Absence of GET param seems to break Mintoken #11

Closed
sebsel opened this issue May 1, 2022 · 1 comment

sebsel commented May 1, 2022

I am opening this on behalf of Richard, who was at IndieWebCamp Düsseldorf this weekend. This is also the context: we didn't get Mintoken to work and we had minus 3 minutes until demo time.

The endpoint seemed to crash on an error: array_merge() doesn't accept null as a second argument. This means that in the code below, filter_input_array(INPUT_GET, ['me' ...]) does return null. (Line 278)

php-mintoken/endpoint.php

Lines 265 to 281 in 5f508fb

```php
$request = array_merge(
    filter_input_array(INPUT_POST, [
        'grant_type' => [
            'filter' => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '@^authorization_code$@'],
        ],
        'code' => [
            'filter' => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '@^[\x20-\x7E]+$@'],
        ],
        'client_id' => FILTER_VALIDATE_URL,
        'redirect_uri' => FILTER_VALIDATE_URL,
    ]),
    filter_input_array(INPUT_GET, [
        'me' => FILTER_VALIDATE_URL,
    ])
);
```

I cannot find a mention in the spec of the me param in either the POST-body or the query string for the token request. But: Gimme-a-token does add the me, just in the POST-body, not the query string (which I think is the INPUT_GET, but I am not sure how that works).

When we added a ?me= to the endpoint URL manually, it didn't seem to work either, but that's about all the debug-time we had left.

Can you shine any light on this? Where did me come from and why does Mintoken think it should come from GET?

sebsel changed the title from "Absence of GET param seems to break selfauth" to "Absence of GET param seems to break Mintoken" on May 1, 2022

Zegnat (Owner) commented Jun 21, 2022

The Mintoken design is old in IndieAuth terms. It is from before 2020. You would have to go back to at least January 2020 to find the latest spec that still included a me parameter on the § 6.3.1 Token Request. This is because later versions of IndieAuth dropped the me parameter. This was done when the entire communication channel between authorization and token endpoint was scrapped from the spec.

Because Mintoken does not come with an authorization endpoint at all, it is up to the user to make sure that their chosen authorization endpoint still uses the early-2020 way of communicating and that applications that come to get a token do the same.

For history:

  1. Discussions on GitHub:
  2. PR that did the work: Initial updates from IndieAuth popup session indieweb/indieauth#49
  3. Discussion note from the 2020-08-08 IndieAuth Pop-up

Hope that shines enough light on things! 😎
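
The crash reported in the first comment, as an added example that is not Mintoken's code: `filter_input_array()` returns null when the requested input is not populated, so each result is normalised to an array before merging, and a missing `me` produces a 400 response rather than a fatal error. The helper names, the sample values and the choice to treat all five parameters as required are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; helper names are hypothetical, not part of Mintoken.

// filter_input_array() returns null when the requested superglobal is not
// populated (no query string, empty body) and false on failure.
function as_array($filtered): array
{
    return is_array($filtered) ? $filtered : [];
}

// Merge filtered POST and GET input without handing null to array_merge().
function build_token_request($post, $get): array
{
    return array_merge(as_array($post), as_array($get));
}

// Parameters that are absent (null) or failed their filter (false).
function rejected_params(array $request, array $required): array
{
    return array_values(array_filter($required, function ($name) use ($request) {
        return !isset($request[$name]) || $request[$name] === false;
    }));
}

// Constructed POST body, filtered with the rules from endpoint.php above.
$post = filter_var_array([
    'grant_type' => 'authorization_code',
    'code' => 'constructed-sample-code',
    'client_id' => 'https://app.example/',
    'redirect_uri' => 'https://app.example/callback',
    'me' => 'https://user.example/', // sent in the body, where it is not read
], [
    'grant_type' => ['filter' => FILTER_VALIDATE_REGEXP, 'options' => ['regexp' => '@^authorization_code$@']],
    'code' => ['filter' => FILTER_VALIDATE_REGEXP, 'options' => ['regexp' => '@^[\x20-\x7E]+$@']],
    'client_id' => FILTER_VALIDATE_URL,
    'redirect_uri' => FILTER_VALIDATE_URL,
]);

// Run from the CLI there is no query string, so this is the null case.
$get = filter_input_array(INPUT_GET, ['me' => FILTER_VALIDATE_URL]);

$request = build_token_request($post, $get);
// Assumption: all five parameters are required, as in the early-2020 flow.
$missing = rejected_params($request, ['grant_type', 'code', 'client_id', 'redirect_uri', 'me']);
if ($missing !== []) {
    http_response_code(400); // client error instead of a fatal error
    echo json_encode(['error' => 'invalid_request', 'rejected' => $missing]), PHP_EOL;
}
```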
