Authentication doesn't seem to be working #47
Comments
|
In the user profile under Oauth 1 settings I see: 
|
|
Same for me. It looks like the login was successful as I can see the private ("Trackable") GPS traces I've uploded
|
|
I presume this is a result of openstreetmap/chef@4d161f9. I didn't write the original P2 OAuth code (or at least, not that I can remember!) and it doesn't seem sensible to try to retrofit 1.0a to it for the sake of a couple of months. Instead we should move to OAuth2 for which a library happily exists (https://github.com/charlesbihis/actionscript-oauth2). I'll try to get to that as soon as is possible. |
|
@systemed, |
|
Yep, I'm aware of it and when I get a spare moment I'll look at it, unless of course anyone beats me to it :) |
|
Linking to openstreetmap/operations#867 for tracking purposes only. |
|
I have a working Potlatch3 setup on my Windows 10 Home 64bit laptop. For testing and to try to get insight in the above issue I have made a fresh install of Windows 10 Home 64bit on my desktop test-PC. Running potlatch.exe 3 from the unpacked .zip distribution of 2022-01-24 after first logging in on openstreetmap.org with the same credentials as on my laptop I can do everything with Potlatch 3 except saving a changeset. The same screens and error appears as here above. If I check my settings and preferences in openstreetmap.org from both machines - the laptop and the desktop - they are identical, logically because they are online on the OSM server. |
|
OpenStreetMap has started doing "brownouts" for OAuth 1 which is what Potlatch uses to authenticate. I'm planning to implement support for OAuth 2 but haven't had time to do so yet, and certainly won't do before this weekend at the very earliest. (It's rather more complex in ActionScript than in other languages because OAuth 2 wasn't a well supported standard at the time that ActionScript 3 was in wide usage.) /cc @Firefishy |
|
For info, I also see "if you were previously authenticated, you can still use P3, but new authentications do not work". Logging out means that you won't be able to log in again. This has been the case since oauth1 was disabled. This only applies if there is not currently a brownout; I did try yesterday when "basic / oauth1a" was was turned off. What happened was that a message appeared in the P3 window suggesting that some endpoint was unavailable; it didn't say anything about authentication and the message mentioned in https://community.openstreetmap.org/t/oauth-1-0a-and-http-basic-auth-shutdown/108490/17 did not appear. |
|
It appears both 1.0 & 1.0a are turned off as of June 1st. "A server error occurred. Do you want to retry? (The server said: OAuth 1.0 and 1.0a are disabled: https://wiki.openstreetmap.org/wiki/2024_authentication_update)". Unable to save & there are no backgrounds available. |
|
Yep... I'm working on this latest bout of security theatre at present. |
|
The OAuth2 code is all done in #49. However, some upgrade or other to AIR has broken text rendering for a very large part of the user interface:
Unfortunately we do need to use a recent version of AIR in order to show the HTML for osm.org's OAuth2 authentication screen. The upshot is that I can't currently produce a workable build. I have managed to successfully get a local copy going by using a Heath Robinson amalgam of two separate AIR versions, but any .air file that's produced has the same text rendering issue. I have posted over on the AIR repo to find out what can be done about this, but until then I can't move any further forward with this, exasperatingly. |
|
Thanks. Is there a downloadable build that I can try under something like wine? I've sure I've seen text problems like that before and seem to remember using various wine-level bodges to resolve. |
|
I'm unable to build a Windows-native application at the moment so I don't think there'd be a lot of success running Wine. Having retried with a completely fresh install on a modern Mac, I'm now pretty sure this is an AIR issue. The AIR developers are usually pretty responsive so I'm hopeful there'll be a fix soon. If anyone wants to try building P3 themselves this is the process:
Edit: confirmed by another AIR user that this appears to be an issue with the latest AIR SDK. |
|
Good news from Harman:
|
|
For info, I've installed the Windows "AIR runtime - version 51.0.1.2" from https://airsdk.harman.com/runtime , and https://www.systemed.net/potlatch/download/Potlatch_3_air__2024_06_12.zip from https://www.systemed.net/potlatch/download/ . That does allow me to sign in via Oauth2 and Potlatch 3 then appears at https://www.openstreetmap.org/oauth2/authorized_applications . I did not see any font corruption (in Windows 10). For those interested, the resultant edit was https://www.openstreetmap.org/changeset/152602519 . There are some rough edges still - logout doesn't seem to work. Also, after revoking an oauth2 token P3 reauthorises via Basic Auth. 
looks like a basic or oauth1 authorisation If I logout again, I eventually get an oauth2 prompt Test edits were made here: |
|
@SomeoneElseOSM, @systemed, I could replicate the procedure you described above here on my Windows 10 Home 22H2 (EN-US) laptop and have a full working potlatch 3.1 setup now, and indeed there is a fresh OAuth2 authorisation present entry in my OpenStreetMap settings. Thanks for the procedure and Richard, thanks for your work on Potlatch 3. |
What I found last time on Linux was that a separate Windows Air runtime didn't install under Wine, but one packaged into a Windows executable did (actually I had to manually unpackage it first, but Air did install). This time the standalone Windows Air runtime also doesn't want to install under Wine, so when packaging is possible again that'd be worth trying. There's no guarantee of success (that's down to Harman, I guess) but it'd be worth a try. |
|
Mac and Windows standalone executables should both be doable, but they're a colossal faff to produce (due to all the signing nonsense) so I don't have them as an urgent priority if people are happy with the .air file. I had carefully crafted a bash script which did all the signing/stapling stuff for macOS which worked fine until Apple redid their signing mechanism :( There is a Linux SDK which should allow Linux executables to be created directly, but it's only available with Harman commercial licenses which start at $199pa. It would require a bit of reworking as it doesn't support the StageWebView embedded browser which we currently use for the OAuth login. |
|
I've installed
Same here, with one exception. I didn't remember where is the login, so I opened "My GPS traces" and authorized Potlatch. Next I received a "login failed" message, that got me worried. Then I re-opened "Mt GPS traces" page, the list of my GPS traces was there. |
|
Can somebody confirm the current status of this - is there any outstanding problem with doing OAuth 2 in Potlatch 3? |
|
It's fully functional (or at least that's the intention!) |
|
My experience is that logging out and back in doesn't work as you'd expect (see #47 (comment) above). Part of that seems to be due to the way that authentication has changed, but part is also due to how the underlying website has changed (it's not as practical to log out as before - not a website issue, but sort of an example of https://xkcd.com/1172/ ). If more information is needed, let me know - happy to press whatever buttons and capture whatever screenshots are needed on Windows. |
|
@systemed To check, when you say
do you mean Runtime? As I'm getting an 'Access Denied' from this Windows link: |
|
Yep, the runtime. The direct Windows download link is https://airsdk.harman.com/assets/downloads/AdobeAIR.exe . I don't know why Adobe still have a download page - it's all been farmed out to Harman now and that's where you should download AIR from. |
When I try and sign in to Potlatch3 it gets over the first hurdle but fails at the second:
(the credentials were copied from a password manager and worked in an incognito web browser, which should rule out my typing as a factor)
Is this perhaps related to the Oauth1 / 1.0a / 2 changes - https://lists.openstreetmap.org/pipermail/announce/2024-February/000116.html ?
The text was updated successfully, but these errors were encountered: