remoteStorage

Getting invalid_client trying to connect to 5apps

Hi folks,

I have an app that I developed a while ago that uses RemoteStorage, and I’d been testing it against 5apps. Today I can no longer make a connection to my 5apps account; I’m initiating an OAuth flow at this URL:

https://5apps.com/rs/oauth/jcoglan?client_id=Storeroom%20Demo&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Facceptor.html&response_type=token&scope=storeroom%3Arw&state=__cb__9280cac75cdb69f49c55faefc0141ae3

This URL resolves and I’m prompted for my password. On entering it, I am redirected to:

http://localhost:8000/acceptor.html#error=invalid_client&state=__cb__9280cac75cdb69f49c55faefc0141ae3

There’s no information about why I’m getting this error or what’s wrong with my initial request. The 5apps dashboard barely contains any information about my storage account any more and I can’t find any docs that explain what I’m doing wrong. Can anyone help?

Hi James,

This is something that was changed a few years ago. Since then, the client ID should be the URL of your app.

After we had changed this ourselves, the idea has also been outlined from the IndieWeb perspective over here: https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web

In short: As there is no client registration, we don’t have a unique identifier for your app, making it impossible for the server to prevent phishing without showing the app’s URL in the OAuth dialog. The solution to this problem is to use the app URL as client identifier, and require it to be the origin of the redirect URI. This way, when a user sees the domain of an app in the dialog, they can be sure that they’re actually directed to that app, without having to carefully inspect the redirect_uri parameter themselves.

I just added a note to https://wiki.remotestorage.io/App_Development:_Tips_and_Considerations#OAuth and opened an issue to clarify this directly in the specification:

I don’t think there was anything on the old dashboard that you cannot see on the new one, except for the 1GB free-account limit. We haven’t re-implemented that yet, because we’re still hesitant to offer paid accounts until the spec is final.

Do you have ideas for which information you’d like to see on the dashboard, that is currently missing? We’re all ears for any and all feedback and suggestions!

Thank you, that fixed my problem. I thought I’d tried this already, but I might have got it wrong, maybe I sent a URL instead of an origin. Anyway it’s working now and I’ve reconnected my storage 🙂

1 Like
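The origin rule described in the reply above, as an added example that is not part of the original posts and is not 5apps' code: a server-side check that accepts a request only when `client_id` is the origin of `redirect_uri`. The function names, the `reason` strings, the `invalid_request` code for a bad `redirect_uri`, and the rule that a `client_id` carrying a path is rejected are assumptions; the first sample is the URL from the question, the others are constructed.

```javascript
// Added example (not 5apps' implementation): enforce "client_id is the
// origin of redirect_uri" before showing the OAuth dialog.
const WEB = ['http:', 'https:'];

function parseWebUrl(value) {
  try {
    const u = new URL(value);
    return WEB.includes(u.protocol) ? u : null; // opaque origins compare as "null"
  } catch (e) {
    return null; // e.g. a free-text name such as "Storeroom Demo"
  }
}

function checkAuthRequest(authUrl) {
  const params = new URL(authUrl).searchParams;
  const redirect = parseWebUrl(params.get('redirect_uri'));
  if (!redirect) {
    return { ok: false, error: 'invalid_request', reason: 'redirect_uri is not an http(s) URL' };
  }
  const client = parseWebUrl(params.get('client_id'));
  if (!client) {
    return { ok: false, error: 'invalid_client', reason: 'client_id is not a URL' };
  }
  if (client.origin !== redirect.origin) {
    return { ok: false, error: 'invalid_client', reason: 'client_id origin differs from redirect_uri origin' };
  }
  // Assumption: only a bare origin is accepted, not a URL with path, query or fragment.
  if (client.pathname !== '/' || client.search || client.hash) {
    return { ok: false, error: 'invalid_client', reason: 'client_id is a URL, not a bare origin' };
  }
  // The dialog can show this origin; the token is only ever sent back to it.
  return { ok: true, displayOrigin: client.origin };
}

// Hypothetical helper: builds a request like the one in the question.
function buildRequest(clientId, redirectUri) {
  const q = new URLSearchParams({
    client_id: clientId, redirect_uri: redirectUri,
    response_type: 'token', scope: 'storeroom:rw',
  });
  return 'https://5apps.com/rs/oauth/jcoglan?' + q.toString();
}

// The request from the question (state parameter omitted): a name, not a URL.
const FROM_QUESTION = buildRequest('Storeroom Demo', 'http://localhost:8000/acceptor.html');
// Constructed samples.
const FIXED = buildRequest('http://localhost:8000', 'http://localhost:8000/acceptor.html');
const WITH_PATH = buildRequest('http://localhost:8000/acceptor.html', 'http://localhost:8000/acceptor.html');
const MISMATCH = buildRequest('https://app.example', 'http://localhost:8000/acceptor.html');
```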