Authentication doesn't seem to be working #47

Open
SomeoneElseOSM opened this issue Feb 14, 2024 · 25 comments
Comments

@SomeoneElseOSM

When I try and sign in to Potlatch3 it gets over the first hurdle but fails at the second:

Screenshot 2024-02-14 132937 Screenshot 2024-02-14 133010 Screenshot 2024-02-14 133028

(the credentials were copied from a password manager and worked in an incognito web browser, which should rule out my typing as a factor)

Is this perhaps related to the Oauth1 / 1.0a / 2 changes - https://lists.openstreetmap.org/pipermail/announce/2024-February/000116.html ?

@SomeoneElseOSM
Author

In the user profile under Oauth 1 settings I see:

Screenshot 2024-02-14 134125

@zstadler

Same for me. It looks like the login was successful as I can see the private ("Trackable") GPS traces I've uploaded.

image

@systemed
Owner

I presume this is a result of openstreetmap/chef@4d161f9.

I didn't write the original P2 OAuth code (or at least, not that I can remember!) and it doesn't seem sensible to try to retrofit 1.0a to it for the sake of a couple of months. Instead we should move to OAuth2 for which a library happily exists (https://github.com/charlesbihis/actionscript-oauth2). I'll try to get to that as soon as is possible.

@zstadler

zstadler commented Mar 9, 2024

@systemed,
Please see what can be done about this issue.

@systemed
Owner

systemed commented Mar 9, 2024

Yep, I'm aware of it and when I get a spare moment I'll look at it, unless of course anyone beats me to it :)

@mmd-osm

mmd-osm commented May 10, 2024

Linking to openstreetmap/operations#867 for tracking purposes only.

@BikePC

BikePC commented May 28, 2024

I have a working Potlatch3 setup on my Windows 10 Home 64bit laptop. For testing and to try to get insight into the above issue I have made a fresh install of Windows 10 Home 64bit on my desktop test-PC. Running potlatch.exe 3 from the unpacked .zip distribution of 2022-01-24 after first logging in on openstreetmap.org with the same credentials as on my laptop I can do everything with Potlatch 3 except saving a changeset. The same screens and error appear as here above. If I check my settings and preferences in openstreetmap.org from both machines - the laptop and the desktop - they are identical, logically because they are online on the OSM server.
My conclusion so far is that somewhere locally on the PC settings are saved that do not meet the current OSM requirements.
Firewall settings maybe and there are settings in the registry regarding 'potlatch' which I don't understand? Have looked around in ProgramData and Appdata, but no potlatch stuff there.
When I restore the disk image with a working Potlatch on my desktop test-PC, overwriting the fresh Win10 install, everything is fine again. Proving that we have to search locally on the PC, isn't it?

@systemed
Owner

OpenStreetMap has started doing "brownouts" for OAuth 1 which is what Potlatch uses to authenticate. I'm planning to implement support for OAuth 2 but haven't had time to do so yet, and certainly won't do before this weekend at the very earliest. (It's rather more complex in ActionScript than in other languages because OAuth 2 wasn't a well supported standard at the time that ActionScript 3 was in wide usage.)

/cc @Firefishy

@SomeoneElseOSM
Author

For info, I also see "if you were previously authenticated, you can still use P3, but new authentications do not work". Logging out means that you won't be able to log in again. This has been the case since oauth1 was disabled.

This only applies if there is not currently a brownout; I did try yesterday when "basic / oauth1a" was turned off. What happened was that a message appeared in the P3 window suggesting that some endpoint was unavailable; it didn't say anything about authentication and the message mentioned in https://community.openstreetmap.org/t/oauth-1-0a-and-http-basic-auth-shutdown/108490/17 did not appear.

@DaveF63

DaveF63 commented Jun 3, 2024

It appears both 1.0 & 1.0a are turned off as of June 1st.

"A server error occurred. Do you want to retry? (The server said: OAuth 1.0 and 1.0a are disabled: https://wiki.openstreetmap.org/wiki/2024_authentication_update)".

Unable to save & there are no backgrounds available.

@systemed
Owner

systemed commented Jun 3, 2024

Yep... I'm working on this latest bout of security theatre at present.

@systemed
Owner

systemed commented Jun 5, 2024

The OAuth2 code is all done in #49.

However, some upgrade or other to AIR has broken text rendering for a very large part of the user interface:

Screenshot 2024-06-05 at 15 41 02

Unfortunately we do need to use a recent version of AIR in order to show the HTML for osm.org's OAuth2 authentication screen.

The upshot is that I can't currently produce a workable build. I have managed to successfully get a local copy going by using a Heath Robinson amalgam of two separate AIR versions, but any .air file that's produced has the same text rendering issue.

I have posted over on the AIR repo to find out what can be done about this, but until then I can't move any further forward with this, exasperatingly.

@SomeoneElseOSM
Author

Thanks. Is there a downloadable build that I can try under something like wine? I'm sure I've seen text problems like that before and seem to remember using various wine-level bodges to resolve.

@systemed
Owner

systemed commented Jun 6, 2024

I'm unable to build a Windows-native application at the moment so I don't think there'd be a lot of success running Wine.

Having retried with a completely fresh install on a modern Mac, I'm now pretty sure this is an AIR issue. The AIR developers are usually pretty responsive so I'm hopeful there'll be a fix soon.

