support OAUTHBEARER

Open slingamn opened this issue 3 years ago • 11 comments
https://emersion.fr/blog/2022/irc-and-oauth2/

In terms of ergo, all we need to do is:

  1. Add a config option (to the auth-script block?) to enable advertising the OAUTHBEARER mechanism
  2. Modify authenticateHandler to process OAUTHBEARER by forwarding it to an auth-script
  3. Extend the auth-script protocol to take an additional oauthbearer field in the input (the output type is already sufficiently expressive)

slingamn avatar Oct 07 '22 17:10 slingamn
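Worked through end to end, the three steps above come down to: decode the AUTHENTICATE chunk, parse the RFC 7628 initial response, and hand the bearer token to the auth-script, which returns the usual success/accountName/error verdict. The following is an added example and not Ergo's code: the auth-script field names ("oauthbearer", "token", "authzid", "ip", "success", "accountName", "error"), the INTROSPECTION table standing in for the identity provider, and the sample tokens are all assumptions made for the example.

```python
"""SASL OAUTHBEARER (RFC 7628) for an IRC server that delegates to an auth-script.

Added example, not Ergo's code. The client builds an AUTHENTICATE chunk, the server
parses it and forwards the bearer token to the auth-script, which decides. The
auth-script JSON field names and the INTROSPECTION table are assumptions.
"""
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional

SEP = b"\x01"  # RFC 7628 writes this separator as ^A


@dataclass
class OAuthBearerRequest:
    authzid: Optional[str]  # GS2 authorization identity, if the client sent one
    token: str              # bearer token from the "auth" kv-pair
    host: Optional[str]
    port: Optional[str]


def client_initial_response(token, authzid=None, host=None, port=None) -> str:
    """Client side: base64 of  n,a=<authzid>,^Ahost=<h>^Aport=<p>^Aauth=Bearer <tok>^A^A"""
    # saslname escaping: '=' -> =3D and ',' -> =2C, so the GS2 header stays parseable
    gs2 = "n," + (f"a={authzid.replace('=', '=3D').replace(',', '=2C')}" if authzid else "") + ","
    pairs = ([f"host={host}"] if host else []) + ([f"port={port}"] if port else [])
    pairs.append(f"auth=Bearer {token}")
    msg = gs2.encode() + SEP + SEP.join(p.encode() for p in pairs) + SEP + SEP
    return base64.b64encode(msg).decode()


def parse_oauthbearer(raw: bytes) -> OAuthBearerRequest:
    """Server side: parse the decoded initial response, rejecting anything malformed."""
    if not raw.startswith(b"n,"):
        raise ValueError("OAUTHBEARER requires GS2 flag 'n' (no channel binding)")
    header_end = raw.find(b",", 2)
    if header_end < 0:
        raise ValueError("unterminated GS2 header")
    authz_field, authzid = raw[2:header_end], None
    if authz_field:
        if not authz_field.startswith(b"a=") or SEP in authz_field:
            raise ValueError("malformed GS2 authzid")
        authzid = authz_field[2:].decode("utf-8").replace("=2C", ",").replace("=3D", "=")
    body = raw[header_end + 1:]
    if not body.startswith(SEP) or not body.endswith(SEP + SEP):
        raise ValueError("kv-pairs must be ^A-delimited and end with ^A^A")
    fields = {}
    for pair in body[1:-2].split(SEP):
        key, eq, value = pair.partition(b"=")
        if not key or not eq:
            raise ValueError("malformed kv-pair")
        fields[key.decode("ascii")] = value.decode("utf-8")
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("auth kv-pair must be 'Bearer <token>'")
    return OAuthBearerRequest(authzid, token, fields.get("host"), fields.get("port"))


# Constructed stand-in for the identity provider's token introspection endpoint
# (RFC 7662); a real auth-script would call the provider or verify a signed JWT.
INTROSPECTION = {
    "tok-alice-valid":   {"active": True, "username": "alice", "aud": "ergo", "exp": 2_000_000_000},
    "tok-bob-expired":   {"active": True, "username": "bob", "aud": "ergo", "exp": 1_000_000_000},
    "tok-eve-wrong-aud": {"active": True, "username": "eve", "aud": "other-app", "exp": 2_000_000_000},
}


def auth_script(input_json: str, now: Optional[float] = None, audience: str = "ergo") -> dict:
    """The auth-script's decision on the extended input (assumed field names)."""
    bearer = json.loads(input_json).get("oauthbearer")
    if not bearer:
        return {"success": False, "error": "no OAUTHBEARER credentials in input"}
    info = INTROSPECTION.get(bearer["token"])
    now = time.time() if now is None else now
    if info is None or not info["active"]:
        return {"success": False, "error": "token unknown or revoked"}
    if info["exp"] <= now:
        return {"success": False, "error": "token expired"}
    if info["aud"] != audience:  # a token minted for another app must not log in here
        return {"success": False, "error": "token audience mismatch"}
    authzid = bearer.get("authzid")
    if authzid and authzid != info["username"]:  # no impersonation via the GS2 header
        return {"success": False, "error": "authzid does not match token subject"}
    return {"success": True, "accountName": info["username"]}


def handle_authenticate(b64_payload: str, client_ip: str, now: Optional[float] = None) -> dict:
    """Server side: decode the AUTHENTICATE chunk and forward it to the auth-script."""
    try:
        req = parse_oauthbearer(base64.b64decode(b64_payload, validate=True))
    except ValueError as e:  # binascii.Error from bad base64 is a ValueError too
        return {"success": False, "error": f"malformed OAUTHBEARER response: {e}"}
    script_input = json.dumps({"accountName": req.authzid or "", "ip": client_ip,
                               "oauthbearer": {"token": req.token, "authzid": req.authzid}})
    return auth_script(script_input, now=now)


def failure_response(status: str = "invalid_token") -> str:
    """RFC 7628 s3.2.2: the server sends this on failure; the client answers with a lone ^A."""
    return base64.b64encode(json.dumps({"status": status}, separators=(",", ":")).encode()).decode()
```

The checks that matter live in the auth-script: expiry, audience (a token issued for another application must not log a user into the IRC server), and agreement between the optional GS2 authzid and the token's subject, so a client cannot name one account while presenting another account's token. The server side only validates the framing and never reads the token itself.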

See #336 and #502 for related prior discussions.

slingamn avatar Oct 07 '22 17:10 slingamn

Is anyone working on this at all? 🤔

prologic avatar Nov 18 '23 04:11 prologic

I started a draft but didn't finish it. Is this something you're interested in? I could prioritize it for the next release.

slingamn avatar Nov 18 '23 23:11 slingamn

@slingamn Yes! 👌 Please 🙏 I'm looking to potentially do the following:

This should enable me to stand up a mostly decent small team/startup chat/comms platform that is fully self-hosted without the issues I've been facing with Matrix (Synapse+Element).

prologic avatar Nov 19 '23 01:11 prologic

Nice, I'll plan to do this soon. You could help test :-)

slingamn avatar Nov 19 '23 17:11 slingamn

Absolutely! 🙏🙇‍♂️

prologic avatar Nov 20 '23 07:11 prologic

@prologic sorry about the delay; I have a draft of this over at #2122. (See the changes to default.yaml for how to enable the feature.)

I successfully tested with Gamja and a local Authelia, but I had to patch out a couple checks in Authelia's libs relating to Gamja-Authelia interactions (i.e. unrelated to Ergo's OAUTHBEARER implementation itself):

  1. A CSRF check here: https://github.com/ory/fosite/blob/f4114878826c6d26b6751a1ea61f69ebbc25d4f2/authorize_request_handler.go#L401-L410
  2. Redirect URI validation here: https://github.com/ory/fosite/blob/f4114878826c6d26b6751a1ea61f69ebbc25d4f2/handler/oauth2/flow_authorize_code_token.go#L78-L85 (it expected https://example.com/gamja/ but received https://example.com/gamja/?scope=)

It's very likely that one or both of these issues is caused by my misconfiguration of Gamja and/or Authelia, but be advised that things may not work out of the box.

slingamn avatar Feb 06 '24 06:02 slingamn
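The redirect URI mismatch described in the comment above (registered https://example.com/gamja/, received https://example.com/gamja/?scope=) is what an exact-match check on redirect_uri produces: RFC 6749 section 3.1.2.3 and the OAuth 2.0 Security BCP call for the presented value to equal a registered one byte for byte, so a stray query component is a different URI, and scope belongs as its own parameter of the authorization request. The following is an added example of such a check, not code from Ergo, Gamja, Authelia or fosite; the client registration and the request URLs are constructed for illustration.

```python
"""Exact-match redirect_uri validation at an OAuth 2.0 authorization endpoint.

Added example, not Ergo, Gamja, Authelia or fosite code. The CLIENTS table and
the two request URLs are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed client registration, as an authorization server would store it.
CLIENTS = {"gamja": {"redirect_uris": ["https://example.com/gamja/"]}}

# Constructed authorization requests. In BAD_REQUEST the client folded "?scope="
# into redirect_uri; in GOOD_REQUEST scope is a separate request parameter.
BAD_REQUEST = ("https://auth.example.com/authorize?response_type=code&client_id=gamja"
               "&redirect_uri=https%3A%2F%2Fexample.com%2Fgamja%2F%3Fscope%3D&scope=openid")
GOOD_REQUEST = ("https://auth.example.com/authorize?response_type=code&client_id=gamja"
                "&redirect_uri=https%3A%2F%2Fexample.com%2Fgamja%2F&scope=openid%20profile")


def validate_authorize_request(url: str, clients=CLIENTS) -> dict:
    """Check the query string of a GET /authorize request.

    Returns {"ok": True, "client_id", "redirect_uri", "scope": [...]} or
    {"ok": False, "error": reason}. redirect_uri must equal a registered value
    exactly: no prefix matching and no normalisation, because a redirect the
    server did not register is where an authorization code could leak to.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name: str) -> str:
        # RFC 6749 s3.1: parameters must not be included more than once
        values = query.get(name, [])
        if len(values) != 1:
            raise ValueError(f"{name} must appear exactly once")
        return values[0]

    try:
        client_id = one("client_id")
        redirect_uri = one("redirect_uri")
        if one("response_type") != "code":
            return {"ok": False, "error": "unsupported_response_type"}
    except ValueError as e:
        return {"ok": False, "error": f"invalid_request: {e}"}
    client = clients.get(client_id)
    if client is None:
        return {"ok": False, "error": "unknown client_id"}
    if redirect_uri not in client["redirect_uris"]:
        return {"ok": False, "error": f"redirect_uri {redirect_uri!r} is not registered"}
    scope = query.get("scope", [""])[0].split()
    return {"ok": True, "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope}


if __name__ == "__main__":
    print(validate_authorize_request(BAD_REQUEST))
    print(validate_authorize_request(GOOD_REQUEST))
```

Run stand-alone it prints the rejection for the first request and the accepted client, redirect URI and scope list for the second; the same function also rejects an unknown client_id, a duplicated parameter, or a response_type other than code.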

(Ignore the jwt-auth config block or anything related to draft/bearer; those are for a related but distinct specification)

slingamn avatar Feb 06 '24 07:02 slingamn

@prologic any thoughts on when you might be able to test this? I was thinking of doing an early release that includes this change. (Sorry to pester you after I took so long implementing it ;-)

slingamn avatar Feb 13 '24 04:02 slingamn

I haven't had an opportunity to try this out yet, been very busy with my day job. But it's on my list!

prologic avatar Feb 13 '24 12:02 prologic

Thanks! I'm pretty confident in the PR so I'm going to merge it now and you can test it from the master branch.

slingamn avatar Feb 13 '24 23:02 slingamn