
Add support for OpenID Connect OAuth2 self-hosted services for external auth #414

Open
poVoq opened this issue Nov 17, 2019 · 12 comments

Comments

@poVoq

poVoq commented Nov 17, 2019

Referencing:
#89 (comment)

Using built-in OAuth2 provider functionality of self-hosted services such as Nextcloud or Gitea, there could be a really easy registration and login functionality similar to the often found "log in with Github" etc. buttons.

See for example: https://docs.nextcloud.com/server/17/admin_manual/configuration_server/oauth2.html
https://docs.gitea.io/en-us/oauth2-provider/

@jhthorsen jhthorsen added this to the Backlog milestone Nov 17, 2019
@jhthorsen jhthorsen self-assigned this Feb 5, 2020
@jhthorsen jhthorsen modified the milestones: Backlog, 3.0x Feb 5, 2020
@jhthorsen jhthorsen removed their assignment Feb 5, 2020
@jhthorsen
Collaborator

The big problem here is not how to authorise the user, but rather how to get the email (or other information) after the user has authorised the access.

I don't know how to do this in a generic way.

@poVoq
Author

poVoq commented Feb 5, 2020

AFAIK you can request access to that and usually the identifier is "email". But that could be just an admin config setting.

IMHO just have a look at how others do the same, it's a solved problem I think.

@jhthorsen jhthorsen modified the milestones: 3.0x, Backlog Feb 20, 2020
@leshokunin

This would be really interesting for us! We're making an inbox service where we can have addons. I'd love to show Convos in an iframe, and create a user in the background. Wouldn't have to be tied to email or anything, we could just handle authentication on our side. That would actually be the ideal solution.

@jhthorsen
Collaborator

I'm still very unsure how to solve this. If someone can draft which (semi-) standard URLs that can be used after the user gets redirected to Convos to retrieve the user profile, then I will implement it. If there is no such thing as a standard list, then at least I want to start out with Google, Github and whatever @leshokunin is using.

The flow is something like this:

  1. You arrive at https://your-convos.example.com/login
  2. You click on one of/a "Connect" button which takes you to a provider X (Google, Github, ....)
  3. You either accept or reject on the provider's webpage
  4. If you accept, then Convos gets a token it can use to retrieve information from provider X
  5. Convos needs an endpoint user profile URL where it can retrieve information from (this is where my problem comes in)
  6. Once Convos has done a GET to endpoint user profile URL, then Convos needs to know which field to fetch. Maybe "email" is a standard field, but I don't know.

Some help to make this generic is very much welcome. I will use https://metacpan.org/pod/Mojolicious::Plugin::OAuth2#Configuration which already supports a list of providers, but no means to retrieve the user information.

jhthorsen pushed a commit that referenced this issue Apr 1, 2020
@poVoq
Author

poVoq commented Apr 1, 2020

I think you need to look into the OpenID Connect standard that builds this on top of oauth2.

Besides that, an option only for logging into a linked account without auto registration would also be a good start.

@jhthorsen
Collaborator

logging into a linked account without auto registration would also be a good start.

How does that work?

I’ve spent way too much time looking into the Oauth2/OpenID “standards” years ago. It was a complete mess. Not saying it’s as bad now, but without any help I don’t see this issue going anywhere.

@poVoq
Author

poVoq commented Apr 1, 2020

The way that is implemented in the Nextcloud social plugin for example is that a user that is regularly logged in can authenticate with oauth2 (say their twitter account) and that account will be linked to their existing account. Then next time they want to log in they just need to press the "login with twitter" button.

@jhthorsen
Collaborator

It still needs to connect the user with some sort of key. Oauth2 does not do authentication, it just gives some sort of authorization level.
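The two open questions in this thread, which profile URL to call after the redirect (steps 5 and 6 of the flow above) and what key to connect the user with, are exactly what OpenID Connect adds on top of plain OAuth2. The following is an added illustration, not Convos code and not Mojolicious::Plugin::OAuth2: it reads a constructed discovery document to find the userinfo endpoint, derives a stable identity key from issuer plus `sub` (the one claim OIDC requires in both the ID token and the userinfo response) rather than from the email address, and models the Nextcloud-style "link to an existing account, then log in with X" behaviour alongside an auto-registration variant that only trusts a verified email. The hostnames, claim values and the in-memory `AccountStore` are assumptions; signature verification of the ID token against `jwks_uri` is assumed to have happened already and is not shown.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed OIDC discovery document: a subset of the fields a real
# <issuer>/.well-known/openid-configuration returns. Hostnames are placeholders.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://id.example.com",
    "authorization_endpoint": "https://id.example.com/auth",
    "token_endpoint": "https://id.example.com/token",
    "userinfo_endpoint": "https://id.example.com/userinfo",
    "jwks_uri": "https://id.example.com/jwks",
    "scopes_supported": ["openid", "email", "profile"],
})

# Constructed claims: what the ID token carries after step 4 (its signature is
# assumed to have been verified already) and what a GET to the userinfo
# endpoint in step 6 returns.
ID_TOKEN_CLAIMS = {"iss": "https://id.example.com", "sub": "24400320",
                   "aud": "convos-client-id", "email": "alice@example.org"}
USERINFO = {"sub": "24400320", "email": "alice@example.org",
            "email_verified": True, "name": "Alice"}


def profile_url(discovery_json: str) -> str:
    """Step 5: the profile URL is not guessed per provider; OIDC publishes it."""
    return json.loads(discovery_json)["userinfo_endpoint"]


def identity_key(discovery_json: str, id_token_claims: dict, userinfo: dict) -> str:
    """Step 6: the stable key is issuer + 'sub'. Email is an optional claim that
    a provider may omit or let the user change, so it is not the primary key."""
    issuer = json.loads(discovery_json)["issuer"]
    if id_token_claims.get("iss") != issuer:
        raise ValueError("ID token issuer does not match the discovery document")
    if userinfo.get("sub") != id_token_claims.get("sub"):
        raise ValueError("userinfo 'sub' does not match the ID token")
    return f"{issuer}#{userinfo['sub']}"


@dataclass
class AccountStore:
    """In-memory stand-in for a local user table plus an external-identity link table."""
    links: dict = field(default_factory=dict)   # identity key -> local username
    users: set = field(default_factory=set)

    def link(self, local_user: str, key: str) -> None:
        """Nextcloud-style linking: an already-logged-in user attaches an
        external identity to their existing account."""
        owner = self.links.get(key)
        if owner is not None and owner != local_user:
            raise ValueError("external identity is already linked to another account")
        self.users.add(local_user)
        self.links[key] = local_user

    def login(self, key: str) -> Optional[str]:
        """'Login with X' without auto-registration: unknown keys are rejected."""
        return self.links.get(key)

    def login_or_register(self, key: str, userinfo: dict) -> Optional[str]:
        """Auto-registration variant: a new account is seeded from the email
        claim only when the provider marks it verified, so an unverified
        address can never be used to take over a local account name."""
        user = self.login(key)
        if user is not None:
            return user
        if not userinfo.get("email_verified") or not userinfo.get("email"):
            return None
        self.link(userinfo["email"], key)
        return userinfo["email"]


if __name__ == "__main__":
    key = identity_key(DISCOVERY_DOC, ID_TOKEN_CLAIMS, USERINFO)
    store = AccountStore()
    print("userinfo endpoint:", profile_url(DISCOVERY_DOC))
    print("identity key:", key)
    print("login before linking:", store.login(key))
    store.link("alice", key)
    print("login after linking:", store.login(key))
```

The `login` path is the "linked account without auto registration" option from the thread: a provider identity that nobody has linked yet simply fails to log in. The `login_or_register` path shows the extra check a practitioner would want before letting a provider create accounts, since `email` alone is not an authenticated identifier in OAuth2 or OIDC; only `sub` scoped to the issuer is.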

@poVoq
Author

poVoq commented Jun 17, 2021

So I guess I can close this now... Is the feature documented somewhere?

@poVoq poVoq closed this as completed Jun 17, 2021
@jberger
Collaborator

jberger commented Jun 17, 2021

The feature isn't finished, just a branch that mostly works. I'm sorry I haven't had time to come back to it yet. Between work and parenting I have precious little open source time available to me. I'd leave it open for tracking for now if you don't mind?

@jberger jberger reopened this Jun 17, 2021
@jhthorsen
Collaborator

jhthorsen commented Mar 13, 2022

Not sure if this is interesting or not: #696 (Proxy authentication by http header value)

@pinpox

pinpox commented Nov 21, 2022

Is oauth/OpenID Connect usable on convos? Looking to switch to an IRC webclient that does support external user management, e.g. with dex, which I'm using for other services already.