If anyone wants to try building P3 themselves this is the process:

Edit: confirmed by another AIR user that this appears to be an issue with the latest AIR SDK.

@systemed
Owner

systemed commented Jun 7, 2024

Good news from Harman:

Fix should be out in the next release, next week...

@SomeoneElseOSM
Author

SomeoneElseOSM commented Jun 12, 2024

For info, I've installed the Windows "AIR runtime - version 51.0.1.2" from https://airsdk.harman.com/runtime , and https://www.systemed.net/potlatch/download/Potlatch_3_air__2024_06_12.zip from https://www.systemed.net/potlatch/download/ . That does allow me to sign in via Oauth2 and Potlatch 3 then appears at https://www.openstreetmap.org/oauth2/authorized_applications . I did not see any font corruption (in Windows 10). For those interested, the resultant edit was https://www.openstreetmap.org/changeset/152602519 .

There are some rough edges still - logout doesn't seem to work.
The logged-in status survives an app deinstall and reinstall
The publisher appears as "UNKNOWN" to the Windows installer.

Also, after revoking an oauth2 token P3 reauthorises via Basic Auth.
More on that:

Screenshot 2024-06-12 220636

looks like a basic or oauth1 authorisation
I can make a change
https://www.openstreetmap.org/changeset/152605706
(presumably by basic auth)
I have nothing listed at https://www.openstreetmap.org/user/SomeoneElse2/oauth_clients and P3 is no longer listed at https://www.openstreetmap.org/oauth2/authorized_applications since I removed it.

If I logout again, I eventually get an oauth2 prompt
"get traces" gets another basic auth prompt
An edit is made with the credentials provided to that basic auth prompt
logout again
refresh traces
now I see traces for the previously supplied oauth2 user
and an edit is made as the oauth2 user

Test edits were made here:
https://www.openstreetmap.org/history#map=19/53.99432/-1.06626
and there's a bit of a description against each changeset comment.

@BikePC

BikePC commented Jun 13, 2024

@SomeoneElseOSM, @systemed, I could replicate the procedure you described above here on my Windows 10 Home 22H2 (EN-US) laptop and have a fully working potlatch 3.1 setup now, and indeed there is a fresh OAuth2 authorisation entry present in my OpenStreetMap settings. Thanks for the procedure and Richard, thanks for your work on Potlatch 3.
Having to install the AIR runtime followed by the Potlatch.air installer is no problem for me, so a single-click Potlatch.exe is no need for me.

@SomeoneElseOSM
Author

> so a single-click Potlatch.exe

What I found last time on Linux was that a separate Windows Air runtime didn't install under Wine, but one packaged into a Windows executable did (actually I had to manually unpackage it first, but Air did install).

This time the standalone Windows Air runtime also doesn't want to install under Wine, so when packaging is possible again that'd be worth trying. There's no guarantee of success (that's down to Harman, I guess) but it'd be worth a try.

@systemed
Owner

Mac and Windows standalone executables should both be doable, but they're a colossal faff to produce (due to all the signing nonsense) so I don't have them as an urgent priority if people are happy with the .air file. I had carefully crafted a bash script which did all the signing/stapling stuff for macOS which worked fine until Apple redid their signing mechanism :(

There is a Linux SDK which should allow Linux executables to be created directly, but it's only available with Harman commercial licenses which start at $199pa. It would require a bit of reworking as it doesn't support the StageWebView embedded browser which we currently use for the OAuth login.

@zstadler

> For info, I've installed the Windows "AIR runtime - version 51.0.1.2" from https://airsdk.harman.com/runtime , and https://www.systemed.net/potlatch/download/Potlatch_3_air__2024_06_12.zip from https://www.systemed.net/potlatch/download/ . That does allow me to sign in via Oauth2 and Potlatch 3 then appears at https://www.openstreetmap.org/oauth2/authorized_applications . I did not see any font corruption (in Windows 10). For those interested, the resultant edit was https://www.openstreetmap.org/changeset/152602519 .

Same here, with one exception. I didn't remember where the login is, so I opened "My GPS traces" and authorized Potlatch. Next I received a "login failed" message, which got me worried. Then I re-opened the "My GPS traces" page, and the list of my GPS traces was there.

@tomhughes

Can somebody confirm the current status of this - is there any outstanding problem with doing OAuth 2 in Potlatch 3?

@systemed
Owner

It's fully functional (or at least that's the intention!)

@SomeoneElseOSM
Author

My experience is that logging out and back in doesn't work as you'd expect (see #47 (comment) above). Part of that seems to be due to the way that authentication has changed, but part is also due to how the underlying website has changed (it's not as practical to log out as before - not a website issue, but sort of an example of https://xkcd.com/1172/ ).

If more information is needed, let me know - happy to press whatever buttons and capture whatever screenshots are needed on Windows.

@DaveF63

DaveF63 commented Jul 2, 2024

@systemed To check, when you say

  • install AIR

do you mean Runtime?
https://airsdk.harman.com/runtime

As I'm getting an 'Access Denied' from this Windows link:
https://help.adobe.com/en_US/air/build/WS5b3ccc516d4fbf351e63e3d118666ade46-7fee.html

@systemed
Owner

systemed commented Jul 2, 2024

Yep, the runtime. The direct Windows download link is https://airsdk.harman.com/assets/downloads/AdobeAIR.exe .

I don't know why Adobe still have a download page - it's all been farmed out to Harman now and that's where you should download AIR from.
