Help getting started with Rodauth + Omniauth - API Only (Client Secret Missing?)

[mdodell]

Hey @janko! Thanks for the great library. I started this conversation in rodauth-rails before finding this gem shortly after. I am trying to get this working with LinkedIn Omniauth, and would love some help! I created two local repositories - a NextJS application, and a Rodauth Rails app.

Resources

• Client App Repo
• Rodauth API App

My Use Cases

I want to use Rodauth as an API Only Rails app that does the following:
1.) Allows me to get user information from LinkedIn
2.) Allows me to create accounts from LinkedIn
3.) Allows me to let users who have previously created an account with their LinkedIn Credentials to log in
4.) Allows me to persist login

What I've Tried

I have made a client app, that creates an authorization URL, following the spec of the LinkedIn API.

Then, I created a Rodauth app. I followed the README in rodauth-rails for a JSON API. I also added a cookie store. I then added the rodauth-omniauth gem, in addition to the omniauth-linkedin-2 gem, following all steps of the README in this repository.

You can find my backend app here.

I made a POST request to my backend app at auth/linkedin, which returns an authorization URL. The response looks like:

{
    authorize_url: "http://localhost:3000/auth/linkedin/callback?code=CODE&state=STATE"
}

Which I then open in a new tab from my client.

However, that page gives me an error:

{
error_type: "invalid_credentials",
error: "There was an error logging in with the external provider"
}

It says that the client secret is missing. I do specifiy that in the omniauth_provider in rodauth_main here (I replaced my personal secret for security reasons in this Github repo). Here is what the log looks like:

D, [2023-01-12T21:33:49.345876 #95996] DEBUG -- omniauth: (linkedin) Request phase initiated.
Started GET "/auth/linkedin/callback?code=CODE&state=STATE" for ::1 at 2023-01-12 21:33:50 -0500
D, [2023-01-12T21:33:50.855945 #95996] DEBUG -- omniauth: (linkedin) Setup endpoint detected, running now.
D, [2023-01-12T21:33:50.856107 #95996] DEBUG -- omniauth: (linkedin) Callback phase initiated.
E, [2023-01-12T21:33:51.035184 #95996] ERROR -- omniauth: (linkedin) Authentication failure! invalid_credentials: OAuth2::Error, invalid_request: A required parameter "client_secret" is missing
{"error":"invalid_request","error_description":"A required parameter \"client_secret\" is missing"}

[janko]

Just to be clear, you're getting the error about a missing client_secret only when using rodauth-omniauth, it doesn't occur when using OmniAuth directly? I honestly don't know how this gem could cause that kind of issue 🤔

You could verify that client_secret is indeed missing in the setup phase, you can put this in your Rodauth configuration:

omniauth_setup do
  p omniauth_strategy.options["client_secret"]
end

I'm assuming it will be nil. In that case, are you sure the secret is actually present in ENV/credentials?

[mdodell]

It was not nil - it printed just fine. I pushed up the code to now use Rails.application.credentials. My credentials file looked like this:

linkedin:
    client_id: "SOME SECRET ID"
    client_secret: "SOME SECRET CLIENT"

I confirmed they were in Rails.application.credentials by checking that manually in the rails console, and then by doing what you suggested. They appeared both times.

I haven't used Omniauth directly. Would you suggest doing that? Ideally I'd like to stay in the Rodauth-Rails ecosystem.

[janko]

OK, thanks for the info. I suggested using OmniAuth directly just to determine whether the issue is in rodauth-omniauth, or OmniAuth strategy configuration itself. If there is a bug in rodauth-omniauth that incorrectly configures the strategy, I would like to somehow prove it or rule it out. Because at the moment I don't know where to look. I could try setting it up myself and try to reproduce it, I just don't know how much work there is to create an OAuth app on the LinkedIn side.

[mdodell]

It looks like after doing some digging, this error stems from the omniauth-linkedin-2 library. There is an outstanding issue here: decioferreira/omniauth-linkedin-oauth2#68.

The fix for me was to add an initializer in config/initializers:

module OmniAuth
  module Strategies
    class LinkedIn < OmniAuth::Strategies::OAuth2
      def token_params
        super.tap do |params|
          params.client_secret = options.client_secret
        end
      end
    end
  end
end

Thanks for the debugging help Janko! I may have more questions about this new gem, but I'll leave them for another discussion. You're the best!

[janko]

No problem, glad you found a solution 🙂