goth
Attempted fix for #483 - Use Activitypub FQN as email during sign up.
I have attempted to use the strategies from the discord oauth (which has email handling) for mastodon, to provide the oauth client a usable email in the form of the user fqn ([email protected]) which should allow gitea to create user accounts through oauth. Please correct if needed, but I think this might work.
Linked to issues #483 and go-gitea/gitea#21710
@techknowlogick Are you able to take a look at this and advise if something is wrong?
Thanks for this PR @chizutan5, I'm unsure about merging this PR as some systems expect that when being passed something via the email field that it is indeed the user's field. This may lock out users from their account as they wouldn't have access to an email that doesn't exist. Is there a different way to get the email from mastodon, perhaps by passing an additional scope?
Hi, Mastodon, Pleroma and possibly Misskey don't actually provide emails at all from what I can find, and there aren't any alternative scopes I know of that support giving it out; this is the only thing that provides an email-like ID which can be used. Maybe it can be passed on, specifically as "FQN", but this isn't compatible and for any software that needs an email but hasn't had any changes to support this fqn tag. I would argue that oauth generally negates the need to worry about users being locked out, as if they are, then they usually need to deal with the oauth provider who does have some kind of external contact method.
Maybe it can be possible to send some additional data that can then be interpreted by compatible implementations, that tell them "hey, this is an activitypub id" so that it can be handled in some way but still allow legacy implementations to take it into the email field? This was originally a PR to fix a gitea issue where it wasn't possible to create an account through the mastodon oauth, is it better fixed over there by creating an FQN field that satisfies the requirements for needing an email on the account? (Then this PR can just be changed to feed through the FQN instead of claim that it is an email)
It's definitely off topic discussion but I have thought about how gitea could act as an activitypub server and send out activitypub direct messages to activitypub ids instead of emails so that that sort of fix actually works as it might be expected, maybe this oauth implementation is better suited for directly implementing into gitea instead of changing anything here?
I appreciate your feedback, since this could be a breaking change for some software, but I don't have context for what actually uses goth other than gitea.
Thank you.
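
The separate-FQN-field idea raised in this thread, sketched from the relying party's side as an added example; it is not code from this PR, from goth or from Gitea. `Identity`, `IdentityFromMastodon` and `MailTarget` are hypothetical names, the JSON body is a constructed sample, and the handle domain is assumed to equal the host of the configured instance URL.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Identity is a hypothetical relying-party record, not a goth type.
type Identity struct {
	Email         string // set only when the provider returned a real mailbox
	EmailVerified bool
	FQN           string // ActivityPub handle, e.g. alice@social.example
}

// IdentityFromMastodon builds an Identity from a verify_credentials JSON body.
// Assumption: the handle domain equals the host of the configured instance URL.
func IdentityFromMastodon(instanceURL string, body []byte) (Identity, error) {
	var acct struct {
		Username string `json:"username"`
	}
	if err := json.Unmarshal(body, &acct); err != nil {
		return Identity{}, err
	}
	u, err := url.Parse(instanceURL)
	if err != nil || u.Hostname() == "" {
		return Identity{}, errors.New("invalid instance URL")
	}
	if acct.Username == "" || strings.ContainsAny(acct.Username, "@/ \t\r\n") {
		return Identity{}, errors.New("unexpected username in provider response")
	}
	// The handle goes into FQN; Email stays empty because none was supplied.
	return Identity{FQN: acct.Username + "@" + strings.ToLower(u.Hostname())}, nil
}

// MailTarget returns an address that mail may be sent to, or an error when the
// identity only carries an ActivityPub handle.
func MailTarget(id Identity) (string, error) {
	if id.Email == "" || !id.EmailVerified {
		return "", errors.New("no verified email for this identity")
	}
	return id.Email, nil
}

func main() {
	// Constructed sample response, trimmed to the field used here.
	body := []byte(`{"id":"1","username":"alice","acct":"alice"}`)
	id, err := IdentityFromMastodon("https://Social.Example", body)
	fmt.Println(id.FQN, err)
	_, err = MailTarget(id)
	fmt.Println(err)
}
```

Keeping the handle out of `Email` means password-reset and notification paths fail closed instead of mailing an address that may not exist.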