-

Sat, 16 Oct 2021 02:17:00 -0700

rockyiii@huby.infozoo.de

Hi Pascal
Can you help us here:

https://zotadel.net/display/b64.aHR0cHM6Ly96b3RhZGVsLm5ldC9hY3Rpdml0eS8wN2VkZjBiOS03ZGIyLTQ5N2EtYmFjZS04MDlkNjQ2YmM1YmM

mehr anzeigen 41

Sat, 16 Oct 2021 03:08:02 -0700

Pascal (Hz)

pascal@hz.eenoog.org

The authorization callback URL (filled in e.g. at github) is what the remote Identity provider will try to call and it should be directed to your hub. So "localhost" will not work.

The addon documentation says

Redirect URI (== authorization callback URL - feel free to update this description in the addon if it's better understood)

Create an OAuth2 application in the provider's interface
Configure the provider's OAuth2 application to execute a callback to the Hubzilla socialauth app on "<your hub's base URL>/socialauthsignin.php"

=> so for me, I have in github "https://hub.eenoog.org/socialauthsignin.php" as Authorization callback URL

Give it a try!

(for authenticating one HZ to another HZ via social auth addon on hub1 + OAuth2 app on hub2, that is possible (hub2 as a custom OAuth provider) but there is the built-in Remote authentication which is native way and much easier if it's an option)

Sat, 16 Oct 2021 03:43:54 -0700

RockyIII

rockyiii@huby.infozoo.de

thanks for the quick replay

so on https://github.com/settings/applications/new

i put in for "Homepage URL" -

and for " Authorization callback URL" - /socialauthsignin.php

with the generated key and secret by github i get in HZ stil:

404 Not Found
nginx

what i´m missing?

(for authenticating one HZ to another HZ via social auth addon on hub1 + OAuth2 app on hub2, that is possible (hub2 as a custom OAuth provider) but there is the built-in Remote authentication which is native way and much easier if it's an option)

i wanted to test the OAuth2 addon and since sites where an OAuth2 login is offered are no easy to find i had the idea to test it with an other HZ site... so I want to login to an second account on HZ hub 02 with the login information i have on HZ hub 01 for a separate account. Could that work?

Sun, 17 Oct 2021 00:10:18 -0700 zuletzt bearbeitet: Wed, 03 Nov 2021 10:26:35 -0700

Pascal (Hz)

pascal@hz.eenoog.org

Hello

it still works for me.
Are you sure you enabled the 'Github' entry (checkbox 'Yes' on the right)?

Did you enable the HZ logs (all logs, including Debug)? If so, what does it say around the time you press the 'Login with github' button?

In my logs:

2021-10-17T06:48:11Z:LOG_INFO:d2f1ff2b3c:config.php:125:getProviderConfig: Getting provider config for GitHub
2021-10-17T06:48:11Z:LOG_INFO:d2f1ff2b3c:socialauth.php:51:socialauth_login: Adding provider GitHub
2021-10-17T06:48:11Z:LOG_INFO:d2f1ff2b3c:config.php:125:getProviderConfig: Getting provider config for custom_gitea
2021-10-17T06:48:11Z:LOG_INFO:d2f1ff2b3c:socialauth.php:51:socialauth_login: Adding provider gitea
2021-10-17T06:48:16Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:45:get: SocialAuth Signin controller GET
2021-10-17T06:48:16Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:16:getAuth: Configured providers: Array
(
    [0] => GitHub
    [1] => custom_gitea
)

2021-10-17T06:48:16Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:18:getAuth: Request provider = GitHub
2021-10-17T06:48:16Z:LOG_INFO:d2f1ff2b3c:config.php:125:getProviderConfig: Getting provider config for GitHub
2021-10-17T06:48:16Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:91:get: Socialauth - not connected to GitHub yet
2021-10-17T06:48:21Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:45:get: SocialAuth Signin controller GET
2021-10-17T06:48:21Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:55:get: No provider specified
2021-10-17T06:48:21Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:16:getAuth: Configured providers: Array
(
    [0] => GitHub
    [1] => custom_gitea
)

2021-10-17T06:48:21Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:18:getAuth: Request provider = GitHub
2021-10-17T06:48:21Z:LOG_INFO:d2f1ff2b3c:config.php:125:getProviderConfig: Getting provider config for GitHub
2021-10-17T06:48:21Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:72:get: Socialauth - Connected to GitHub OK
2021-10-17T06:48:22Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:154:Zotlabs\Module\socialauth_signin: Trying to log in account ***@***

Sun, 17 Oct 2021 03:04:15 -0700 zuletzt bearbeitet: Wed, 03 Nov 2021 12:23:34 -0700

RockyIII

rockyiii@huby.infozoo.de

have a look at my log? does this explain something?

