Open naturzukunft opened 7 months ago
Hello @naturzukunft As I see, the code of the part that says "Invalid account..." simply confirms that the previous steps didn't complete the creation of a new account:
val isValid: Boolean
    get() {
        // Every earlier step must have succeeded: actor resolved, connection set up,
        // account name valid and the actor's OID known.
        return (!deleted
            && actor.actorId != 0L && connection.nonEmpty && data.accountName.isValid
            && actor.oid.isNotEmpty())
    }
Please configure verbose logging in the Troubleshooting section of Settings and look up possible problems in the log (or send it to me for investigation).
@naturzukunft It may help if you create an account for "andstatus" at your server so I could test it myself!
@yvolk you can register a user here: https://login.m4h.network/auth/realms/LOA/login-actions/registration?client_id=account-console&tab_id=csiOMexnQRQ
@naturzukunft OK, I registered andstatus@gmail.com there, but in order to access your dev server I need to register something like "andstatus@dev.rdf-pub.org" ?!
I have to check and think about it...
The server was not running. What exactly (which endpoint) do you call?
rdf-pub creates the actor profile if the authenticated actor is calling its profile for the first time. So if you try to access the profile as an anonymous user before that, it's not available. But the whoami should work after registration.
Info: you can check whether the server is up with https://dev.rdf-pub.org/actuator/health
That's working: curl --location --request GET 'https://dev.rdf-pub.org/.well-known/webfinger?resource=andstatus'
@naturzukunft Did you try to connect with the AndStatus app? I'm trying and it's failing at the Client registration step:
{
  "redirect_uris": [
    "http:\/\/oauth-redirect.andstatus.org"
  ],
  "client_name": "AndStatus",
  "client_uri": "http:\/\/andstatus.org\/andstatus",
  "logo_uri": "http:\/\/andstatus.org\/images\/andstatus-logo.png",
  "scope": "read write follow",
  "policy_uri": "https:\/\/github.com\/andstatus\/andstatus\/blob\/master\/doc\/Privacy-Policy.md"
}
and gets:
Registration failed with Status code: FORBIDDEN; hard; Error='insufficient_scope'; ; statusCode:FORBIDDEN (403); url:'https://login.m4h.network/auth/realms/LOA/clients-registrations/openid-connect'; response:'{"error":"insufficient_scope","error…'
@naturzukunft Did you try to connect with the AndStatus app?
Yes, that was working, after I did some settings in Keycloak. I added *.andstatus.org to trusted hosts.
If I do a ping andstatus.org I get
64 bytes from www.andstatus.org (185.87.193.233): icmp_seq=1 ttl=52 time=63.0 ms
The request that produces the error above comes from 37.204.0.215?
Fredy
If I do
curl --location --request POST 'https://login.m4h.network/auth/realms/LOA/clients-registrations/openid-connect' \
--header 'Content-Type: application/json' \
--data-raw '{
  "redirect_uris": [
    "http://oauth-redirect.andstatus.org"
  ],
  "client_name": "AndStatus",
  "client_uri": "http://andstatus.org/andstatus",
  "logo_uri": "http://andstatus.org/images/andstatus-logo.png",
  "scope": "read write follow",
  "policy_uri": "https://github.com/andstatus/andstatus/blob/master/doc/Privacy-Policy.md"
}'
I get
{
  "error": "insufficient_scope",
  "error_description": "Policy 'Trusted Hosts' rejected request to client-registration service. Details: Host not trusted."
}
That's OK, because my notebook is not a trusted device.
I think that was your request:
If 37.204.0.215 is your dev machine, I can add it to trusted hosts!
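To make the rejection above concrete, here is an added example in Go. It is not Keycloak's code and not part of this thread; it models the host check of a trusted-hosts client-registration policy of the kind the error text names. The DNS tables (forwardDNS, reverseDNS), the TrustedHostPolicy type and the accepted-response body are constructed for the example; the two addresses and the registration body are the ones quoted in the thread. What it shows is that this kind of check looks only at the address the registration request arrives from, not at client_uri or redirect_uris in the body: a *.andstatus.org entry admits a request from the andstatus.org server, while the same body sent by the app from a developer's own connection is rejected until that address is listed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed stand-in for DNS; no real lookups happen. 185.87.193.233 is the
// ping result quoted in the thread, 37.204.0.215 the source of the rejected
// request (it has no PTR record here).
var forwardDNS = map[string][]string{
	"andstatus.org":     {"185.87.193.233"},
	"www.andstatus.org": {"185.87.193.233"},
}
var reverseDNS = map[string]string{"185.87.193.233": "www.andstatus.org"}

// RegistrationRequest holds the RFC 7591 fields AndStatus posts.
type RegistrationRequest struct {
	RedirectURIs []string `json:"redirect_uris"`
	ClientName   string   `json:"client_name"`
	ClientURI    string   `json:"client_uri"`
	Scope        string   `json:"scope"`
}

// PolicyError is the JSON body a rejected registration gets back.
type PolicyError struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}

// TrustedHostPolicy admits a registration on the network origin of the request
// alone. "*.example.org" entries are matched against the reverse-resolved name
// of the requester; plain host names are forward-resolved and compared with the
// requester's address; literal IPs are compared directly.
type TrustedHostPolicy struct {
	Trusted []string
}

func (p TrustedHostPolicy) hostTrusted(remoteAddr string) bool {
	for _, t := range p.Trusted {
		if strings.HasPrefix(t, "*.") {
			if name := reverseDNS[remoteAddr]; name != "" && strings.HasSuffix(name, t[1:]) {
				return true
			}
			continue
		}
		if t == remoteAddr {
			return true
		}
		for _, a := range forwardDNS[t] {
			if a == remoteAddr {
				return true
			}
		}
	}
	return false
}

// Register evaluates the policy and returns the HTTP status and body. The body
// is parsed, but client_uri and redirect_uris play no part in the host decision:
// only remoteAddr does, which is why "*.andstatus.org" did not help a request
// sent from a developer's machine.
func (p TrustedHostPolicy) Register(remoteAddr string, body []byte) (int, string) {
	var req RegistrationRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return 400, `{"error":"invalid_client_metadata"}`
	}
	if !p.hostTrusted(remoteAddr) {
		out, _ := json.Marshal(PolicyError{
			Error:            "insufficient_scope",
			ErrorDescription: "Policy 'Trusted Hosts' rejected request to client-registration service. Details: Host not trusted.",
		})
		return 403, string(out)
	}
	// Accepted; a real server would now mint client_id / client_secret.
	return 201, fmt.Sprintf(`{"client_name":%q,"client_uri":%q}`, req.ClientName, req.ClientURI)
}

// andStatusBody is the registration AndStatus sends, copied from the thread.
const andStatusBody = `{
  "redirect_uris": ["http://oauth-redirect.andstatus.org"],
  "client_name": "AndStatus",
  "client_uri": "http://andstatus.org/andstatus",
  "scope": "read write follow"
}`

func main() {
	policy := TrustedHostPolicy{Trusted: []string{"*.andstatus.org"}}
	for _, ip := range []string{"185.87.193.233", "37.204.0.215"} {
		status, resp := policy.Register(ip, []byte(andStatusBody))
		fmt.Printf("from %s: %d %s\n", ip, status, resp)
	}
	// The thread's fix: add the developer's (non-static) address explicitly.
	policy.Trusted = append(policy.Trusted, "37.204.0.215")
	status, _ := policy.Register("37.204.0.215", []byte(andStatusBody))
	fmt.Println("after adding 37.204.0.215:", status)
}
```

The practical consequence is the one the thread runs into: an entry like *.andstatus.org covers machines that reverse-resolve into that domain, and a developer on a dynamic address has to be listed (and re-listed when the address changes) or handed an initial access token instead of relying on the host list.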
Yes, currently this is my IP (but it's not static...)
I added it. Try again. If it changes, I have to add the new one ;-(
@naturzukunft 1. Client registration succeeded.
12-03 12:00:34.999 I/VerifyCredentials2626: A connection error occurred Status code: INTERNAL_SERVER_ERROR; hard; URL: https://dev.rdf-pub.org/api/whoami; Caused by Status code: INTERNAL_SERVER_ERROR; hard; ; statusCode:INTERNAL_SERVER_ERROR (500); url:'https://dev.rdf-pub.org/api/whoami'; response:'{ "reason" : "Internal Server Error…'
ResourceAccessException: I/O error on GET request for "https://login.m4h.network/auth/realms/LOA/protocol/openid-connect/certs": login.m4h.network; nested exception is java.net.UnknownHostException: login.m4h.network
I have to do some setup to access the whoami endpoint from Postman. I also have trouble accessing Keycloak from Postman. I have to contact my Keycloak admin. Sorry.
^ Tomorrow he will take a look at it.
Info: The admin unfortunately got sick and is still in bed
Today I was able to request a JWT again! Let me know if I should add a new IP address to trusted hosts.
Hello @naturzukunft ! I see my IP didn't change yet.
I tested once again
{
  "id": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2",
  "type": "Person",
  "inboxSparql": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2\/inbox\/sparql",
  "outboxSparql": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2\/outbox\/sparql",
  "identifier": "4ee107d9-753b-43a8-a952-3d6571487cf2",
  "version": {
    "type": "xsd:long",
    "@value": "1"
  },
  "inbox": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2\/inbox",
  "outbox": "https:\/\/dev.rdf-pub.org\/actor\/4ee107d9-753b-43a8-a952-3d6571487cf2\/outbox",
  "preferredUsername": "4ee107d9-753b-43a8-a952-3d6571487cf2",
  "@context": [
    "https:\/\/schema.org\/docs\/jsonldcontext.json",
    "https:\/\/www.w3.org\/ns\/activitystreams",
    "https:\/\/rdf-pub.org\/schema\/rdf-pub-context.json"
  ]
}
These are credentials of another account: 4ee107d9-753b-43a8-a952-3d6571487cf2@dev.rdf-pub.org/ActivityPub (account name: andstatus@dev.rdf-pub.org/ActivityPub vs. username: 4ee107d9-753b-43a8-a952-3d6571487cf2).
So the Account verification failed and the account was not added to AndStatus app. No wonder. I also don't see any clue that this is my Actor's object...
I'm not sure if this is correct. 4ee107d9-753b-43a8-a952-3d6571487cf2 is the user id which is in the subject claim of the token. It's the user id of your user in Keycloak. If you request via webfinger you get https://dev.rdf-pub.org/actor/4ee107d9-753b-43a8-a952-3d6571487cf2
I think that is valid.
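Two statements in this thread belong to the same piece of the resource server: the 500 from /api/whoami that appeared when rdf-pub could not resolve login.m4h.network to fetch the issuer's certs, and the point just made that the token's subject claim is what becomes the actor id. Below is an added example in Go that shows that verification path end to end. It is not rdf-pub's or Keycloak's code; the names KeySet, KeyFetcher, Verifier and NewSample are assumptions made for the example, the key fetch is injected as a function so the unreachable-issuer case runs offline, and NewSample mints a throwaway RSA key and signs a token for the thread's subject value the way an issuer would, so every value is constructed. The issuer URL and the subject id are the ones quoted in the thread.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// From the thread (constructed use): the Keycloak realm as issuer, and the user id
// that is the token's "sub" claim and the tail of the rdf-pub actor URL.
const (
	issuer  = "https://login.m4h.network/auth/realms/LOA"
	subject = "4ee107d9-753b-43a8-a952-3d6571487cf2"
)

// KeySet is what a verifier builds from GET <issuer>/protocol/openid-connect/certs
// (each JWK's n/e as an rsa.PublicKey, by kid); KeyFetcher stands in for that GET.
type KeySet map[string]*rsa.PublicKey
type KeyFetcher func(issuer string) (KeySet, error)

var ErrKeysUnavailable = errors.New("issuer keys unavailable") // nothing fetched, nothing cached: answer 503 (or 401), never 500

type Verifier struct {
	Issuer string
	Fetch  KeyFetcher
	cache  KeySet // filled on the first successful fetch, survives later failures
}

var enc = base64.RawURLEncoding

// Subject verifies an RS256 bearer token and returns its "sub" claim, the value
// rdf-pub uses as actor identifier. Nothing is trusted before the signature is.
func (v *Verifier) Subject(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	hb, err := enc.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil {
		return "", errors.New("malformed token")
	}
	if hdr.Alg != "RS256" { // pin the algorithm: no "none", no HS256 key confusion
		return "", errors.New("unexpected alg")
	}
	key := v.cache[hdr.Kid]
	if key == nil { // cache miss: fetch the issuer's current keys, fail closed if that fails
		set, err := v.Fetch(v.Issuer)
		if err != nil {
			return "", fmt.Errorf("%w: %v", ErrKeysUnavailable, err)
		}
		v.cache = set
		if key = set[hdr.Kid]; key == nil {
			return "", errors.New("unknown kid")
		}
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("invalid signature")
	}
	var claims struct {
		Iss, Sub string
		Exp      int64
	}
	pb, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &claims) != nil {
		return "", errors.New("bad payload")
	}
	if claims.Iss != v.Issuer || claims.Sub == "" || now.Unix() >= claims.Exp {
		return "", errors.New("issuer, subject or expiry check failed")
	}
	return claims.Sub, nil
}

// NewSample mints a throwaway issuer key, signs a token for the thread's subject
// as the issuer would, and returns a fetcher serving that key (all constructed).
func NewSample() (string, KeyFetcher) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "k1"})
	pb, _ := json.Marshal(map[string]interface{}{"iss": issuer, "sub": subject, "exp": time.Now().Add(time.Hour).Unix()})
	signing := enc.EncodeToString(hb) + "." + enc.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + enc.EncodeToString(sig), func(string) (KeySet, error) { return KeySet{"k1": &priv.PublicKey}, nil }
}

func main() {
	token, fetch := NewSample()
	v := &Verifier{Issuer: issuer, Fetch: fetch}
	sub, err := v.Subject(token, time.Now())
	fmt.Println("actor:", "https://dev.rdf-pub.org/actor/"+sub, err)
	// The thread's failure: the certs host does not resolve and nothing is cached yet.
	down := &Verifier{Issuer: issuer, Fetch: func(string) (KeySet, error) { return nil, errors.New("UnknownHostException: login.m4h.network") }}
	_, err = down.Subject(token, time.Now())
	fmt.Println("keys unreachable:", err, "| answer 503, not 500:", errors.Is(err, ErrKeysUnavailable))
}
```

Two design points are worth carrying over to a real resource server. First, an unreachable issuer with an empty key cache surfaces as a distinguishable ErrKeysUnavailable that the HTTP layer maps to 503 (or 401 with a WWW-Authenticate challenge), not to a bare 500 as at /api/whoami above; once keys are cached, a later fetch failure does not break verification of tokens signed with a known kid. Second, sub is only used as the actor identifier after the algorithm, signature, issuer and expiry checks have all passed, which is what makes the URL https://dev.rdf-pub.org/actor/<sub> safe to derive from a bearer token.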
I'm wondering why preferredUsername is 4ee107d9-753b-43a8-a952-3d6571487cf2.
rdf-pub does not work with usernames, because it's terrible if the username changes! Then all subjects are wrong.
Ok. But preferredUsername should be "andstatus" in this object anyway, I think.
Yes, of course. That's a bug.
But... I'm thinking about making the preferred username independent of the OAuth2 server. Because if different OAuth2 servers are offered for authentication, the preferred username from the JWT is no longer unique. The same goes for the userId, which in rdf-pub is currently the id from the OAuth2 server. It is possible that I will introduce a mapping here too.
Thanks for supporting me and rdf-pub. I'm
I will not be available from 14.12. to 17.12.
I have now provided the whoami endpoint, then I come across this error: