Getting invalid_client trying to connect to 5apps

jcoglan · October 24, 2020, 4:05pm

Hi folks,

I have an app that I developed a while ago that uses RemoteStorage, and I’d been testing it against 5apps. Today I can no longer make a connection to my 5apps account; I’m initiating an OAuth flow at this URL:

https://5apps.com/rs/oauth/jcoglan?client_id=Storeroom%20Demo&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Facceptor.html&response_type=token&scope=storeroom%3Arw&state=__cb__9280cac75cdb69f49c55faefc0141ae3

This URL resolves and I’m prompted for my password. On entering it, I am redirected to:

http://localhost:8000/acceptor.html#error=invalid_client&state=__cb__9280cac75cdb69f49c55faefc0141ae3

There’s no information about why I’m getting this error or what’s wrong with my initial request. The 5apps dashboard barely contains any information about my storage account any more and I can’t find any docs that explain what I’m doing wrong. Can anyone help?

raucao · October 25, 2020, 9:09am

Hi James,

This is something that has been changed a few years ago. Since then, the client ID should be the URL of your app.

After we had changed this ourselves, the idea has also been outlined from the IndieWeb perspective over here: OAuth for the Open Web • Aaron Parecki

In short: As there is no client registration, we don’t have a unique identifier for your app, making it impossible for the server to prevent phishing without showing the app’s URL in the OAuth dialog. The solution to this problem is to use the app URL as client identifier, and require it to be the origin of the redirect URI. This way, when a user sees the domain of an app in the dialog, they can be sure that they’re actually directed to that app, without having to carefully inspect the redirect_uri parameter themselves.

I just added a note to Home - remoteStorage and opened an issue to clarify this directly in the specification:

github.com/remotestorage/spec

Formally require OAuth client_id to match the origin of the redirect_uri

opened 09:08AM - 25 Oct 20 UTC

raucao

enhancement security clarity

We already decided this to be best practice, and most server implementations req…uire the client ID to match the origin of the redirect URI. However, it is not documented properly, and currently the spec actually says that the client ID should be ignored entirely by the server: > The server MAY expire bearer tokens, and MAY require the user to > register applications as OAuth clients before first use; if no > client registration is required, the server MUST ignore the value of > the client_id parameter in favor of relying on the origin of the > redirect_uri parameter for unique client identification. See section > 4 of [Section 4: Origin of a URI"">ORIGIN] for computing the origin. (Maybe someone can find the conversation where we decided to change this behavior, and then failed to update the spec.) @jcoglan [just ran into this change with an old app](https://community.remotestorage.io/t/getting-invalid-client-trying-to-connect-to-5apps/646) of his, which now fails to connect 5apps accounts.

raucao · October 25, 2020, 9:12am

I don’t think there was anything on the old dashboard that you cannot see on the new one, except for the 1GB free-account limit. We haven’t re-implemented that yet, because we’re still hesitant to offer paid accounts until the spec is final.

Do you have ideas for which information you’d like to see on the dashboard, that is currently missing? We’re all ears for any and all feedback and suggestions!

jcoglan · October 25, 2020, 10:55am

Thank you, that fixed my problem. I thought I’d tried this already, but I might have got it wrong, maybe I sent a URL instead of an origin. Anyway it’s working now and I’ve reconnected my storage