
Conversation


@carrvo carrvo commented Nov 29, 2024

Extend the work of @Zegnat by supporting multiple trusted endpoints. I ran this manually against SelfAuth and IndieAuth\Client.

@Zegnat (Owner) commented Dec 1, 2024

This is interesting. I kinda dropped using Mintoken when the IndieAuth specification dropped explicitly having tokens seen as something truly separate from logins. Did you test this with any token users, like maybe a Microsub client?

PRs are much appreciated, even if I am not super fast to respond and merge. That is mostly because Mintoken has always been more proof of concept than anything else. And not having it in use myself means testing changes is a lot tougher.

@carrvo (Author) commented Dec 1, 2024

The short answer is no. I have only successfully tried it with IndieAuth\Client.

The long answer is that I heard about IndieAuth about a month ago and my first goal is to get Apache HTTPd to authenticate a user. However, I have struggled to find a module for IndieAuth or any documentation on how to configure the OIDC or OAuth2 modules for use with IndieAuth. I have been quite happy with SelfAuth as a minimal IdP to get me started but need MinToken to get the latter working. This change is one roadblock I have encountered, but I have yet to accomplish something seemingly so simple. All that said, I am far away from attempting a Microsub client or trying to understand them...

I really like IndieAuth's ability to share restricted content with people that I don't have to register on my system and I really like that MinToken lets you select which scopes you give permission for (OIDC has added telling you but it still ends up being an "all or nothing" approval). A feature MinToken could use is letting services post descriptions for their scopes; but I hope to raise another PR within the next few weeks to propose this officially.

@Zegnat (Owner) commented Dec 2, 2024

> However, I have struggled to find a module for IndieAuth or any documentation on how to configure the OIDC or OAuth2 modules for use with IndieAuth.

Interesting, are you thinking of e.g. mod_oauth2 to have Apache check the tokens sent by the user? That shouldn’t be too hard. Mintoken predates this update and cannot help you as is, but IndieAuth explicitly supports Token Introspection which looks to be what you need for that.

I am not fully up to date on the latest IndieAuth implementations, but someone in the IndieWeb chat might have an immediate recommendation for one that supports introspection. (Probably try #indieweb-dev.)

> A feature MinToken could use is letting services post descriptions for their scopes; but I hope to raise another PR within the next few weeks to propose this officially.

I am unsure what you mean here. The consumer of tokens (i.e. Apache HTTPd for you) decides what a token does. So you would want your Apache configuration to somehow be reflected by the IndieAuth flow? That would have to go into the authorization endpoint, as that is the only part that visually shows something to the user.

@carrvo (Author) commented Dec 2, 2024

> However, I have struggled to find a module for IndieAuth or any documentation on how to configure the OIDC or OAuth2 modules for use with IndieAuth.
>
> Interesting, are you thinking of e.g. mod_oauth2 to have Apache check the tokens sent by the user? That shouldn’t be too hard. Mintoken predates this update and cannot help you as is, but IndieAuth explicitly supports Token Introspection which looks to be what you need for that.
>
> I am not fully up to date on the latest IndieAuth implementations, but someone in the IndieWeb chat might have an immediate recommendation for one that supports introspection. (Probably try #indieweb-dev.)

Yes, mod_oauth2 or, since the former only checks a token and I see no way for it to initiate the flow, mod_auth_oidc. Those in the IndieWeb chat don't seem particularly interested in this level (I suspect they do their auth in the application after HTTPd has handed over control), but they are nice. I was afraid that introspection was its own beast; seems I was correct :(

As of last night I did figure out this was possible with mod_authnz_external + a database... which is not particularly secure since I cannot tie the request to the device like with sessions, so someone can easily steal the login...

@carrvo (Author) commented Dec 2, 2024

> This is interesting. I kinda dropped using Mintoken when the IndieAuth specification dropped explicitly having tokens seen as something truly separate from logins. Did you test this with any token users, like maybe a Microsub client?
>
> PRs are much appreciated, even if I am not super fast to respond and merge. That is mostly because Mintoken has always been more proof of concept than anything else. And not having it in use myself means testing changes is a lot tougher.

To return to your main question: I don't really intend to test it against a Microsub client. However, if I correctly understand your verifyCode function, then my change would mean its rough logic is:

  1. Iterate through the trusted endpoints asking each in turn if they own the code and can verify it.
  2. If they can, great! Continue further.
  3. Otherwise ask the next one.
  4. If no endpoint can, then fail.
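The loop described above, written out as an added example (this is not Mintoken's own code, and `verifyCodeAt`, `verifyCodeWithTrusted`, `httpPost` and the example URLs are assumptions made for illustration). The redemption request follows the IndieAuth flow of POSTing the code, `client_id` and `redirect_uri` to the authorization endpoint and treating a JSON reply carrying `me` as success; the transport is injected so the block runs offline against a constructed fake. Two points a practitioner would want to check in this design: the loop must stop at the first endpoint that accepts the code, and every endpoint earlier in the list than the issuing one still sees the code, so the trusted list should stay short and contain only endpoints you would hand a code to.

```php
<?php
// Added example, not Mintoken's code. Resolve an authorization code against a
// list of trusted IndieAuth authorization endpoints; the first one that
// verifies the code wins, and the code is not sent to any later endpoint.
declare(strict_types=1);

/**
 * POST $fields to $url as a form and return the body on a 2xx response, else null.
 * (Assumed helper; uses only the standard curl extension.)
 */
function httpPost(string $url, array $fields): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return (is_string($body) && $status >= 200 && $status < 300) ? $body : null;
}

/**
 * Ask ONE authorization endpoint to redeem $code. Returns the decoded JSON
 * (which must name the user in "me") or null if this endpoint rejects the code.
 * $post is callable(string $url, array $fields): ?string, e.g. 'httpPost'.
 */
function verifyCodeAt(string $endpoint, string $code, string $clientId, string $redirectUri, callable $post): ?array
{
    $body = $post($endpoint, [
        'grant_type'   => 'authorization_code',
        'code'         => $code,
        'client_id'    => $clientId,
        'redirect_uri' => $redirectUri,
    ]);
    if ($body === null) {
        return null;                       // non-2xx: this endpoint did not issue the code
    }
    $info = json_decode($body, true);
    // Only a JSON object that names the authenticated user counts as a verification.
    if (!is_array($info) || !isset($info['me']) || !is_string($info['me'])) {
        return null;
    }
    return $info;
}

/**
 * Try each trusted endpoint in turn and stop at the first that verifies the code.
 * Returns ['endpoint' => ..., 'info' => ...] or null when no trusted endpoint accepts it.
 */
function verifyCodeWithTrusted(array $endpoints, string $code, string $clientId, string $redirectUri, callable $post): ?array
{
    foreach ($endpoints as $endpoint) {
        $info = verifyCodeAt($endpoint, $code, $clientId, $redirectUri, $post);
        if ($info !== null) {
            return ['endpoint' => $endpoint, 'info' => $info];   // first success wins
        }
    }
    return null;                                                 // no endpoint owns the code
}

// --- offline demonstration with a constructed fake transport (no network) ---
// Two assumed trusted endpoints; only the second one issued the code "abc123".
$trusted = [
    'https://auth.example.org/authorization',
    'https://selfauth.example.net/auth',
];
$fakePost = function (string $url, array $fields): ?string {
    if ($url === 'https://selfauth.example.net/auth' && $fields['code'] === 'abc123') {
        return json_encode(['me' => 'https://alice.example.net/', 'scope' => 'read']);
    }
    return null;   // every other endpoint answers 4xx, which httpPost would map to null
};

$result = verifyCodeWithTrusted($trusted, 'abc123', 'https://app.example.com/', 'https://app.example.com/cb', $fakePost);
echo $result === null
    ? "no trusted endpoint verified the code\n"
    : "verified by {$result['endpoint']} as {$result['info']['me']}\n";

$none = verifyCodeWithTrusted($trusted, 'stolen', 'https://app.example.com/', 'https://app.example.com/cb', $fakePost);
echo $none === null ? "unknown code rejected by every endpoint\n" : "unexpected success\n";
```

To run it against real endpoints, pass `'httpPost'` instead of `$fakePost`; the fake exists only so the control flow (stop on first success, fail when none accepts) can be exercised without network access.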

@carrvo (Author) commented Dec 3, 2024

> However, I have struggled to find a module for IndieAuth or any documentation on how to configure the OIDC or OAuth2 modules for use with IndieAuth.
>
> Interesting, are you thinking of e.g. mod_oauth2 to have Apache check the tokens sent by the user? That shouldn’t be too hard. Mintoken predates this update and cannot help you as is, but IndieAuth explicitly supports Token Introspection which looks to be what you need for that.
> I am not fully up to date on the latest IndieAuth implementations, but someone in the IndieWeb chat might have an immediate recommendation for one that supports introspection. (Probably try #indieweb-dev.)

> Yes, mod_oauth2 or, since the former only checks a token and I see no way for it to initiate the flow, mod_auth_oidc. Those in the IndieWeb chat don't seem particularly interested in this level (I suspect they do their auth in the application after HTTPd has handed over control), but they are nice. I was afraid that introspection was its own beast; seems I was correct :(
>
> As of last night I did figure out this was possible with mod_authnz_external + a database... which is not particularly secure since I cannot tie the request to the device like with sessions, so someone can easily steal the login...

...and I just figured out mod_oauth2, which additionally needs #15 to work.

Comment on lines +229 to +231

```php
$endpoints = getTrustedEndpoints();
foreach ($endpoints as $endpoint) {
    $info = verifyCode($request['code'], $request['client_id'], $request['redirect_uri'], $endpoint);
```

carrvo (Author) suggested change:

```diff
 $endpoints = getTrustedEndpoints();
+// Iterate through the trusted endpoints asking each in turn if they own the code and can verify it.
 foreach ($endpoints as $endpoint) {
     $info = verifyCode($request['code'], $request['client_id'], $request['redirect_uri'], $endpoint);
```

@carrvo (Author) commented Dec 5, 2024

> A feature MinToken could use is letting services post descriptions for their scopes; but I hope to raise another PR within the next few weeks to propose this officially.
>
> I am unsure what you mean here. The consumer of tokens (i.e. Apache HTTPd for you) decides what a token does. So you would want your Apache configuration to somehow be reflected by the IndieAuth flow? That would have to go into the authorization endpoint, as that is the only part that visually shows something to the user.

Just figured out why you were confused: this would be a SelfAuth enhancement, not for here at all. Whoops... and I was talking ahead of myself anyway.

@carrvo (Author) commented Aug 13, 2025

This has been in active use against mod_oauth2 within https://github.com/carrvo/mindie-idp/tree/master/mintoken
