8c69f4cc2bc84f6951d59abf96184c415633f48b22e7"}] []
doctrine.DEBUG: "START TRANSACTION" [] []
doctrine.DEBUG: INSERT INTO oauth2_client_meta (id, identifier, client_name, website, created, modified) VALUES (?, ?, ?, ?, ?, ?) {"1":12,"2":"0366edaddc24cce99d9bd1746d6c76eb","3":"AndStatus","4":"http://andstatus.org","5":"2022-01-14T16:48:22+00:00","6":"2022-01-14T16:48:22+00:00"} []
doctrine.DEBUG: INSERT INTO oauth2_client (secret, redirect_uris, grants, scopes, active, allow_plain_text_pkce, identifier) VALUES (?, ?, ?, ?, ?, ?, ?) {"1":"63ab7a758e5dd68d3526c5171b [...]","2":[{"Trikoder\\Bundle\\OAuth2Bundle\\Model\\RedirectUri":"http://oauth-redirect.andstatus.org"}],"3":[{"Trikoder\\Bundle\\OAuth2Bundle\\Model\\Grant":"client_credentials"}],"4":[{"Trikoder\\Bundle\\OAuth2Bundle\\Model\\Scope":"read"},{"Trikoder\\Bundle\\OAuth2Bundle\\Model\\Scope":"write"},{"Trikoder\\Bundle\\OAuth2Bundle\\Model\\Scope":"follow"}],"5":true,"6":false,"7":"0366edaddc24cce99d9bd1746d6c76eb"} []
doctrine.DEBUG: "COMMIT" [] []

AndStatus Logs

2022-01-14-16-07-19_log.txt
2022_01_14_16_07_20_280_testv3_gnusocial_rocks_oauth_register_client.json.txt
2022_01_14_16_07_20_488_testv3_gnusocial_rocks_oauth_register_client.json.txt
2022_01_14_16_07_20_488_testv3_gnusocial_rocks_oauth_register_client.txt

yvolk commented 2 years ago

@diogogithub Good news about GNU Social! Will look into this...

yvolk commented 2 years ago

Hello @diogogithub Unfortunately, the AndStatus log doesn't show the actual cause of the "Register client application" failure. I tried the same host myself ( testv3.gnusocial.rocks ), saw that it doesn't work now, and I improved logging to show the error both in the logs and in the AndStatus UI.

So now I see this in the UI and similar in the logs: Screenshot_1642240649

Please try this Alpha build (or build yourself from current master): AndStatus-60.00-alpha.zip

diogogithub commented 2 years ago

Thank you for looking into this. That error is because I was sleeping and had turned off my computer. Tried with the apk you've sent and got this: Screenshot_20220115-122451.png

I pulled the changes at https://social.hsal.es which is usually always online. :)

diogogithub commented 2 years ago

AndStatus logs when tested with your apk and social.hsal.es:
2022-01-15-12-38-32_log.txt
2022_01_15_12_38_44_418_social_hsal_es_oauth_register_client_post.json.txt
2022_01_15_12_38_44_955_social_hsal_es_oauth_register_client_response.json.txt
2022_01_15_12_38_44_955_social_hsal_es_oauth_register_client_response.txt

yvolk commented 2 years ago

Currently AndStatus clearly says: "AndStatus client registration failed: org.json.JSONException: No value for client_secret". And you know, your payload doesn't have such a value :-)

What looks like it actually has a different first character in the name, one that looks like a Latin "c" :-)
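As an added illustration of the failure diagnosed above (example code, not from AndStatus or GNU social): a small check that parses a registration response the way a strict client does, with exact key lookup, and then explains a missing required key by testing whether a present key is a Cyrillic lookalike for it. The sample response is constructed to mirror the GNU social log line earlier in the thread, and the lookalike table is a hand-picked subset of Unicode's confusables.

```python
import json
import unicodedata

# Hand-picked subset of Cyrillic letters that render identically to Latin ones
# (constructed for this example; Unicode's full confusables list is much longer).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}

# The two fields AndStatus reads from the /api/v1/apps response (per the thread).
REQUIRED_KEYS = ("client_id", "client_secret")

# Constructed sample modelled on the GNU social log line: the key that should
# read "client_secret" starts with CYRILLIC SMALL LETTER ES (U+0441).
BROKEN_RESPONSE = json.dumps({
    "id": 12,
    "client_id": "0366edaddc24cce99d9bd1746d6c76eb",
    "\u0441lient_secret": "63ab7a758e5dd68d3526c5171b663b4f",
})


def non_ascii_chars(key):
    """Describe every character of a JSON key that lies outside printable ASCII."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '?')} at index {i}"
            for i, c in enumerate(key) if not 0x20 <= ord(c) < 0x7F]


def fold_lookalikes(key):
    """Map known Cyrillic lookalikes to their Latin twins, e.g. 'сlient' -> 'client'."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in key)


def check_registration_response(raw):
    """Parse a registration response as a strict client would (exact key names)
    and explain each missing required key. Returns {"missing": [...], "lookalikes": {...}}."""
    obj = json.loads(raw)
    missing = [k for k in REQUIRED_KEYS if k not in obj]
    lookalikes = {}
    for key in obj:
        folded = fold_lookalikes(key)
        if folded != key and folded in missing:
            lookalikes[key] = {"intended": folded, "chars": non_ascii_chars(key)}
    return {"missing": missing, "lookalikes": lookalikes}


if __name__ == "__main__":
    report = check_registration_response(BROKEN_RESPONSE)
    for key, info in report["lookalikes"].items():
        print(f"{key!r} looks like {info['intended']!r}: {'; '.join(info['chars'])}")
```

Run against the constructed response it reports client_secret as missing and names the Cyrillic code point at index 0 of the lookalike key, which is the detail the bare "No value for client_secret" exception hides.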

diogogithub commented 2 years ago

Damn, I thought that kind of typo was a programmer-jokes-only thingy. Just realised that c and the Russian keymap с are on the same key, and I must have switched keymaps accidentally while typing.

yvolk commented 2 years ago

@diogogithub Will you add "me" (whoami) property to the access-token-response? (See e.g. https://github.com/andstatus/andstatus/issues/499#issuecomment-463075969 )

someonewithpc commented 2 years ago

I believe the OAuth flow is now working, with the exception of returning the me property. We were wondering, do you know what the purpose of the id in the response to client registration is? Currently we just hard-coded 42, as we don't have a meaningful numeric ID to return. Is this required for something, or is it a Mastodon thing?

GS dev, btw

yvolk commented 2 years ago

I don't see "id" in the "OAuth 2.0 Dynamic Client Registration Protocol" spec https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1

AndStatus uses only two values from the response: client_id and client_secret.

(see org.andstatus.app.net.http.HttpConnectionOAuth2JavaNet#registerClient )

diogogithub commented 2 years ago

@yvolk @someonewithpc was referring to the /api/v1/apps endpoint. Mastodon shows an id (which seems to be serial) in the response: https://docs.joinmastodon.org/methods/apps/ , and we currently hard-coded a 42: https://code.undefinedhackers.net/GNUsocial/gnu-social/src/branch/v3/plugins/OAuth2/Controller/Client.php#L85

yvolk commented 2 years ago

Yes, I understood you and answered in my previous comment.

So my opinion about the "id" field: "id" is not present in the public OAuth2 spec, and so I would say that you can ignore it and omit it in your implementation.