systemed/potlatch3

Authentication doesn't seem to be working

Opened this issue · 25 comments

When I try and sign in to Potlatch3 it gets over the first hurdle but fails at the second:

Screenshot 2024-02-14 132937 Screenshot 2024-02-14 133010 Screenshot 2024-02-14 133028

(the credentials were copied from a password manager and worked in an incognito web browser, which should rule out my typing as a factor)

Is this perhaps related to the Oauth1 / 1.0a / 2 changes - https://lists.openstreetmap.org/pipermail/announce/2024-February/000116.html ?

In the user profile under Oauth 1 settings I see:

Screenshot 2024-02-14 134125

Same for me. It looks like the login was successful as I can see the private ("Trackable") GPS traces I've uploaded

image

I presume this is a result of openstreetmap/chef@4d161f9.

I didn't write the original P2 OAuth code (or at least, not that I can remember!) and it doesn't seem sensible to try to retrofit 1.0a to it for the sake of a couple of months. Instead we should move to OAuth2 for which a library happily exists (https://github.com/charlesbihis/actionscript-oauth2). I'll try to get to that as soon as is possible.

@systemed,
Please see what can be done about this issue.

Yep, I'm aware of it and when I get a spare moment I'll look at it, unless of course anyone beats me to it :)

Linking to openstreetmap/operations#867 for tracking purposes only.

I have a working Potlatch3 setup on my Windows 10 Home 64bit laptop. For testing and to try to get insight in the above issue I have made a fresh install of Windows 10 Home 64bit on my desktop test-PC. Running potlatch.exe 3 from the unpacked .zip distribution of 2022-01-24 after first logging in on openstreetmap.org with the same credentials as on my laptop I can do everything with Potlatch 3 except saving a changeset. The same screens and error appear as here above. If I check my settings and preferences in openstreetmap.org from both machines - the laptop and the desktop - they are identical, logically because they are online on the OSM server.
My conclusion so far is that somewhere locally on the PC settings are saved that do not meet the current OSM requirements.
Firewall settings maybe and there are settings in the registry regarding 'potlatch' which I don't understand? Have looked around in ProgramData and Appdata, but no potlatch stuff there.
When I restore the disk image with a working Potlatch on my desktop test-PC, overwriting the fresh Win10 install, everything is fine again. Proving that we have to search locally on the PC, isn't it?

OpenStreetMap has started doing "brownouts" for OAuth 1 which is what Potlatch uses to authenticate. I'm planning to implement support for OAuth 2 but haven't had time to do so yet, and certainly won't do before this weekend at the very earliest. (It's rather more complex in ActionScript than in other languages because OAuth 2 wasn't a well supported standard at the time that ActionScript 3 was in wide usage.)

/cc @Firefishy

For info, I also see "if you were previously authenticated, you can still use P3, but new authentications do not work". Logging out means that you won't be able to log in again. This has been the case since oauth1 was disabled.

This only applies if there is not currently a brownout; I did try yesterday when "basic / oauth1a" was turned off. What happened was that a message appeared in the P3 window suggesting that some endpoint was unavailable; it didn't say anything about authentication and the message mentioned in https://community.openstreetmap.org/t/oauth-1-0a-and-http-basic-auth-shutdown/108490/17 did not appear.

It appears both 1.0 & 1.0a are turned off as of June 1st.

"A server error occurred. Do you want to retry? (The server said: OAuth 1.0 and 1.0a are disabled: https://wiki.openstreetmap.org/wiki/2024_authentication_update)".

Unable to save & there are no backgrounds available.

Yep... I'm working on this latest bout of security theatre at present.

The OAuth2 code is all done in #49.

However, some upgrade or other to AIR has broken text rendering for a very large part of the user interface:

Screenshot 2024-06-05 at 15 41 02

Unfortunately we do need to use a recent version of AIR in order to show the HTML for osm.org's OAuth2 authentication screen.

The upshot is that I can't currently produce a workable build. I have managed to successfully get a local copy going by using a Heath Robinson amalgam of two separate AIR versions, but any .air file that's produced has the same text rendering issue.

I have posted over on the AIR repo to find out what can be done about this, but until then I can't move any further forward with this, exasperatingly.

Thanks. Is there a downloadable build that I can try under something like wine? I'm sure I've seen text problems like that before and seem to remember using various wine-level bodges to resolve.

I'm unable to build a Windows-native application at the moment so I don't think there'd be a lot of success running Wine.

Having retried with a completely fresh install on a modern Mac, I'm now pretty sure this is an AIR issue. The AIR developers are usually pretty responsive so I'm hopeful there'll be a fix soon.

If anyone wants to try building P3 themselves this is the process:

Edit: confirmed by another AIR user that this appears to be an issue with the latest AIR SDK.

Good news from Harman:

Fix should be out in the next release, next week...

