indieweb_indieauth - not working with indielogin.com

Created on 8 March 2025, 4 months ago

Problem/Motivation

Attempting to set my site up as an authentication provider for IndieWeb
Getting a "Missing or invalid parameters to obtain code: me is empty" error

Steps to reproduce

  1. I set up the IndieAuth module to expose my Drupal 11 site as an authentication provider.
  2. Verified that my site exposes the authorization and token endpoints in the HTML head.
  3. I set up all of the "rel=me" stuff and my site passes the tests on https://indiewebify.me/
  4. When I go to https://indielogin.com and enter my Drupal site URL it redirects me back to the authentication endpoint.
  5. I click the Authorize button and it redirects me back to indielogin.com with this query string
https://indielogin.com/redirect/indieauth?
state=b8a81a98f32f53a427396d57&
me=https://paullieberman.net/
&code=hflVnH7kI - Truncated

So the Drupal server is indeed sending back an authorization code, and the "me" parameter.

However, when indielogin.com goes back to get the token, I get:

{
    "error": "invalid_request",
    "error_description": "Missing or invalid parameters"
}

Checking the Drupal log it is a bit more specific.
"Missing or invalid parameters to obtain code: me is empty"

Identified the error is happening when indielogin.com makes the token request post. This post does not have a me parameter, yet the IndieAuthController insists on having one. Here is the token request post -

POST /indieauth/token HTTP/1.1
Accept: application/json
Content-Length: 379
Content-Type: application/x-www-form-urlencoded
Host: paullieberman.net
User-Agent: indielogin.com
X-Php-Ob-Level: 1

grant_type=authorization_code
&code=cC7mvwt4Ognf4 - truncated
&client_id=https%3A%2F%2Findielogin.com%2Fid
&redirect_uri=https%3A%2F%2Findielogin.com%2Fredirect%2Findieauth
&code_verifier=6931e4e67c - truncated

I attempted in vain to hack IndieAuthController.php to make it work without the 'me' parameter, hoping to be able to send you a diff, but even when I bypassed the checks for the 'me' parameter I could not make it work. Sorry.

Proposed resolution

Honestly I'm not sure what the best resolution is. The Spec appears to say that your code is correct in expecting the "me" parameter.

"6.3.2 Authorization Code Verification
The token endpoint needs to verify that the authorization code is valid, and that it was issued for the matching me, client_id and redirect_uri, and contains at least one scope."

However one would tend to believe that indielogin.com is doing the right thing.

I tried to get help on the IndieWeb Slack/Discord channel, where I got a lot of help diagnosing the problem, but not solving it. Other people said they have their own sites working as authentication providers for indielogin.com, but none of them are using Drupal.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

1.26

Component

Code

Created by

🇺🇸 United States lieb

Comments & Activities

  • Issue created by @lieb
  • 🇧🇪 Belgium swentel

    Thanks for the detailed report! I'm pretty sure I've tested this at some point in time where it probably worked, but indeed, now it doesn't. I did a quick test with https://micropublish.net/ too for instance, and nothing, so either the spec has been changed, or it's more relaxed, hard to say.

    However, attached is a patch which made me able to authenticate on indielogin.com and micropublish.net. From a security point of view, it doesn't seem to be less secure not validating me, so I think it's fine.

    Tests will probably fail, need to look at this (locally, they don't run anymore on the DA test infrastructure due to https://www.drupal.org/project/drupalci_environments/issues/3387737#comm... 📌 Split PHP image into php(cli/apache) and yarn(node/nightwatch) Needs review ), but it would be great if you could verify the login works now.

  • 🇧🇪 Belgium swentel

    New patch, subtle change where the 'me' is optional, but, in case it's there, must validate. Fixes the tests as well.

  • 🇺🇸 United States lieb

    Success!! Patch -2 worked. Patch -3 resulted in "Invalid State".
    I agree with your logic for Patch -3, if a "me" is returned then check to see if it matches.
    I will continue to engage the discussion group about what is the correct thing here:
    On a token request Post

    • Is "me" required?
    • Is "me" optional?
    • Is "me" not allowed?

    Thanks once again for your quick turn around on this.
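
The check described for patch 3 in the comments above (accept a token request without `me`, but validate `me` when it is sent), sketched as an added example; this is not the module's code or the attached patch. The function name, the stored-code array layout and the S256 PKCE challenge are assumptions, and the sample values are constructed.

```php
<?php
// Added example, not code from the indieweb_indieauth module. The function
// name and the stored-code array layout are assumptions for illustration.

// Base64url without padding, the encoding PKCE (RFC 7636) uses for S256.
function b64url(string $bin): string {
  return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Returns NULL when the request may redeem the code, else a reason to log.
function verify_code_redemption(array $stored, array $post): ?string {
  if (($post['grant_type'] ?? '') !== 'authorization_code') {
    return 'unsupported grant_type';
  }
  // The code stays bound to the client and redirect URI it was issued for.
  foreach (['code', 'client_id', 'redirect_uri'] as $key) {
    $value = $post[$key] ?? NULL;
    if (!is_string($value) || !hash_equals($stored[$key], $value)) {
      return "$key is missing or does not match";
    }
  }
  // PKCE S256: the verifier must hash to the challenge stored at authorization.
  $verifier = $post['code_verifier'] ?? NULL;
  if (!is_string($verifier)
    || !hash_equals($stored['code_challenge'], b64url(hash('sha256', $verifier, TRUE)))) {
    return 'code_verifier does not match code_challenge';
  }
  // "me" is optional, but a supplied value must match the stored one.
  $me = $post['me'] ?? NULL;
  if ($me !== NULL && (!is_string($me) || !hash_equals($stored['me'], $me))) {
    return 'me does not match';
  }
  return NULL;
}

// Constructed sample data; client_id and redirect_uri are the ones in the issue.
$verifier = 'constructed-verifier-0123456789-0123456789-0123456789';
$stored = [
  'code' => 'constructed-code',
  'client_id' => 'https://indielogin.com/id',
  'redirect_uri' => 'https://indielogin.com/redirect/indieauth',
  'me' => 'https://example.org/',
  'code_challenge' => b64url(hash('sha256', $verifier, TRUE)),
];
$request = ['grant_type' => 'authorization_code', 'code_verifier' => $verifier]
  + array_intersect_key($stored, array_flip(['code', 'client_id', 'redirect_uri']));

var_dump(verify_code_redemption($stored, $request)); // no "me", as in the issue
var_dump(verify_code_redemption($stored, $request + ['me' => 'https://example.org/']));
var_dump(verify_code_redemption($stored, $request + ['me' => 'https://other.example/']));
var_dump(verify_code_redemption($stored, ['code_verifier' => 'wrong'] + $request));
```

Without `me`, the code is still tied to the client, the redirect URI and the PKCE verifier, so a request that omits it is not accepted on the code value alone.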

  • 🇧🇪 Belgium swentel

    Hmm the invalid state is on indielogin.com? Haven't tested that patch yet, but I'll double check somewhere next week!

  • 🇧🇪 Belgium swentel

    indielogin.com seems to work for me with patch 3

    getting a notice though: Deprecated function: explode(): Passing null to parameter #2 ($string) of type string is deprecated in Drupal\indieweb_indieauth\Entity\IndieAuthAuthorizationCode->getScopes, so will fix that while we're at it

  • 🇧🇪 Belgium swentel

    Updated version fixing the explode

  • 🇧🇪 Belgium swentel
  • 🇮🇳 India rakesh.regar Rajasthan, India

    rakesh.regar → made their first commit to this issue’s fork.

  • Pipeline finished with Success
    3 months ago
    Total: 511s
    #476676