andstatus / andstatus

Multiple accounts client for multiple Social networks. For Android
http://andstatus.org/
Apache License 2.0

Support FedBOX as an ActivityPub server #555

Closed yvolk closed 1 year ago

yvolk commented 2 years ago

@mariusor, the developer of FedBOX ( https://github.com/go-ap/fedbox ), suggested starting a discussion about making the AndStatus client work with a FedBOX server via the ActivityPub C2S protocol ( https://mastodon.social/@AndStatus/108326841582823684 ).

This thread ("issue") will help us openly communicate during the work that will probably require making some changes on both sides.

I think that the easiest way for us to make AndStatus and FedBOX work together is to investigate simultaneously on both sides: me accessing a FedBOX server instance using the AndStatus client and @mariusor looking at this from the FedBOX server instance side.

So @mariusor, could you create an "andstatus" user account at your developer's FedBOX instance? Please send me connection details to andstatus@gmail.com, and I will start testing, debugging and posting results here. Or maybe I can create an account myself.

mariusor commented 2 years ago

I will do that ASAP, what do you guys use for a callback URL for OAuth2?

yvolk commented 2 years ago

"http://oauth-redirect.andstatus.org" (see org.andstatus.app.net.http.HttpConnectionInterface.Companion#getCALLBACK_URI )

There is a lot of information/discussion on this in this project's Issues. Please start with https://github.com/andstatus/andstatus/issues/548

mariusor commented 2 years ago

I sent an email. Let me know what fails. :P

yvolk commented 2 years ago

Hi @mariusor. After reading your emails I think that we need to return to the start in order to understand what our goal is. What I currently see are notes that aren't simple enough even for a developer, unfortunately.

My opinion:

Our goal is:

  1. Use ActivityPub C2S with authentication/authorization protocols that fit it (are good for it...).
  2. Adapt both AndStatus and FedBOX so that an ordinary User (i.e. a person without special education) could use "FedBOX Social Network" as an "ActivityPub type" social network via AndStatus Android application (AndStatus supports several types of Social networks. ActivityPub is one of them).
  3. Create an instruction for a User. The instruction should be simple enough to make this work, including all necessary registration steps and application settings.

Correct?

mariusor commented 2 years ago

Hi @yvolk, I generally agree.

But I guess for me the first priority is to write proper documentation that can help a developer to create an OAuth2 client application that can operate on FedBOX instances. I will focus this reply on this.

I'll summarize here the minimal information (that I believe) you would need to get started.

  1. FedBOX uses a simple OAuth2 login mechanism and you have the credentials already (the client UUID and secret)
  2. The OAuth2 authorize URL for FedBOX is: https://federated.id/oauth/authorize
  3. The client authorization should be done as a basic auth Authorization header for this step.
  4. The OAuth2 token URL is: https://federated.id/oauth/token
  5. If you follow a regular authorization code grant flow you should be redirected to a FedBOX login form that you need to display in a webview.
  6. Once the user logs in successfully, the webview gets redirected to the redirect URL you mentioned in the ticket.
  7. There's no mechanism to actually create a user account without using another application. I will send you another email with an invitation to create a user account.

An example for a valid URL that starts the authorization process:

    # Needs Basic Auth
    https://federated.id/oauth/authorize?response_type=code&client_id=3a0b5d1a-6666-45ae-6666-0b1867c90666&state=verifyme&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback

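
The flow outlined in the comment above, sketched from the client side as an added example (not code from FedBOX or AndStatus): it builds the authorization URL with a per-attempt random `state`, validates the redirect the webview lands on, and prepares the token request. The function names, the use of Basic auth on the token request and the standard RFC 6749 form fields are assumptions; the endpoint and callback URLs are the ones quoted in this thread.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://federated.id/oauth/authorize"  # quoted in the thread
TOKEN_URL = "https://federated.id/oauth/token"          # quoted in the thread
REDIRECT_URI = "http://oauth-redirect.andstatus.org"    # AndStatus callback from the thread


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client credentials as an HTTP Basic Authorization header value."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def start_authorization(client_id: str) -> tuple[str, str]:
    """Return (url, state). The state is random per attempt and kept by the client."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "state": state, "redirect_uri": REDIRECT_URI})
    return f"{AUTHORIZE_URL}?{query}", state


def handle_redirect(redirected_url: str, expected_state: str) -> str:
    """Validate the URL the webview was redirected to and return the code."""
    got, want = urlsplit(redirected_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise ValueError("redirect went to an unexpected origin")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not match this request")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request(code: str, client_id: str, client_secret: str) -> dict:
    """Describe the POST that exchanges the code for a token (nothing is sent).
    Assumption: standard RFC 6749 form fields with Basic client authentication."""
    return {"url": TOKEN_URL,
            "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "authorization_code", "code": code,
                               "redirect_uri": REDIRECT_URI})}
```
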
yvolk commented 2 years ago

@mariusor I wrote about an instruction for a User exactly because this is the first thing that is needed for me, the developer of AndStatus, to start development/changes of AndStatus to work with FedBOX.

From the above information I still don't know how to start. Please help me, as you already wrote what you think is the first priority :-)

Please look at the "User scenario" that I'm starting to write, and explain, give details or correct me.

  1. A Person wants to join a community that is associated with the host (the instance of the Social network) "fedbox1.example.com". E.g. because he has read somewhere about this Social Network instance.

  2. The Person navigates his Internet browser to the https://fedbox1.example.com to figure out what to do for this.

  3. On the http://fedbox1.example.com page he reads that he needs to register in the network.

  4. The Person registers in the "fedbox1.example.com instance". And he chooses "User1" as his username in this network. @mariusor Where does the Person register, and what does he know (or what does he get) after the registration that will be needed when adding a User account in the AndStatus app?

  5. The Person also reads that he needs to install AndStatus Android app from one of the links at this page: https://github.com/andstatus/andstatus#readme

  6. The Person installs and launches AndStatus app.

  7. On the first screen of the app the Person taps the "Get Started" button.

  8. "Type of Social network" screen opens, providing a choice of 5 types (Mastodon, Twitter, ActivityPub, GnuSocial and Pump.io).

  9. The Person selects "ActivityPub".

  10. A screen form to be filled in order to start addition of a new ActivityPub account is opened. The screen has only one field to fill: "Username@your.server", and the field has this tip:

    Your unique name in the "ActivityPub" Social network. 
    It looks like an email address, with your username then "@" then your server. E.g. AndStatus@pleroma.site...

  11. The Person types: "User1@fedbox1.example.com" and taps "Add this account" button. @mariusor As I understand this FedBOX instance needs something else?! What should the Person type in what fields?

  12. Using provided information about the instance of the ActivityType Social network (that happens to be FedBOX instance) AndStatus app starts OAuth... process.

  13. What AndStatus currently does: it extracts hostname from the "unique name" that the Person provided ( fedbox1.example.com ) and tries to Register "AndStatus client instance" (i.e. register AndStatus app installed on this Android device) in the "fedbox1.example.com" server instance...

@mariusor As I understand, you expect something else here, what exactly?

@mariusor What are the next steps in terms of the information that was provided above? I mean that obviously AndStatus knows nothing (yet...) about e.g. "https://fedbox1.example.com/oauth/authorize" that you mentioned in point 2 of your "OAuth scenario", as I will call it.