-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Non-oauth compliant authentication flow? #670
Comments
Mastodon's oauth implementation sadly tends not to be fully compliant with the spec, and I believe this is one such case:
We've already added a few workarounds to make Mastodon clients happy, so this would need to be one such workaround; I don't have the time to go do it myself, but I'd welcome a pull request that tackled it. |
I would be happy to work on a PR! Any pointers to the workarounds you already added so I have a place to start? |
It's pretty much all contained in https://github.com/jointakahe/takahe/blob/main/api/views/oauth.py - we have our own oauth backend almost entirely because of the implementation being weird. |
If it's not following redirects, the same view can be served with-and-without the / by changing: path("oauth/authorize", oauth.AuthorizationView.as_view()) to something like re_path(r"oauth/authorize/?$", oauth.AuthorizationView.as_view()) |
@TkTech yup! I'll wait for @frankdilo to double check this 😊 |
@patrick91 this is my auth code
it it possible there is a redirect in between and we are losing the body of the request? |
ok, I've take a look at the code for oauth lib and didn't find any place where it adds a slash :) I think @frankdilo your code might be adding the slash when you're trying to get the token (so after the login). I've added some logs: The user agent is {
"grant_type": "authorization_code",
"client_id": "tk-abc",
"client_secret": "abc",
"code": "abc",
"redirect_uri": "https://api.typefully.com/mastodon/accounts/connect/end/"
} In any case making the slash optional fixes it, so @TkTech maybe we can just do that? |
ok, I've tested the url change, with my current server and it worked 😊 |
…follow redirects. (jointakahe#670)
I am trying to integrate takahe with Typefully which recently added Mastodon support, but connecting accounts is failing at the last step of the oauth proces, when the client tries to fetch the token. https://share.cleanshot.com/kLCMYtcM
I am seeing an error in our Python backend:
I traced it down to this Python implementation of oauth.
Looking at the responses I get from a standard Mastodon server, it seems that they put the redirect URI with the token in the body of the response, while Takahe only puts it in the location header (notice the empty response body compared to the Mastodon Social response).
The text was updated successfully, but these errors were encountered: