Attempt to integrate with ORCID's OIDC #237

Closed
brecke opened this issue Mar 27, 2023 · 12 comments · Fixed by #239
Comments

@brecke

brecke commented Mar 27, 2023

Hi,

I'm trying to use pow to integrate with ORCID OIDC on a fresh 1.7.2 Phoenix project. I've created a custom provider module and I get to see the login page. However, as I fill in the credentials, I'm getting this error:

Something went wrong, and you couldn't be signed in. Please try again.

I can't see any error on the server, so I wonder if there's any debugging tip I could use in order to try and figure this out. I'm fairly new to Elixir / Phoenix so any help is appreciated!

Thanks in advance.

@danschultzer danschultzer transferred this issue from pow-auth/pow Mar 27, 2023
@danschultzer
Collaborator

There should be an error log entry starting with Strategy failed with error:, do you see anything?

If there's no error log then I think it can show up if registration has been disabled or there are missing params. In the latter case it would be helpful to have the logger print a warning, I'll open a PR to fix this.

@danschultzer
Collaborator

If you update your deps with {:pow_assent, git: "https://github.com/pow-auth/pow_assent.git", ref: "log-user-create-failed"} you may see an error being logged.

@brecke
Author

brecke commented Mar 28, 2023

Thanks @danschultzer, it logs something now:

[notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2113 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :unable_to_match_altnames}

Not sure what's wrong but I'll try and look it up

EDIT: Changed config to http_adapter: Assent.HTTPAdapter.Mint and the error is gone... but still does not work, and no log this time.

@danschultzer
Collaborator

That's odd, you should definitely see a Strategy failed error logged somewhere with an {:error, :failed_to_connect} tuple? Are you sure nothing is in the logs other than the TLS client notice?

This error means that the cert is invalid. What URL are you using for ORCID OIDC (this :site config)?

@brecke
Author

brecke commented Mar 28, 2023

Hi,

Not sure I was clear before: your branch did expose a log which helped me realize I had the site wrong. I then fixed it and got stuck on the SSL thing I described above, which goes away if using Mint instead of the default. Having done all that, I find myself without logs again.

I'm using a custom provider as follows:

defmodule Paperlens.Orcid.OrcidProvider do
  use Assent.Strategy.OAuth2.Base

  @impl true
  def default_config(_config) do
    [
      # The base URL to use for any paths below
      site: "https://orcid.org",
      # Full URL will not use the `:site` option
      authorize_url: "https://orcid.org/oauth/authorize",
      token_url: "/oauth/token",
      user_url: "/user",
      authorization_params: [scope: "email profile openid"],
      auth_method: :client_secret_post
    ]
  end
  # remaining callbacks omitted in the original comment
end

and then in config.exs:

config :paperlens, :pow_assent,
  http_adapter: Assent.HTTPAdapter.Mint,
  providers: [
    orcid: [
      client_id: System.get_env("ORCID_CLIENT_ID"),
      client_secret: System.get_env("ORCID_CLIENT_SECRET"),
      site: "https://orcid.org",
      authorization_params: [scope: "openid email profile"],
      nonce: true,
      strategy: Paperlens.Orcid.OrcidProvider
    ]
  ]

in the server console all I see now (with the Mint adapter) is

[debug] Processing with PowAssent.Phoenix.AuthorizationController.callback/2
  Parameters: %{"code" => "A3Al3K", "provider" => "orcid", "state" => "702152287fc0f4f5fb552c3f68299e56fadd20f45a45da90"}
  Pipelines: [:browser]
[info] Sent 302 in 841ms

...

[debug] Processing with Pow.Phoenix.SessionController.new/2
  Parameters: %{}
  Pipelines: [:browser]
[info] Sent 200 in 23ms

Just a bunch of warnings between the two. Any clue as to why I'm seeing no errors?

@danschultzer
Collaborator

You should change the strategy base to OIDC:

defmodule Paperlens.Orcid.OrcidProvider do
  use Assent.Strategy.OIDC.Base

I think the TLS warning might have been a separate thing, not related to ORCID. I haven't been able to reproduce it accessing orcid.org. Digging into why the error log doesn't show up, it's confusing.

@danschultzer
Collaborator

Just to rule out that registration is disabled (the only option for when you get redirected with no error log), how do the pow assent routes look in your router module?

@brecke
Author

brecke commented Mar 28, 2023

Hi,

The registration is not disabled. I also haven't changed anything in the router, it looks like this:

    pow_routes()
    pow_assent_routes()

Is there something missing on my side of things?

@danschultzer
Collaborator

Found the issue! The disabled registration flag was on, because there are no router helpers enabled (with Phoenix 1.7 they're disabled and will likely be deprecated). The router helpers were used to detect whether registration is disabled. This has been resolved in #239.

If you want to test it right away, you can use {:pow_assent, git: "https://github.com/pow-auth/pow_assent.git", ref: "fix-verified-routes-handling"}. I'm going to check Pow as well to make sure I'm testing everything with the router helpers disabled. Release will be out later today.

@danschultzer
Collaborator

v0.4.17 released with this fix, thanks!

FWIW the provider can be made super minimal:

defmodule Paperlens.Orcid.OrcidProvider do
  use Assent.Strategy.OIDC.Base

  @impl true
  def default_config(_config) do
    [
      site: "https://orcid.org",
      client_authentication_method: "client_secret_post"
    ]
  end
end

config :paperlens, :pow_assent,
  http_adapter: Assent.HTTPAdapter.Mint,
  providers: [
    orcid: [
      client_id: System.get_env("ORCID_CLIENT_ID"),
      client_secret: System.get_env("ORCID_CLIENT_SECRET"),
      strategy: Paperlens.Orcid.OrcidProvider
    ]
  ]

@brecke
Author

brecke commented Mar 28, 2023

Glad I helped in some way :) I'll just suggest something here: listing the supported Phoenix versions in the readme file, so one can immediately know whether something works 100% or is still under testing. Anyway, good job!

@danschultzer
Collaborator

Yeah, it was supposed to work with 1.7. The deps version requirement on hex.pm shows which Pow/PowAssent version works with which Phoenix version. I just hadn’t updated the tests to the new helpers structure so everything seemed to work when I added 1.7 support 😬
