Support newly developed oauth flow for bugzilla login

RESOLVED FIXED

Status

Firefox OS
Gaia::Bugzilla Lite
RESOLVED FIXED
3 years ago
a year ago

People

(Reporter: daleharvey, Assigned: daleharvey)

Tracking

({foxfood})

unspecified
foxfood

Firefox Tracking Flags

(feature-b2g:2.5+)

Details

Attachments

(1 attachment)

Byron, did you mention that people logged in via persona (or in future github) won't be able to authenticate currently over the rest api?
Component: Gaia → Gaia::Feedback
Flags: needinfo?(glob)
(In reply to Dale Harvey (:daleharvey) from comment #1)
> Byron, did you mention that people logged in via persona (or in future
> github) won't be able to authenticate currently over the rest api?

persona's design and implementation requires a browser; it cannot be used for api/headless authentication.

users who use persona to authenticate to bmo are able to use api-keys for api authentication.  while not finalised, it's highly probable that fixing the copy+paste api-key dance will be a q2 goal for the bmo team.
Flags: needinfo?(glob)
> persona's design and implementation requires a browser; it cannot be used for api/headless authentication.

We aren't using the API headlessly, it's people using http://bzlite.com/ in a browser, I am going to give adding persona login a shot and hope the api works.

I am not sure why API keys are being used or that they can be fixed, QR codes certainly isn't much improvement. It seems like any login flow (persona / github oauth) we use on http://bugzilla.mozilla.org should also be able to authenticate REST api calls.
Blocks: 1134701
Component: Gaia::Feedback → Bugzilla Lite
So for the short term I think the only solution is to support API key authentication for users who only use persona auth, long term I would really like to have 1st class support for authentication for REST clients
Summary: Support Persona Logins → Allow users to enter API key
Assignee: nobody → dale
Hey Byron, sorry for all the bmo questions but thanks a lot for your help

Is there a good way to check that a token is valid, it would be extra ideal if I could figure out the username from the token
Flags: needinfo?(glob)
(In reply to Dale Harvey (:daleharvey) from comment #4)
> So for the short term I think the only solution is to support API key
> authentication for users who only use persona auth, long term I would really
> like to have 1st class support for authentication for REST clients

the bugzilla team agrees :) but it's likely this will require a rewrite of our authentication stack :(

(In reply to Dale Harvey (:daleharvey) from comment #5)
> Is there a good way to check that a token is valid, it would be extra ideal
> if I could figure out the username from the token

we have http://bugzilla.readthedocs.org/en/latest/api/core/v1/user.html#valid-login for the older login tokens, but nothing for api-keys.  i've filed bug 1143533.
until that lands, trying to perform an action which requires authentication.

user matching is probably the best one to hit - you need to be logged in, and we ignore queries which are too short so the impact on bmo is minimal.

https://bugzilla.mozilla.org/rest/user?match=x&api_key=...

(that's literally a single "x" as the match)
Flags: needinfo?(glob)
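The validity probe suggested in the comment above, as an added example (not code from bzlite or from this bug). Because the key travels in the query string it ends up in URLs that get logged, so the sketch also redacts it. The helper names, the injected `fetchImpl` and the fake server responses are constructed for illustration.

```javascript
// Added example: probe whether a Bugzilla API key is valid by calling the
// user-match endpoint, which requires authentication.
const BMO_REST = 'https://bugzilla.mozilla.org/rest';

// A single "x" as the match keeps the query too short to be searched.
function probeUrl(apiKey, base = BMO_REST) {
  return `${base}/user?match=x&api_key=${encodeURIComponent(apiKey)}`;
}

// The key rides in the query string, so strip it before logging a URL.
function redact(url) {
  return url.replace(/([?&]api_key=)[^&#]*/, '$1REDACTED');
}

// Fail closed: only HTTP 200 with a `users` array counts as authenticated.
function interpretProbe(status, body) {
  if (status === 200 && body && Array.isArray(body.users)) {
    return { valid: true, reason: 'authenticated' };
  }
  const reason = body && body.error ? String(body.message) : `HTTP ${status}`;
  return { valid: false, reason };
}

// `fetchImpl` is injected (window.fetch in a browser) so this runs offline.
async function checkApiKey(apiKey, fetchImpl, base = BMO_REST) {
  const key = typeof apiKey === 'string' ? apiKey.trim() : '';
  if (!key) return { valid: false, reason: 'empty key' };
  const url = probeUrl(key, base);
  try {
    const res = await fetchImpl(url, { headers: { Accept: 'application/json' } });
    return interpretProbe(res.status, await res.json());
  } catch (err) {
    return { valid: false, reason: `request failed: ${redact(url)}` };
  }
}

// Constructed stand-in for the server: accepts exactly one made-up key.
async function fakeFetch(url) {
  const ok = new URL(url).searchParams.get('api_key') === 'constructed-key';
  const body = ok ? { users: [] }
    : { error: true, message: 'constructed error: key not valid' };
  return { status: ok ? 200 : 400, json: async () => body };
}
```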
Decided on the weekly meeting to not block on this, I think ideally I may be able to get familiar with the bugzilla codebase and see what I can do about getting full support for 3rd party auth. 

In the meantime people will have to use their bugzilla credentials, we may still implement this but it won't block v1
Assignee: dale → nobody
No longer blocks: 1134701
> user matching is probably the best one to hit - you need to be logged in, and we 
> ignore queries which are too short so the impact on bmo is minimal.

> https://bugzilla.mozilla.org/rest/user?match=x&api_key=...

Thanks a lot, will do it this way if / when we get to implementing API keys on bzlite
FTR, that is not blocking because a Persona logged-in user can still set a Bugzilla password and login with it on the app, and continue to use Persona on Desktop for instance.
See Also: → bug 1155069
Summary: Allow users to enter API key → Support newly developed outh flow for bugzilla login
Duplicate of this bug: 1155069
(In reply to Dale Harvey (:daleharvey) from comment #7)
> In the meantime people will have to use their bugzilla credentials, we may
> still implement this but it won't block v1

FWIW, I don't know if it's the case for many people at Mozilla, but I think my account is a Persona-only one. I've never managed to log in with the default authentication system.
Keywords: dogfood
(In reply to Johan Lorenzo [:jlorenzo] (QA) from comment #11)
> FWIW, I don't know if it's the case for many people at Mozilla, but I think
> my account is a Persona-only one. I've never managed to log in with the
> default authentication system.

when you log in to bmo with persona you're actually creating a normal account without a usable password. bugzilla hands off just the password verification phase to persona.  as per comment 9 it's possible to use bugzilla's "password reset" mechanism to set a password on your account -- doing so won't prevent you from continuing to use persona for auth.
Duplicate of this bug: 1177225
Duplicate of this bug: 1177442
Duplicate of this bug: 1177853
This has landed and is almost ready to implement, documentation is @ https://bugzilla.readthedocs.org/en/latest/integrating/auth-delegation.html#auth-delegation. Dylan, can you give me a ping when token api change and UI have landed? Cheers
Flags: needinfo?(dylan)
Keywords: dogfood → foxfood
Duplicate of this bug: 1180586
QA Whiteboard: [foxfood-triage]
Blocks: 1180660
feature-b2g: --- → 2.5+
feature-b2g: 2.5+ → ---
Assignee: nobody → dale
Created attachment 8645366 [details] [review]
https://github.com/mozilla-b2g/bzlite/pull/34

So because this can't be tested against a test installation I have pushed the commit up to http://www.bzlite.com/ so it can be tested.

The bugzilla UX doesn't work great on mobile, I have filed a follow up for that @ https://bugzilla.mozilla.org/show_bug.cgi?id=1192538

It does however seem to work, tested persona login and it went good
Attachment #8645366 - Flags: review?(dietrich)
Comment on attachment 8645366 [details] [review]
https://github.com/mozilla-b2g/bzlite/pull/34

r=me with a few comments on the PR to fix
Attachment #8645366 - Flags: review?(dietrich) → review+
Thanks so much for these reviews, Fixed nits and filing follow up

Merged in https://github.com/mozilla-b2g/bzlite/commit/43e54fbb82a0454ad2f4d119e47cc1ef11305c3b
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Summary: Support newly developed outh flow for bugzilla login → Support newly developed oauth flow for bugzilla login
feature-b2g: --- → 2.5+
Keywords: verifyme
QA trying to verify this bug. Can we have an STR here? Is it just go to http://www.bzlite.com/ on DUT browser and try to log in there?
Flags: needinfo?(dylan)
NI Naoki since he's the one that put verifyme on there. Please address comment 21.
Flags: needinfo?(nhirata.bugzilla)
Yes, you would just try to login with your account.

Having said this, there's a UX flow bug when you tap the bugzilla login.  There's no way you can go back to the regular login screen.  Could you verify and file the bug please?
Flags: needinfo?(nhirata.bugzilla) → needinfo?(pcheng)
This issue is verified fixed. I was able to log in to bugzilla lite via app or via browser using my login.

Also filed bug 1214456 for the issue Naoki described at comment 23.

Verified via:
Device: Aries 2.5
BuildID: 20151013110851
Gaia: d400cda6bf0f8b30dcf7d7d71bfa61f29a3f1588
Gecko: 607a236c229994df99766c005f9ec729532d7747
Gonk: 2916e2368074b5383c80bf5a0fba3fc83ba310bd
Version: 44.0a1 (2.5) 
Firmware Version: D5803_23.1.A.1.28_NCB.ftf
User Agent: Mozilla/5.0 (Mobile; rv:44.0) Gecko/44.0 Firefox/44.0
Status: RESOLVED → VERIFIED
QA Whiteboard: [foxfood-triage] → [foxfood-triage][QAnalyst-Triage?]
Flags: needinfo?(pcheng) → needinfo?(jmercado)
Keywords: verifyme
QA Whiteboard: [foxfood-triage][QAnalyst-Triage?] → [foxfood-triage][QAnalyst-Triage+]
Flags: needinfo?(jmercado)
When I try to log in I get: "Auth delegation received an HTTP response other than 200 OK from auth consumer. Code: 404"

STR:
Open bzlite
Enter bugzilla username and password, press Login - The following message displays: "API key authentication is required." - Press OK
Press 'Or login via Bugzilla'
Enter bugzilla username and password + 2FA token - The following displays (from bmo website): Auth Delegation Request ...
Press Accept


When I look at the API keys listed in my Bugzilla preferences, there is indeed 1 API key for Bugzilla Lite (created as a result of this process) and its status is "never used". 

I have tried this flow several times, after a restart, and after logging in and out of Bugzilla.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Yup seeing this too, not sure if something else has changed (or I forgot to push) checking now
There was a line missing in my last commit, r=me'd it, should all be working now, apologies 

https://github.com/mozilla-b2g/bzlite/commit/149a995cc5a0fb97003b8dd8084a0c9fd3e0b2b2
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Comment 28

a year ago
$callback_uri may not be accessible from the bugzilla instance.
For example I can have an internal application which wants to connect to an external bugzilla instance on behalf of a user. The user can open the callback uri (e.g. in a browser), but the bugzilla instance cannot.
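The consumer side of the delegation callback discussed in the 404 report and in comment 28, as an added example (not bzlite's code). The field names `client_api_key`, `client_api_login`, `result` and `callback_result` follow the auth-delegation documentation linked earlier in the thread; the in-memory store, the TTL and the rejection status codes are assumptions.

```javascript
// Added example: the consumer's two callback legs. Field names follow the
// linked auth-delegation docs; the store and TTL are illustrative.
function createConsumer({
  // CSPRNG token by default; tests may inject a deterministic one.
  newToken = () => require('crypto').randomBytes(16).toString('hex'),
  now = () => Date.now(),
  ttlMs = 60000,
} = {}) {
  const pending = new Map(); // result token -> { login, key, expires }

  // Leg 1: Bugzilla's server POSTs the key, so this route must be reachable
  // from Bugzilla itself. Any status other than 200 aborts the delegation
  // ("received an HTTP response other than 200 OK from auth consumer").
  function handlePost(rawBody) {
    let msg;
    try { msg = JSON.parse(rawBody); } catch (e) { return { status: 400 }; }
    const { client_api_key: key, client_api_login: login } = msg || {};
    if (typeof key !== 'string' || typeof login !== 'string' || !key || !login) {
      return { status: 400 };
    }
    const result = newToken();
    pending.set(result, { login, key, expires: now() + ttlMs });
    return { status: 200, body: JSON.stringify({ result }) };
  }

  // Leg 2: the user's browser is redirected back with the result token.
  // The key is released only if the token is known, fresh and unused, and
  // the login matches the one Bugzilla sent in leg 1.
  function handleGet(query) {
    const entry = pending.get(query.callback_result);
    pending.delete(query.callback_result); // single use, even on failure
    if (!entry || entry.expires < now()) return { status: 403 };
    if (entry.login !== query.client_api_login) return { status: 403 };
    return { status: 200, login: entry.login, apiKey: entry.key };
  }

  return { handlePost, handleGet };
}
```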