Friendica OAuth authentication for SPIP CMS
I installed a Friendica instance (say "friendica.site") and a SPIP website (a CMS, cf. https://spip.net ) and its Mastodon plugin ( https://git.spip.net/spip-contrib-extensions/mastodon ).
Using that plugin, I can send messages to the Friendica instance, but I need the plugin to OAuth into Friendica for further features.
To do so, I installed the oauthprovider addon https://github.com/bmillwood/friendica-oauthprovider
When declaring the account in the SPIP plugin config page, I'm redirected to friendica.site and asked whether I accept OAuth. I agree. The newly accepted "SpipToMastodon" app appears in the addon config page friendica.site/admin/addon/oauthprovider: everything seems OK.
Then there is a redirect toward the SPIP plugin config page, and an error happens, because the process tries to fetch the following URL: friendica.site/api/v1/accounts/verify_credentials?access_token=64ee5f2etc...
and Friendica's `getUserIdByAuth` method fails with the error « Unauthorized / This API requires login » and sends a 401 HTTP code back... The SPIP plugin fails.
I see that when trying that URL directly in the browser, it asks for an interactive HTTP login and password! When I enter my login and password, I then get a nice JSON with my user data.
When trying that URL on Mastodon sites in the browser (with adapted access_tokens), I do not have to interactively enter my login and password: the feedback URL is immediately accepted and JSON data is provided.
It looks like the access_token enables this for Mastodon, but not for Friendica.
In Friendica's code, the PHPDoc says « An addon indicates successful login by setting 'authenticated' to non-zero value and returning a user record » relating to `Hook::callAll('authenticate', $addon_auth);`. Is this some kind of pipelined operation that the oauthprovider addon should implement, using the access_token?
On the SPIP plugin side, is there something to be done so the plugin accommodates Friendica's verify_credentials page?
JLuc
in reply to JLuc
Progress on the issue:
- according to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6750#section-5.3 , the bearer access_token « SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations. »
Friendica does this right. It looks like Mastodon wrongly accepts the token as a URL argument. (Surprising, isn't it?)
I will propose a fix for the SPIP plugin so it can pass the access_token in the Authorization header, for both Friendica and Mastodon, and hopefully other creatures of the fediverse.
#friendica #mastodon #spip #security
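The two ways of sending the token discussed in this thread, as an added example that is not code from the SPIP mastodon plugin, from Friendica or from Mastodon. It builds the `verify_credentials` request once with `access_token` in the query string (the form that got the 401) and once with an `Authorization: Bearer` header (RFC 6750 section 2.1), then runs both through a hypothetical server-side token extractor and through a mock of what a web server access log records. The hostname `friendica.site`, the token value, and the functions `extract_bearer`, `verify_credentials_status` and `simulate_access_log` are all placeholders written for this illustration; `accept_query=False` only models the behaviour reported above for Friendica (header-only), `accept_query=True` the behaviour reported for Mastodon.

```python
"""Bearer token in the Authorization header vs. in the query string (RFC 6750).

Added example; not the SPIP plugin's, Friendica's or Mastodon's own code.
All names below are illustrative: friendica.site is a placeholder host,
the token is a made-up value, and extract_bearer() is a hypothetical stand-in
for a server's token lookup, not Friendica's getUserIdByAuth().
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Placeholder endpoint; the path is the one quoted in the thread.
VERIFY_URL = "https://friendica.site/api/v1/accounts/verify_credentials"


def build_query_token_request(base_url, token):
    """The form the plugin used: token appended as ?access_token=...
    RFC 6750 section 5.3 says bearer tokens SHOULD NOT travel in page URLs."""
    parts = urlsplit(base_url)
    query = parse_qs(parts.query)
    query["access_token"] = [token]
    url = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    return Request(url, method="GET")


def build_header_token_request(base_url, token):
    """RFC 6750 section 2.1: 'Authorization: Bearer <token>' request header."""
    req = Request(base_url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def extract_bearer(headers, query_string, accept_query=False):
    """Hypothetical server-side extraction. Returns the token or None (-> 401).

    accept_query=False: only the Authorization header counts (as reported
    for Friendica in the thread). accept_query=True: also honour the
    access_token query parameter (as reported for Mastodon)."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    if accept_query:
        candidates = parse_qs(query_string).get("access_token")
        if candidates:
            return candidates[0]
    return None


def verify_credentials_status(request, accept_query=False):
    """Status the hypothetical server would answer for this request: 200 or 401."""
    parts = urlsplit(request.full_url)
    token = extract_bearer(dict(request.header_items()), parts.query, accept_query)
    return 200 if token else 401


def simulate_access_log(request):
    """What an access log (or browser history) keeps of the request: the request
    line including the full query string, headers not included."""
    parts = urlsplit(request.full_url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f"GET {target} HTTP/1.1"


if __name__ == "__main__":
    token = "abc123placeholdertoken"  # constructed value, not a real token
    for label, req in (("query string", build_query_token_request(VERIFY_URL, token)),
                       ("Authorization header", build_header_token_request(VERIFY_URL, token))):
        print(f"{label}:")
        print("  header-only server (Friendica-like) ->",
              verify_credentials_status(req, accept_query=False))
        print("  query-tolerant server (Mastodon-like) ->",
              verify_credentials_status(req, accept_query=True))
        print("  access log line:", simulate_access_log(req))
```

The header form gets 200 from both server models, and the token never reaches the access log line; the query-string form only works against the query-tolerant model and leaves the token in every log and history entry. The corresponding change in the plugin is simply to set that `Authorization` header on the outgoing HTTP request instead of appending `access_token` to the URL.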