For info, I've installed the Windows "AIR runtime - version 51.0.1.2" from https://airsdk.harman.com/runtime , and https://www.systemed.net/potlatch/download/Potlatch_3_air__2024_06_12.zip from https://www.systemed.net/potlatch/download/ . That does allow me to sign in via Oauth2 and Potlatch 3 then appears at https://www.openstreetmap.org/oauth2/authorized_applications . I did not see any font corruption (in Windows 10). For those interested, the resultant edit was https://www.openstreetmap.org/changeset/152602519 .

There are some rough edges still - logout doesn't seem to work.
The logged-in status survives an app deinstall and reinstall
The publisher appears as "UNKNOWN" to the Windows installer.

Also, after revoking an oauth2 token P3 reauthorises via Basic Auth.
More on that:

Screenshot 2024-06-12 220636

looks like a basic or oauth1 authorisation
I can make a change
https://www.openstreetmap.org/changeset/152605706
(presumably by basic auth)
I have nothing listed at https://www.openstreetmap.org/user/SomeoneElse2/oauth_clients and P3 is no longer listed at https://www.openstreetmap.org/oauth2/authorized_applications since I removed it.

If I logout again, I eventually get an oauth2 prompt
"get traces" gets another basic auth prompt
An edit is made with the credentials provided to that basic auth prompt
logout again
refresh traces
now I see traces for the previously supplied oauth2 user
and an edit is made as the oauth2 user

Test edits were made here:
https://www.openstreetmap.org/history#map=19/53.99432/-1.06626
and there's a bit of a description against each changeset comment.

@SomeoneElseOSM, @systemed, I could replicate the procedure you described above here on my Windows 10 Home 22H2 (EN-US) laptop and have a full working potlatch 3.1 setup now, and indeed there is a fresh OAuth2 authorisation present entry in my OpenStreetMap settings. Thanks for the procedure and Richard, thanks for your work on Potlatch 3.
Having to install the AIR runtime followed by the Potlatch.air installer is no problem for me, so a single-click Potlatch.exe is no need for me.

> so a single-click Potlatch.exe

What I found last time on Linux was that a separate Windows Air runtime didn't install under Wine, but one packaged into a Windows executable did (actually I had to manually unpackage it first, but Air did install).

This time the standalone Windows Air runtime also doesn't want to install under Wine, so when packaging is possible again that'd be worth trying. There's no guarantee of success (that's down to Harman, I guess) but it'd be worth a try.

Mac and Windows standalone executables should both be doable, but they're a colossal faff to produce (due to all the signing nonsense) so I don't have them as an urgent priority if people are happy with the .air file. I had carefully crafted a bash script which did all the signing/stapling stuff for macOS which worked fine until Apple redid their signing mechanism :(

There is a Linux SDK which should allow Linux executables to be created directly, but it's only available with Harman commercial licenses which start at $199pa. It would require a bit of reworking as it doesn't support the StageWebView embedded browser which we currently use for the OAuth login.

> For info, I've installed the Windows "AIR runtime - version 51.0.1.2" from https://airsdk.harman.com/runtime , and https://www.systemed.net/potlatch/download/Potlatch_3_air__2024_06_12.zip from https://www.systemed.net/potlatch/download/ . That does allow me to sign in via Oauth2 and Potlatch 3 then appears at https://www.openstreetmap.org/oauth2/authorized_applications . I did not see any font corruption (in Windows 10). For those interested, the resultant edit was https://www.openstreetmap.org/changeset/152602519 .

Same here, with one exception. I didn't remember where is the login, so I opened "My GPS traces" and authorized Potlatch. Next I received a "login failed" message, that got me worried. Then I re-opened "My GPS traces" page, the list of my GPS traces was there.

Can somebody confirm the current status of this - is there any outstanding problem with doing OAuth 2 in Potlatch 3?

It's fully functional (or at least that's the intention!)

My experience is that logging out and back in doesn't work as you'd expect (see #47 (comment) above). Part of that seems to be due to the way that authentication has changed, but part is also due to how the underlying website has changed (it's not as practical to log out as before - not a website issue, but sort of an example of https://xkcd.com/1172/ ).

If more information is needed, let me know - happy to press whatever buttons and capture whatever screenshots are needed on Windows.

@systemed To check, when you say

  • install AIR

do you mean Runtime?
https://airsdk.harman.com/runtime

As I'm getting an 'Access Denied' from this Windows link:
https://help.adobe.com/en_US/air/build/WS5b3ccc516d4fbf351e63e3d118666ade46-7fee.html

Yep, the runtime. The direct Windows download link is https://airsdk.harman.com/assets/downloads/AdobeAIR.exe .

I don't know why Adobe still have a download page - it's all been farmed out to Harman now and that's where you should download AIR from.