andstatus / andstatus

Multiple accounts client for multiple Social networks. For Android
http://andstatus.org/
Apache License 2.0

Exception in MyAccountBuilder #585

Open naturzukunft opened 7 months ago

naturzukunft commented 7 months ago

I have now provided the whoami endpoint, then I come across this error:

11-24 13:56:29.464 V/AccountData133: new rdf-pub-admin@dev.rdf-pub.org/ActivityPub from jso: {
  "account": "rdf-pub-admin@dev.rdf-pub.org\/ActivityPub",
  "origin_name": "ActivityPub",
  "username": "rdf-pub-admin",
  "unique_name": "rdf-pub-admin@dev.rdf-pub.org",
  "credentials_verified": "1",
  "oauth": "true",
  "user_id": "0",
  "is_syncable": "true",
  "sync_automatically": "true",
  "fetch_frequency": "0",
  "myversion": "48",
  "order": "1",
  "user_token": "*******",
  "user_secret": "{\"access_token\":\"*****",\"expires_in\":300,\"refresh_expires_in\":1800,\"refresh_token\":\"*****",\"token_type\":\"Bearer\",\"not-before-policy\":1684133009,\"session_state\":\"******",\"scope\":\"read follow write\"}"
}
11-24 13:56:29.478 V/MyQuery: actorwebfinger_idToId; 0+rdf-pub-admin@dev.rdf-pub.org -> 0
11-24 13:56:29.488 D/OAuthClientKeys: Loaded OAuthClientKeysDynamic-17-dev.rdf-pub.org; Keys present
11-24 13:56:29.497 I/MyAccountBuilder:  Load failed: Invalid account; MyAccount: {(invalid) accountName:rdf-pub-admin@dev.rdf-pub.org/ActivityPub,Actor: {origin:ActivityPub, id: 0, webFingerId: rdf-pub-admin@dev.rdf-pub.org, username: rdf-pub-admin},not persistent,OAuth,access:NEVER,credentialsPresent,syncable,syncauto} 
java.lang.Exception
    at org.andstatus.app.util.MyLog.getCurrentStackTrace(MyLog.kt:331)
    at org.andstatus.app.account.MyAccountBuilder.logLoadResult(MyAccountBuilder.kt:73)
    at org.andstatus.app.account.MyAccountBuilder.access$logLoadResult(MyAccountBuilder.kt:42)
    at org.andstatus.app.account.MyAccountBuilder$Companion.loadFromAccountData(MyAccountBuilder.kt:377)
    at org.andstatus.app.account.MyAccountBuilder$Companion$fromJsonString$1.invoke(MyAccountBuilder.kt:369)
    at org.andstatus.app.account.MyAccountBuilder$Companion$fromJsonString$1.invoke(MyAccountBuilder.kt:366)
    at org.andstatus.app.account.MyAccountBuilder$Companion.fromJsonString$lambda$0(MyAccountBuilder.kt:366)
    at org.andstatus.app.account.MyAccountBuilder$Companion.$r8$lambda$GICBHO9t4YawFEbeJv85N1prV5Y(Unknown Source:0)
    at org.andstatus.app.account.MyAccountBuilder$Companion$$ExternalSyntheticLambda0.apply(Unknown Source:2)
    at io.vavr.control.Try.map(Try.java:416)
    at org.andstatus.app.account.MyAccountBuilder$Companion.fromJsonString(MyAccountBuilder.kt:366)
    at org.andstatus.app.account.StateOfAccountChangeProcess.<init>(StateOfAccountChangeProcess.kt:74)
    at org.andstatus.app.account.StateOfAccountChangeProcess.<init>(Unknown Source:0)
    at org.andstatus.app.account.StateOfAccountChangeProcess$Companion.fromStoredState(StateOfAccountChangeProcess.kt:166)
    at org.andstatus.app.account.AccountSettingsActivity.restoreState(AccountSettingsActivity.kt:203)
    at org.andstatus.app.account.AccountSettingsActivity.onCreate(AccountSettingsActivity.kt:167)
    at android.app.Activity.performCreate(Activity.java:8342)
    at android.app.Activity.performCreate(Activity.java:8321)
    at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1421)
    at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3626)
    at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3782)
    at android.app.ActivityThread.handleRelaunchActivityInner(ActivityThread.java:5783)
    at android.app.ActivityThread.handleRelaunchActivity(ActivityThread.java:5674)
    at android.app.servertransaction.ActivityRelaunchItem.execute(ActivityRelaunchItem.java:71)
    at android.app.servertransaction.ActivityTransactionItem.execute(ActivityTransactionItem.java:45)
    at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:138)
    at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2307)
    at android.os.Handler.dispatchMessage(Handler.java:106)
    at android.os.Looper.loopOnce(Looper.java:201)
    at android.os.Looper.loop(Looper.java:288)
    at android.app.ActivityThread.main(ActivityThread.java:7924)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:936)
yvolk commented 6 months ago

Hello @naturzukunft. As I see from the code, the part that says "Invalid account..." simply confirms that the previous steps didn't complete the creation of a new account:

    val isValid: Boolean
        get() {
            return (!deleted
                && actor.actorId != 0L && connection.nonEmpty && data.accountName.isValid
                && actor.oid.isNotEmpty())
        }

Please configure verbose logging in the Troubleshooting section of Settings and look up possible problems in the log (or send it to me for investigation).

yvolk commented 6 months ago

@naturzukunft It may help if you create an account for "andstatus" at your server so I could test it myself!

naturzukunft commented 6 months ago

@yvolk you can register a user here: https://login.m4h.network/auth/realms/LOA/login-actions/registration?client_id=account-console&tab_id=csiOMexnQRQ

yvolk commented 6 months ago

@naturzukunft OK, I registered andstatus@gmail.com there, but in order to access your dev server I need to register something like "andstatus@dev.rdf-pub.org" ?!

naturzukunft commented 6 months ago

I have to check and think about it...

naturzukunft commented 6 months ago

The server was not running, what exactly (endpoint) do you call?

rdf-pub creates the actor profile when the authenticated actor calls its profile for the first time. So if you try to access the profile as an anonymous user before that, it's not available. But whoami should work after registration.

Info, you can check if the server is up with https://dev.rdf-pub.org/actuator/health

naturzukunft commented 6 months ago

That's working: curl --location --request GET 'https://dev.rdf-pub.org/.well-known/webfinger?resource=andstatus'

yvolk commented 6 months ago

@naturzukunft Did you try to connect with the AndStatus app? I'm trying and it's failing at the Client registration step:

  1. AndStatus posts to "https://login.m4h.network/auth/realms/LOA/clients-registrations/openid-connect" this:

    {
      "redirect_uris": [
        "http:\/\/oauth-redirect.andstatus.org"
      ],
      "client_name": "AndStatus",
      "client_uri": "http:\/\/andstatus.org\/andstatus",
      "logo_uri": "http:\/\/andstatus.org\/images\/andstatus-logo.png",
      "scope": "read write follow",
      "policy_uri": "https:\/\/github.com\/andstatus\/andstatus\/blob\/master\/doc\/Privacy-Policy.md"
    }

and gets:

Registration failed with Status code: FORBIDDEN; hard; Error='insufficient_scope'; ; statusCode:FORBIDDEN (403); url:'https://login.m4h.network/auth/realms/LOA/clients-registrations/openid-connect'; response:'{"error":"insufficient_scope","error…'
naturzukunft commented 6 months ago

@naturzukunft Did you try to connect with the AndStatus app?

Yes, that was working, after I did some settings in Keycloak.

I added *.andstatus.org to trusted hosts.

If I ping andstatus.org I get: 64 bytes from www.andstatus.org (185.87.193.233): icmp_seq=1 ttl=52 time=63.0 ms

The request that produces the error above comes from 37.204.0.215?

Fredy

naturzukunft commented 6 months ago

If I do

curl --location --request POST 'https://login.m4h.network/auth/realms/LOA/clients-registrations/openid-connect' \
--header 'Content-Type: application/json' \
--data-raw '{
  "redirect_uris": [
    "http://oauth-redirect.andstatus.org"
  ],
  "client_name": "AndStatus",
  "client_uri": "http://andstatus.org/andstatus",
  "logo_uri": "http://andstatus.org/images/andstatus-logo.png",
  "scope": "read write follow",
  "policy_uri": "https://github.com/andstatus/andstatus/blob/master/doc/Privacy-Policy.md"
}'

I get

{
    "error": "insufficient_scope",
    "error_description": "Policy 'Trusted Hosts' rejected request to client-registration service. Details: Host not trusted."
}

That's OK, because my notebook is not a trusted device.

naturzukunft commented 6 months ago

I think that was your request: (image)

naturzukunft commented 6 months ago

If 37.204.0.215 is your dev machine, I can add it to trusted hosts!

yvolk commented 6 months ago

If 37.204.0.215 is your dev machine, I can add it to trusted hosts!

Yes, currently this is my IP (but it's not static...)

naturzukunft commented 6 months ago

I added it. Try again. If it changes, I have to add the new one ;-(

yvolk commented 6 months ago

@naturzukunft

  1. Client registration succeeded.
  2. Got HTTP 500 response on whoami endpoint (time in UTC):

12-03 12:00:34.999 I/VerifyCredentials2626: A connection error occurred Status code: INTERNAL_SERVER_ERROR; hard; URL: https://dev.rdf-pub.org/api/whoami; Caused by Status code: INTERNAL_SERVER_ERROR; hard; ; statusCode:INTERNAL_SERVER_ERROR (500); url:'https://dev.rdf-pub.org/api/whoami'; response:'{ "reason" : "Internal Server Error…'

naturzukunft commented 6 months ago

ResourceAccessException: I/O error on GET request for "https://login.m4h.network/auth/realms/LOA/protocol/openid-connect/certs": login.m4h.network; nested exception is java.net.UnknownHostException: login.m4h.network

I have to do some setup to access the whoami endpoint from Postman.

naturzukunft commented 6 months ago

I also have trouble accessing Keycloak from Postman. I have to contact my Keycloak admin. Sorry.

naturzukunft commented 6 months ago

^ Tomorrow he will take a look at it.

naturzukunft commented 6 months ago

Info: The admin unfortunately got sick and is still in bed

naturzukunft commented 6 months ago

Today I was able to request a JWT again! Let me know if I should add a new IP address to trusted hosts.

yvolk commented 6 months ago

Hello @naturzukunft ! I see my IP didn't change yet.

yvolk commented 6 months ago

I tested once again

  1. Create ActivityPub account
  2. Unique name: andstatus@dev.rdf-pub.org
  3. Client registration succeeded
  4. Web page prompting for my email and password opened
  5. I typed "andstatus@gmail.com" and the password that I used during registration at https://login.m4h.network/auth/realms/LOA/login-actions/registration?client_id=account-console&tab_id=csiOMexnQRQ
  6. A screen with confirmation opened and I confirmed that I allow AndStatus app to access my account.
  7. Got Access token as I see in logs
  8. Requested: uri: 'https://dev.rdf-pub.org/api/whoami' and successfully got this Person object:

    {
      "id": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2",
      "type": "Person",
      "inboxSparql": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2\/inbox\/sparql",
      "outboxSparql": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2\/outbox\/sparql",
      "identifier": "4ee107d9-753b-43a8-a952-3d6571487cf2",
      "version": {
        "type": "xsd:long",
        "@value": "1"
      },
      "inbox": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2\/inbox",
      "outbox": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2\/outbox",
      "preferredUsername": "4ee107d9-753b-43a8-a952-3d6571487cf2",
      "@context": [
        "https:\/\/schema.org\/docs\/jsonldcontext.json",
        "https:\/\/www.w3.org\/ns\/activitystreams",
        "https:\/\/rdf-pub.org\/schema\/rdf-pub-context.json"
      ]
    }

  9. And AndStatus decided that this is metadata of some other Person: These are credentials of another account: 4ee107d9-753b-43a8-a952-3d6571487cf2@dev.rdf-pub.org/ActivityPub account name: andstatus@dev.rdf-pub.org/ActivityPub vs username: 4ee107d9-753b-43a8-a952-3d6571487cf2

So the Account verification failed and the account was not added to AndStatus app. No wonder. I also don't see any clue that this is my Actor's object...
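The two checks this thread runs into, the isValid rule quoted earlier and the "credentials of another account" comparison between the configured account name and the whoami Person object, modelled as an added example (not AndStatus or rdf-pub code; the Person field names come from the thread, the dataclasses and the host check are a simplification):

```python
"""Added model of AndStatus-style account validation: the isValid rule
from the thread plus the username/host comparison against the whoami
Person object. Not project code; WHOAMI_PERSON is a constructed copy."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Actor:
    actor_id: int      # 0 means "not persisted yet" (see "id: 0" in the log)
    oid: str           # ActivityPub actor id URL; empty until whoami succeeds
    username: str


@dataclass
class MyAccount:
    account_name: str  # "user@host/Origin", as in the log
    actor: Actor
    has_connection: bool = True
    deleted: bool = False

    @property
    def is_valid(self) -> bool:
        # Mirrors the Kotlin isValid getter quoted in the thread.
        user, sep, host_origin = self.account_name.partition("@")
        name_ok = bool(user) and bool(sep) and "/" in host_origin
        return (not self.deleted and self.actor.actor_id != 0
                and self.has_connection and name_ok and self.actor.oid != "")


def split_account_name(account_name: str) -> tuple:
    """'andstatus@dev.rdf-pub.org/ActivityPub' -> ('andstatus', 'dev.rdf-pub.org')"""
    user, _, rest = account_name.partition("@")
    return user, rest.split("/", 1)[0]


def check_whoami(account_name: str, person: dict) -> tuple:
    """Return (accepted, reason). Rejects when preferredUsername is not the
    configured username, or when the actor id lives on a different host."""
    user, host = split_account_name(account_name)
    preferred = person.get("preferredUsername", "")
    if preferred != user:
        return False, (f"These are credentials of another account: "
                       f"{preferred}@{host} vs username: {user}")
    actor_host = urlparse(person.get("id", "")).hostname or ""
    if actor_host != host:
        return False, f"actor id host {actor_host!r} does not match {host!r}"
    return True, "ok"


# Constructed, trimmed copy of the Person object quoted in the thread.
WHOAMI_PERSON = {"id": "https://dev.rdf-pub.org/actor/4ee107d9-753b-43a8-a952-3d6571487cf2",
                 "type": "Person", "preferredUsername": "4ee107d9-753b-43a8-a952-3d6571487cf2"}
```

With preferredUsername set to "andstatus" instead of the Keycloak subject UUID, the same object passes the check.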

naturzukunft commented 6 months ago

I'm not sure if this is correct. 4ee107d9-753b-43a8-a952-3d6571487cf2 is the user id which is in the subject claim of the token. It's the user id of your user in Keycloak. If you request it via webfinger you get https://dev.rdf-pub.org/actor/4ee107d9-753b-43a8-a952-3d6571487cf2

I think that is valid.

I'm wondering why preferredUsername is 4ee107d9-753b-43a8-a952-3d6571487cf2.

naturzukunft commented 6 months ago

(image)

naturzukunft commented 6 months ago

rdf-pub is not working with usernames, because it's terrible if the username is changing! Then all subjects are wrong.

yvolk commented 6 months ago

rdf-pub is not working with usernames, because it's terrible if the username is changing! Then all subjects are wrong.

Ok. But preferredUsername should be "andstatus" in this object anyway, I think.

naturzukunft commented 6 months ago

Yes, of course. That's a bug.

On 11 December 2023 20:04:53 CET, Yuri Volkov @.***> wrote:

rdf-pub is not working with usernames, because it's terrible if the username is changing! Then all subjects are wrong.

Ok. But preferredUsername should be "andstatus" in this object anyway, I think.

naturzukunft commented 6 months ago

But... I'm thinking about making the preferred username independent of the OAuth2 server. Because if different OAuth2 servers are offered for authentication, the preferred username from the JWT is no longer unique. The same goes for the userId, which in rdf-pub is currently the id from the OAuth2 server. It is possible that I will introduce a mapping here too.

Thanks for supporting me and rdf-pub. I'm

I will not be available from 14.12. to 17.12.