2021-10-17T09:54:49Z: cleared

Wed, 20 Oct 2021 12:11:50 -0700 zuletzt bearbeitet: Wed, 20 Oct 2021 12:12:38 -0700

RockyIII

rockyiii@huby.infozoo.de

have you an idea what could be the problem?

just to explain to you - I test the addon on a other hub than infozoo.de ... so you will not see the Github button here...

Wed, 20 Oct 2021 22:55:35 -0700

Pascal (Hz)

pascal@hz.eenoog.org

I was hoping you would send me the debug logs when you try to log in as I asked before, that would give me more info.

I can only come up with some ideas:
- what do you see in the URL bar when you receive the 404? That could give an indication.
- did you verify your email address in github ( https://docs.github.com/en/get-started/signing-up-for-github/verifying-your-email-address)

Thu, 21 Oct 2021 05:54:49 -0700 zuletzt bearbeitet: Thu, 21 Oct 2021 05:55:57 -0700

Pascal (Hz)

pascal@hz.eenoog.org

From your logs, it seems like the request to https://hub.eenoog.org/socialauthsignin.php?provider=GitHub isn't arriving to your hub.
The first that happens when the addon receives this GET, is to log in the log file:

SocialAuth Signin controller GET

e.g. like in my log file:

2021-10-17T06:48:11Z:LOG_INFO:d2f1ff2b3c:socialauth.php:51:socialauth_login: Adding provider gitea
2021-10-17T06:48:16Z:LOG_INFO:d2f1ff2b3c:Mod_SocialAuth.php:45:get: SocialAuth Signin controller GET

And I'm not seeing that in your log file.

What if you enter the URL https://hub.eenoog.org/socialauthsignin.php?provider=GitHub in your URL bar, what do you see in the logfile?

Thu, 21 Oct 2021 06:24:14 -0700

RockyIII

rockyiii@huby.infozoo.de

when i click on you links i end up at
https://github.com/login/oauth/authorize?response_type=code&client_id=......

and it shows:

Authorize Hubzilla
@rocky-III Hubzilla by abanink
wants to access your rocky-III account
Personal user data
Email addresses (read-only)

Authorizing will redirect to
https://hub.eenoog.org

Thu, 21 Oct 2021 08:20:49 -0700 zuletzt bearbeitet: Thu, 21 Oct 2021 08:26:26 -0700

Pascal (Hz)

pascal@hz.eenoog.org

I should have mentioned that you need to replace the base URL by your hub instead of mine.
In the end, we're interested in what happens on your hub, not on mine you see...

Can you also check your webserver logs, see which incoming requests you receive during the social login process?

Thu, 21 Oct 2021 09:12:14 -0700 zuletzt bearbeitet: Wed, 03 Nov 2021 12:34:05 -0700

RockyIII

rockyiii@huby.infozoo.de

your link is actually
https://hub.eenoog.org/socialauthsignin.php?provider=GitHub&zid=rockyiii%40huby.infozoo.de

so if i use
https://xyx.de/socialauthsignin.php?provider=GitHub
or
https://xyx.de/socialauthsignin.php?provider=GitHub&zid=aa@xyx.de
instead
i get this 404 Not Found Error

this is what is see in the nginx server log:

[21/Oct/2021:18:06:41 +0200] "GET /socialauthsignin.php?provider=GitHub HTTP/2.0" 404 162 "[url=https://xyx.de/&quot]https://xyx.de/&quot[/url]; "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"

Thu, 21 Oct 2021 10:06:03 -0700

Pascal (Hz)

pascal@hz.eenoog.org

so we see that the request reaches your webserver, good!
But somehow a 404 response is generated, and I don't see any proof that Hubzilla tries to use the socialauth module (as said before, this would be proven if the log would show the first log statement in the module's get() function, i.e. "SocialAuth Signin controller GET").

Can you show me the output of this query in your hubzilla database where the socialauth module is installed?

select k,v from config where cat='system' and k='routes';

Thu, 21 Oct 2021 10:34:34 -0700 zuletzt bearbeitet: Wed, 03 Nov 2021 12:25:12 -0700

RockyIII

rockyiii@huby.infozoo.de

cleared

Thu, 21 Oct 2021 13:42:41 -0700

Pascal (Hz)

pascal@hz.eenoog.org

ok, thanks. So the routes to the module's endpoints are correctly loaded.

