OAuth login first pass #2302
| categoryimportdialog | ||
| ) | ||
|
|
||
| mo2_add_filter(NAME src/core GROUPS |
Could you add the newly added source files to one of the source groups as well (either to this one or create a new group for all Nexus API-related stuff)?
We normally only stage the changes in this file when publishing new builds, so I think these should be reverted for this PR.
|
@aglowinthefield I know this PR is fairly old now but would you mind looking at Jon's suggestions? I'm testing this locally now. |
Silarn left a comment
Ultimately I'm not sure this is actually functional. I don't believe the REST APIs can USE the OAuth token. I think we'd need to use the GraphQL API...
So this is at best a start to switching over to those APIs.
| void setState(State state, const QString& message = {}); | ||
| void notifyTokens(); | ||
| void handleError(const QString& message); | ||
| void injectPkceChallenge(QAbstractOAuth::Stage stage, |
This appears to require an import of QAbstractOAuth
| QCryptographicHash::hash(m_codeVerifier, QCryptographicHash::Sha256) | ||
| .toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals); | ||
|
|
||
| parameters->insert(QStringLiteral("code_challenge"), QString::fromUtf8(challenge)); |
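Review bot: The `parameters->insert(QStringLiteral("code_challenge"), ...)` line at the end of this hunk sends a SHA-256 digest of `m_codeVerifier`, but nothing in the visible lines sets `code_challenge_method`. RFC 7636 defines the method as defaulting to `plain` when it is absent from the request, so confirm that `code_challenge_method=S256` is set in the same stage as the challenge. A short comment stating where `m_codeVerifier` is generated, and that it is created fresh for each authorization attempt from a cryptographically secure source, would also help, since the digest is only as strong as the verifier behind it.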
These should use replace instead of insert or you get repeat parameters.
| m_flow->setTokenUrl(QUrl(NexusOAuth::tokenUrl())); | ||
| #endif | ||
| m_flow->setClientIdentifier(clientId); | ||
| m_flow->setScope(QString()); |
It appears the scope can't be empty. Nexus seem to use "openid profile email"
| payload.insert(it.key(), QJsonValue::fromVariant(it.value())); | ||
| } | ||
|
|
||
| auto tokens = makeTokensFromResponse(payload); |
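Review bot: The loop that closes just above `makeTokensFromResponse(payload)` copies every key into `payload` with `payload.insert(it.key(), QJsonValue::fromVariant(it.value()))`, and the visible lines do not check any of them before `tokens` is built. Verify that the fields the rest of the flow depends on (access token, expiry) are present before this call and route a missing one to the error path instead of passing on a partially filled token set. Since `payload` holds the token response, keep it out of any log or error message.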
Unfortunately extraTokens isn't getting all the data - in fact only the created_at token. The refresh token and expiration are folded into the m_flow object and need to be retrieved with those methods. I haven't been able to get token type as of yet.
|
After some investigation, you can automatically fetch / create an application auth token by using the graphql api. But none of that's been done yet. We'd need to authorize the oauth token, fetch the actual application apikey, and then use that at various points to authorize different GraphQL endpoints that need it. I think the main benefit is being able to use collections but it's a bit of work to get this all functional for sure. |
|
So, this is a functional way to retrieve an API key that can be used with the v1 API. I suppose a minimum viable version would use the OAuth credentials to fetch the API key at startup and then save the OAuth credentials with a refresh as needed. I haven't been able to test the refresh code yet. Then we'd at least be part way to migrating to the v2 API and being able to potentially add collections. |
|
After some more work, I was able to fetch an API key (I suppose I should verify the fallback autogenerate option) and use it to run the validation endpoint. This endpoint specifically requires an application API key to validate against, so it makes sense it doesn't work with just the OAuth header. However, once that bit is validated, the OAuth header does seem to work for the remaining APIs. |
| bool ValidationAttempt::sendRequest(NXMAccessManager& m, const QString& key) | ||
| bool ValidationAttempt::sendRequest(NXMAccessManager& m, const NexusOAuthTokens& tokens) | ||
| { | ||
| const QString requestUrl(NexusBaseUrl + "/users/validate"); |
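Review bot: With the second parameter of `sendRequest` changed from `const QString& key` to `const NexusOAuthTokens& tokens`, the visible lines go straight to building `requestUrl` without checking that `tokens` carries a non-empty, unexpired access token. Return false early (or trigger a refresh) when it does not, so a stale token is never sent. The function comment should also state that the token travels in a request header and is never appended to `requestUrl`.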
Unfortunately the old validate endpoint still requires an API key.
After discussions with @Al12rs, we should be able to use the OAuth token with the 'https://users.nexusmods.com/oauth/userinfo' endpoint to get similar info.
https://github.com/Nexus-Mods/NexusMods.App/blob/main/src/NexusMods.Abstractions.NexusWebApi/DTOs/OAuth/OAuthUserInfo.cs#L12
https://github.com/Nexus-Mods/NexusMods.App/blob/main/src/NexusMods.Abstractions.NexusWebApi/DTOs/OAuth/MembershipRole.cs#L10
|
https://github.com/ModOrganizer2/modorganizer/compare/dev/oauth-graphql is a functioning branch. I'm not sure if I've had to refresh my token yet. |
|
I'll note there's one snag with changing the validation endpoint. It doesn't have the API rate limit data which was causing mo2 to think it was out of requests. I modified it to use the default rate limits on validate and then it can get accurate limits when any other API request is triggered. Which works for now. One thing I'm not sure about is what the rate limits look like for the graphql endpoints. |

No description provided.