support OAUTHBEARER

[slingamn]

https://emersion.fr/blog/2022/irc-and-oauth2/

In terms of ergo, all we need to do is:

1. Add a config option (to the auth-script block?) to enable advertising the OAUTHBEARER mechanism
2. Modify authenticateHandler to process OAUTHBEARER by forwarding it to an auth-script
3. Extend the auth-script protocol to take an additional oauthbearer field in the input (the output type is already sufficiently expressive)

[slingamn]

See #336 and #502 for related prior discussions.

[prologic]

Is anyone working on this at all? 🤔

[slingamn]

I started a draft but didn't finish it. Is this something you're interested in? I could prioritize it for the next release.

[prologic]

@slingamn Yes! 👌 Please 🙏 I'm looking to potentially do the following:

• Stand up an Ergo instance
• Stand up a gamja instance with OAuth2 support configured
• Use my already working (quite well) Authelia for auth and OpenID/OAuth2 flows

This should enable me to stand up a mostly decent small team/startup chat/comms platform that is fully self-hosted without the issues I've been facing with Matrix (Synapse+Element).

[slingamn]

Nice, I'll plan to do this soon. You could help test :-)

[prologic]

Absolutely! 🙏🙇‍♂️

[slingamn]

@prologic sorry about the delay; I have a draft of this over at #2122. (See the changes to default.yaml for how to enable the feature.)

I successfully tested with Gamja and a local Authelia, but I had to patch out a couple checks in Authelia's libs relating to Gamja-Authelia interactions (i.e. unrelated to Ergo's OAUTHBEARER implementation itself):

1. A CSRF check here: https://github.com/ory/fosite/blob/f4114878826c6d26b6751a1ea61f69ebbc25d4f2/authorize_request_handler.go#L401-L410
2. Redirect URI validation here: https://github.com/ory/fosite/blob/f4114878826c6d26b6751a1ea61f69ebbc25d4f2/handler/oauth2/flow_authorize_code_token.go#L78-L85 (it expected https://example.com/gamja/ but received https://example.com/gamja/?scope=)

It's very likely that one or both of these issues is caused by my misconfiguration of Gamja and/or Authelia, but be advised that things may not work out of the box.

[slingamn]

(Ignore the jwt-auth config block or anything related to draft/bearer; those are for a related but distinct specification)

[slingamn]

@prologic any thoughts on when you might be able to test this? I was thinking of doing an early release that includes this change. (Sorry to pester you after I took so long implementing it ;-)

[prologic]

I haven't had an opportunity to try this out yet, been very busy with my day job. But it'son my list!

[slingamn]

Thanks! I'm pretty confident in the PR so I'm going to merge it now and you can test it from the master branch.