Now I start to think it could be something nginx specific (I'm using apache).
This is a long shot, but can you:
1) on the hub where the social auth module is installed: change the code in the social auth module: remove the ".php" extension in the line "return z_root() . '/socialauthsignin.php';" in socialauth/include/config.php in the add-on directory like this:

diff --git a/socialauth/include/config.php b/socialauth/include/config.php
index fd748534..c88c199d 100644
--- a/socialauth/include/config.php
+++ b/socialauth/include/config.php
@@ -30,7 +30,7 @@ class SocialAuthConfig {
        }

        static public function getCallback() {
-               return z_root() . '/socialauthsignin.php';
+               return z_root() . '/socialauthsignin';
        }

        static public function getBuiltinProviders() {

2) In your github Oauth config: also remove the .php extension from the authorization callback URL to look like below.

try again.

Fri, 22 Oct 2021 03:02:08 -0700

RockyIII

rockyiii@huby.infozoo.de

Ok - now it looks a bit better...
now if i click the github button it tasks me to

https://github.com/login/oauth/authorize?response_type=code&client_id=......xxxxx

and i can click "Authorize"

If i now try to login and click on the github button

I get the message by github
"you are being redirected to the authorized application"

and get redirected to the login page - but I´m not logged in

Fri, 22 Oct 2021 03:03:46 -0700

Pascal (Hz)

pascal@hz.eenoog.org

do you have the debug log file? We should see something more now in there...

Fri, 22 Oct 2021 03:19:53 -0700 zuletzt bearbeitet: Wed, 03 Nov 2021 12:22:16 -0700

RockyIII

rockyiii@huby.infozoo.de

here is the log:[code]

2021-10-22T10:17:35Z: ( cleared)

Fri, 22 Oct 2021 23:18:47 -0700

Pascal (Hz)

pascal@hz.eenoog.org

hey

can you post the output in your HZ debug log file?

On your question:
(for authenticating one HZ to another HZ via social auth addon on hub1 + OAuth2 app on hub2, that is possible (hub2 as a custom OAuth provider) but there is the built-in Remote authentication which is native way and much easier if it's an option)

After 1,5 day of troubleshooting, I found how it can be done. It can't be done out of the box but with an update of the social auth module, it should be possible to configure. I'll keep you posted on that.

Sat, 23 Oct 2021 05:05:16 -0700

RockyIII

rockyiii@huby.infozoo.de

Hey thanks for your help..

what kind of HZ debug log your are asking for?

Sat, 23 Oct 2021 11:10:28 -0700

Pascal (Hz)

pascal@hz.eenoog.org

I mean the same log as you posted before with typically this kind of content:
"2021-10-21T11:11:46Z:LOG_INFO:63886bdc21:socialauth.php:41:socialauth_login: Providers: Array
(
[0] => GitHub
)

2021-10-21T11:11:46Z:LOG_INFO:63886bdc21:config.php:125:getProviderConfig: Getting provider config for GitHub
2021-10-21T11:11:46Z:LOG_INFO:63886bdc21:socialauth.php:51:socialauth_login: Adding provider GitHub
..."

But then the content of the logfile around the time when you attempt to login using the 'sign in with Github' button, to see what is logged on your hub (as I don't have X-ray eyes and no console access on your hub of course I can't see that from here).

Sun, 24 Oct 2021 01:09:26 -0700

RockyIII

rockyiii@huby.infozoo.de

I did sent this log.... didn t you get the log with the timestemp 2021-10-22T10:17:35?

Sun, 24 Oct 2021 01:37:51 -0700

RockyIII

rockyiii@huby.infozoo.de

This time as attachment

Sun, 24 Oct 2021 01:51:43 -0700

RockyIII

rockyiii@huby.infozoo.de

. attachment

Sun, 24 Oct 2021 04:05:08 -0700 zuletzt bearbeitet: Wed, 03 Nov 2021 10:26:08 -0700

Pascal (Hz)

pascal@hz.eenoog.org

Thanks!

From the log file, this seems to be the problem:

2021-10-22T10:17:42Z:LOG_INFO:28558269f2:Mod_SocialAuth.php:154:Zotlabs\Module\socialauth_signin: Trying to log in account ***@***
2021-10-22T10:17:42Z:LOG_INFO:28558269f2:Mod_SocialAuth.php:167:Zotlabs\Module\socialauth_signin: Email address ****@*** not found in database

This is what is meant in the README of the socialauth module:
* Prerequisites
- You must be able to authenticate at the provider with an email address which exists in your hub

=> So the email address you are logged in with at Github must be the same email address as the user you are trying to log in.
The reason is that the socialauth module matches the email address that it receives from Github (because you authenticated with that email address at Github) to an email address in the hub where you are trying to execute the login. So you must have an account that has the email address equal to the email address you are using at Github.

