So I've completed a proof-of-concept implementation of OpenWebAuth-based login on Weblate in a dev environment.
Before creating PRs, I'm now hoping for review and suggestions regarding the following hurdles on the way:
- I've tried not to re-implement all the HTTP signature logic again, and found this library. It's geared towards a Fediverse (ActivityPub) service but has the logic for HTTP signatures and WebFinger, so I was hoping to piggy-back on those tools. I encountered the following "incompatibilities":
1) HTTP signature verification in this library demands that the 'Date' HTTP header is provided. (streams) doesn't do this, so I had to patch it like this:
$ git diff Code/Module/Magic.php
diff --git a/Code/Module/Magic.php b/Code/Module/Magic.php
index 7171ceef1..eeca6be2a 100644
--- a/Code/Module/Magic.php
+++ b/Code/Module/Magic.php
@@ -101,6 +101,7 @@ class Magic extends Controller
$headers['X-Open-Web-Auth'] = random_string();
$headers['Host'] = $parsed['host'];
$headers['(request-target)'] = 'get ' . '/owa';
+ $headers['Date'] = gmdate('D, d M Y H:i:s T');
$headers = HTTPSig::create_sig($headers, $channel['channel_prvkey'], Channel::url($channel), true, 'sha512');
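Review bot: the new `Date` line satisfies the verifying library's presence check, but the header only adds protection if the receiving side also validates it against a clock-skew window; as the hunk stands, the acceptance criterion for `Date` (merely present and signed, or also fresh) is not documented next to the change and should be. Minor: `gmdate(DATE_RFC7231)` produces the same RFC 7231 IMF-fixdate string as `gmdate('D, d M Y H:i:s T')` and makes the intended format explicit.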
I'd like to know whether it's an option to add that header in all OpenWebAuth implementations, or whether it shouldn't be required for OpenWebAuth (and so in some way not be required by the library, in this case at least).
2) The WebFinger functions I found were not returning a full WebFinger result, only what's needed in terms of the Fediverse server (for example in this file, where the result is the 'self' href and the rest of the WebFinger result is ignored). So I added some 'lookup_with_webfinger_raw' functions to support my use case. This would need to be accepted by this library's maintainer.
3) The library only supports the sha256 hash algorithm for signature verification, but (streams) signs with the sha512 algorithm, so I needed to add support for sha512-based verification to the library. Also something to be accepted by this library's maintainer.
If these cannot be overcome, it seems to me the only option left is to implement HTTP signatures & WebFinger from scratch instead, in a way that can be used for new implementations and at the same time fits existing OpenWebAuth implementations.
- I've made Weblate fetch the (streams) avatar based on the webfinger result. So now the (streams) avatar is visible when you login to Weblate through OpenWebAuth as it's available through a public look-up based on the Webfinger response.
Now Weblate requires the user's email to function correctly, and this piece of info is not available the way the avatar picture is. The logged-in user could fill it in manually, but I thought it might be a good OpenWebAuth showcase if Weblate could fetch it from your own server with your permission. The user experience is well known: the user gets a pop-up asking if they want to share some data (like their email address, etc.) with an external service. In this way, the user is aware of exactly what he is sharing (and only that) with which external service, i.e. Weblate here. The requestor origin for the email address would be the Weblate server itself (with its own identity, i.e. keypair).
What I'm missing here: is there some public API/endpoint that fediverse servers provide to collect a user's email address or other personal info based on his fediverse handle? (OAuth would do this through a 'scope' during the authorization, here we're using OpenWebAuth to gain authorization from a remote server to access some user's data - but from which endpoint?)
Thanks to anyone who can help me advance!
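The signing-string and verification rules behind points 1) and 3) above, as an added example that is not code from Weblate, (streams) or the HTTP-signature library the post refers to. It uses HMAC with a shared secret as the signing primitive so that it runs offline with the standard library alone; (streams) signs with the channel's RSA key instead, but how the signing string is built, whether a signed `Date` header is demanded, and how the hash is picked from the `algorithm` parameter are the same in both cases. All header values, key ids and the secret are constructed for this example.

```python
"""Draft-cavage style HTTP Signature helpers for an OpenWebAuth /owa request.

Added example for this thread, not code from Weblate, (streams) or the library
discussed above.  HMAC with a shared secret stands in for the RSA channel key
so the file runs offline; header values, key ids and the secret are made up.
"""
import base64
import binascii
import email.utils
import hashlib
import hmac
import re
import secrets
import time

# Hash behind each accepted `algorithm` value.  A verifier that only knows the
# sha256 entry rejects what (streams) sends, since (streams) signs with sha512.
SHA256_ONLY = {"hmac-sha256": hashlib.sha256}
SHA256_AND_SHA512 = {**SHA256_ONLY, "hmac-sha512": hashlib.sha512}


def signing_string(method, path, headers, signed_names):
    """One 'name: value' line per signed header, in the order given by the
    `headers` parameter; '(request-target)' expands to 'method path'."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed_names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lower[name]}")
    return "\n".join(lines)


def create_sig(method, path, headers, key_id, secret, algorithm="hmac-sha512", with_date=True):
    """Client side: return the headers plus a Signature header that covers all
    of them and (request-target).  with_date=False mimics unpatched (streams)."""
    headers = dict(headers)
    if with_date:
        headers["Date"] = email.utils.formatdate(usegmt=True)  # RFC 7231 date, as gmdate() in the patch
    signed = ["(request-target)"] + [k.lower() for k in headers]
    mac = hmac.new(secret, signing_string(method, path, headers, signed).encode(),
                   SHA256_AND_SHA512[algorithm]).digest()
    headers["Signature"] = (f'keyId="{key_id}",algorithm="{algorithm}",'
                            f'headers="{" ".join(signed)}",signature="{base64.b64encode(mac).decode()}"')
    return headers


def verify_sig(method, path, headers, secret_for_key_id, supported=SHA256_AND_SHA512,
               require_date=False, max_skew=300):
    """Server side: return (ok, reason).  require_date=True is the behaviour the
    post had to work around; when a signed Date is present it is always checked."""
    lower = {k.lower(): v for k, v in headers.items()}
    params = dict(re.findall(r'(\w+)="([^"]*)"', lower.get("signature", "")))
    missing = [p for p in ("keyId", "algorithm", "headers", "signature") if p not in params]
    if missing:
        return False, "Signature header lacks " + ", ".join(missing)
    digest = supported.get(params["algorithm"])
    if digest is None:
        return False, "unsupported algorithm " + params["algorithm"]
    signed = params["headers"].split()
    if "(request-target)" not in signed:
        return False, "(request-target) is not covered by the signature"
    absent = [n for n in signed if n != "(request-target)" and n not in lower]
    if absent:
        return False, "signed headers absent from request: " + " ".join(absent)
    if require_date and "date" not in signed:
        return False, "Date header required but not signed"
    if "date" in signed:
        try:
            sent = email.utils.parsedate_to_datetime(lower["date"]).timestamp()
        except (TypeError, ValueError, IndexError):
            return False, "unparseable Date header"
        if abs(time.time() - sent) > max_skew:
            return False, "Date outside allowed clock skew"
    secret = secret_for_key_id(params["keyId"])
    if secret is None:
        return False, "unknown keyId " + params["keyId"]
    try:
        given = base64.b64decode(params["signature"], validate=True)
    except (binascii.Error, ValueError):
        return False, "signature is not valid base64"
    expected = hmac.new(secret, signing_string(method, path, headers, signed).encode(), digest).digest()
    if not hmac.compare_digest(expected, given):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Replay the situations from the post and return each verifier verdict."""
    key_id = "https://streams.example/channel/alice"            # constructed
    secret = b"shared-secret-standing-in-for-the-channel-key"  # constructed
    lookup = lambda kid: secret if kid == key_id else None
    base = {"X-Open-Web-Auth": secrets.token_hex(16), "Host": "weblate.example"}
    with_date = create_sig("GET", "/owa", base, key_id, secret)
    no_date = create_sig("GET", "/owa", base, key_id, secret, with_date=False)
    tampered = dict(with_date, Host="evil.example")
    return {
        "sha512_with_date": verify_sig("GET", "/owa", with_date, lookup),
        "sha256_only_verifier": verify_sig("GET", "/owa", with_date, lookup, supported=SHA256_ONLY),
        "no_date_date_required": verify_sig("GET", "/owa", no_date, lookup, require_date=True),
        "no_date_date_optional": verify_sig("GET", "/owa", no_date, lookup),
        "tampered_host": verify_sig("GET", "/owa", tampered, lookup),
    }
```

`demo()` shows the two failure modes from the post side by side: a verifier built with `SHA256_ONLY` rejects the sha512 signature before looking at any header, and `require_date=True` rejects an otherwise valid (streams)-style request that carries no `Date`. With `require_date=False` the request verifies, but a `Date` that is present and signed is still checked for skew, which is the behaviour to settle on if the header is made optional rather than mandatory.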