* Is it possible that you are logged in at Github with email address "***@***" but the account on your hub has a different email address?
* If yes, can you create an account with that the email address "***@***" on that hub and try to login using Github again? (If it doesn't work, please send me the debug log again).

Sun, 24 Oct 2021 10:06:35 -0700 zuletzt bearbeitet: Mon, 25 Oct 2021 09:59:24 -0700

RockyIII

rockyiii@huby.infozoo.de

whooo... now it works.. THANKS

i changed the emailadress....

I did not understand this

You must be able to authenticate at the provider with an email address which exists in your hub

This should be found in the Readme under "Limitations" and not just in the admin section...

a regular user need to know this when activating the add on

Also this :

Creating new accounts in Hubzilla is not supported through socialauth sign-in

should be readable on the loginpage under the e.g. github button just to make things clear

Mon, 25 Oct 2021 13:05:17 -0700

Pascal (Hz)

pascal@hz.eenoog.org

You must be able to authenticate at the provider with an email address which exists in your hub

This should be found in the Readme under "Limitations" and not just in the admin section...

Well I could change that if I agreed that it's a limitation; however, as the email address is used as the identifier to look up the user that just authenticated at the remote identity provider (like Github), it's just the way it works - how else can the social auth know which user just authenticated remotely...

Anyway, anybody is free to make and propose changes, I think I already did my share.

I've created a merge request for version 0.4 of the socialauth app to resolve your login issues.
It also supports configuring scopes for custom providers, so if you like to configure Hubzilla as a remote provider you can do that by configuring "openid email" as scope. The email address exposed by Hubzilla (as identity provider) must still match an account's email address on the local hub where the "social login" is done.

Fri, 29 Oct 2021 04:00:33 -0700

RockyIII

rockyiii@huby.infozoo.de

It also supports configuring scopes for custom providers, so if you like to configure Hubzilla as a remote provider you can do that by configuring "openid email" as scope. The email address exposed by Hubzilla (as identity provider) must still match an account's email address on the local hub where the "social login" is done.

I stil don´t know how to do this... how to configur this "openid email" ?

Fri, 29 Oct 2021 06:07:57 -0700

Pascal (Hz)

pascal@hz.eenoog.org

That's "officially" supported in version 0.4 of the social auth app.
But if you want to play around with it, you only need to replace 2 files in fact & configure.

Steps:
(in my example, 'hub.eenoog.org' is my 'client' where I want to perform social login, 'hzsandbox2.eenoog.org is my 'server' which is the identity provider)

On the Hubzilla instance which plays the role of identity provider:
Configure:
* make sure to configure the "OAuth2 Apps Manager" app
* add an application & configure like this example

Replace 'hub.eenoog.org' with the hostname of your hubzilla client's hostname.

On the Hubzilla instance where you want to perform the social login:
1) Prepare:
* download & copy these files over the existing files:
* https://framagit.org/abanink/addons/-/blob/dev/socialauth/Mod_SocialAuth.php => <add-on dir>/socialauth/Mod_SocialAuth.php
* https://framagit.org/abanink/addons/-/blob/dev/socialauth/include/config.php => <add-on dir>/socialauth/include/config.php

2) Configure your hubzilla instance where you want to perform the social login to support the scope configuration:
* add a custom provider (you can choose the name, in my example it's 'anotherhz')

* enable & configure the custom provider, example see below but replace "hzsandbox2.eenoog.org" everywhere by the other HZ (which will play the role of identity provider).

(the key/secret must match the provider side name/secret)

For info, you would find those endpoints & scope info if you connect to any HZ instance at /oauthinfo

On the 'client' you should see an extra login option on the login page 'Sign in with ....' (whatever you configured as name).
Note that the same requirement is still valid: the email address of the user on your 'server' must match an account's email address on your 'client'. You should be logged in as the user who has that email address.

Fri, 29 Oct 2021 08:01:22 -0700 zuletzt bearbeitet: Fri, 29 Oct 2021 09:49:22 -0700

RockyIII

rockyiii@huby.infozoo.de

THANKS so much @Pascal this is very helpful

I tried to create this custom provider but somehow all the filed in words are not saved.. I also can´t enable the custom provider..
All my addon files have chmod 640 - is this right? Or what other reason could there be??

Fri, 29 Oct 2021 09:16:27 -0700

Pascal (Hz)

pascal@hz.eenoog.org

As always, check the log file when you submit the page. Paste it here if not clear from the log file what's wrong.

Also, these queries on the DB could help (remove secrets before pasting):

select k,v from config where cat='socialauth' and k like 'custom_%';
select k,v from config where cat='socialauth' and k = 'providers';

Mon, 01 Nov 2021 01:45:08 -0700

RockyIII

rockyiii@huby.infozoo.de

here is the logfile:

Mon, 01 Nov 2021 01:54:30 -0700 zuletzt bearbeitet: Mon, 01 Nov 2021 02:15:51 -0700

Pascal (Hz)

pascal@hz.eenoog.org

ok, the values do not seem to be saved to the DB.
I'll try to reproduce your issue.

Mon, 01 Nov 2021 02:00:07 -0700

RockyIII

rockyiii@huby.infozoo.de

here is the query output

Mon, 01 Nov 2021 05:43:37 -0700 zuletzt bearbeitet: Mon, 01 Nov 2021 09:07:54 -0700

Pascal (Hz)

pascal@hz.eenoog.org

strange, but it seems to have something to do with the dot (.) in the name of your custom provider.
Quick solution is probably to use a name without a dot. (e.g. "im.almendenetz" => "imalmendenetz")

[UPDATE]
Found the issue :

Dots and spaces in variable names are converted to underscores. For example <input name="a.b" /> becomes $_REQUEST["a_b"].

From this source:
PHP: Variables From External Sources - Manual

When a form is submitted to a PHP script, the information from that form is automatically made available to the script. There are few ways to access this information, for example: There are only two ways to access data from your HTML forms. Currently available methods are listed below: Example #2 Accessing data from a simple POST HTML form Using a...

So it would be best that the same conversion is done when the name is entered in the form so that names with a dot or space are saved as if they have been entered with an underscore; so you would see 'im_almendenetz' as provider name if you entered 'im.almendenetz'.
[UPDATE2] I included a way to avoid this issue also in version 0.4 of the add-on. For now, don't use dots or spaces in the custom provider name.

Wed, 03 Nov 2021 07:15:41 -0700

RockyIII

rockyiii@huby.infozoo.de

@Pascal THANKS... now it works like cream... very nice

Wed, 03 Nov 2021 08:09:26 -0700

Pascal (Hz)

pascal@hz.eenoog.org

nice thanks for the feedback!

Wed, 03 Nov 2021 08:14:57 -0700

RockyIII

rockyiii@huby.infozoo.de

@Pascal so what it the reason why we need to register first regular before we can use your socialauth add on ? Does HZ not allow this in an other way?

Wed, 03 Nov 2021 08:53:50 -0700

Pascal (Hz)

pascal@hz.eenoog.org

Technically it's most probably feasible to login users that don't have an account on your hub.
It would mean that a new user is created in hubzilla when they are able to log in using a remote identity provider like google, github etc.
So everyone with an account on github, google etc whatever remote identity provider you have configured, could have an account auto-created on your hub when they authenticate that way.
Sure you want this?

I didn't bother to implement this because I doubted if anyone would be willing to use it that way; and it's more work :)
But for an identity provider under your own control, ok, I could see the use case or, if you want to open up the sign-up to virtually anyone.

You're free to create a feature request in the framagit issue tracker of course.

Wed, 03 Nov 2021 09:35:31 -0700

RockyIII

rockyiii@huby.infozoo.de

Thank you for this explanation

Done: https://framagit.org/hubzilla/core/-/issues/1645

Wed, 03 Nov 2021 12:40:03 -0700

RockyIII

rockyiii@huby.infozoo.de

But for an identity provider under your own control, ok, I could see the use case or, if you want to open up the sign-up to virtually anyone.

Maybe an alternative version of the socialauth add-on would be interesting to have which just the admin of a hub could configure - just this admin can decide than what kind of remote identity provider will be activated

Thu, 04 Nov 2021 01:17:09 -0700

Pascal (Hz)

pascal@hz.eenoog.org

Good point - I intended this add-on as "admin-only", but just realized that every user has access to the add-on settings.
So all it takes is to limit access to the settings to admin users only. Will look into it.

Fri, 05 Nov 2021 01:19:28 -0700

Pascal (Hz)

pascal@hz.eenoog.org

Version 0.4 (pending pull request) now disallows configuration access for non-admins.