Post Azdj7dBar9mvb4pZwW by dos@social.librem.one
 (DIR) Post #Azdj7ZxIrpZhZt7cki by dos@social.librem.one
       2025-10-23T09:47:10Z
       
       0 likes, 0 repeats
       
       Just witnessed the new authentication flow on matrix.org in Element and it's so bad it managed to scare me into thinking I had somehow got phished. It doesn't handle multiple profiles and doesn't work at all when there's no handler registered in the user's browser (there's no fallback!). I'm also amazed at how it launches the auth flow in an external browser (causing all these issues) despite Electron being... a browser. What's going on there? 🤨 #element #matrix
       
 (DIR) Post #Azdj7b4Qiorz2HSpV2 by bart@mastodon.fam-ribbers.com
       2025-10-23T16:06:12Z
       
       0 likes, 0 repeats
       
       @dos Eh, that's just SSO/OAuth2, I don't really see the problem with it?
       
 (DIR) Post #Azdj7cEkNwiUeZIaDg by dos@social.librem.one
       2025-10-23T16:08:51Z
       
       0 likes, 0 repeats
       
       @bart It's how it only implements the happy path and fails to consider anything deviating from it. I literally couldn't log in today without hacking up a script to point the browser to, because there was no way to pass the token back to the running Element instance.
       
 (DIR) Post #Azdj7dBar9mvb4pZwW by dos@social.librem.one
       2025-10-23T16:12:09Z
       
       0 likes, 0 repeats
       
       @bart And that's just the beginning - just clicking on the button that initiated the passing of the token was enough for it to consider it consumed, so it errored out on retry - but that did not stop it from considering the session active and listing it in the panel, with "last activity" suggesting that the authentication actually succeeded somewhere else 😱
       
 (DIR) Post #Azdj7e0dnMca9OiLVg by dos@social.librem.one
       2025-10-23T16:13:48Z
       
       0 likes, 0 repeats
       
       @bart It turned out to be just a careless OAuth implementation, but it did manage to scare me for a moment.
       
 (DIR) Post #Azdj7euISR8mw0knGC by dos@social.librem.one
       2025-10-23T16:21:29Z
       
       0 likes, 0 repeats
       
       @bart Compare it to, for example, the flow in Tuba and Mastodon, which tries to do the same thing by default, but recognizes that it may not work and gives you the option to copy the authorization token back to the app manually. No such thing in Element.
       
 (DIR) Post #Azdj7gGfOkd39gEAlc by quentin@piaille.fr
       2025-10-27T09:25:35Z
       
       0 likes, 0 repeats
       
       @dos @bart Hey! I'm the developer who introduced OAuth in Matrix. Getting the redirect back to the native client is a very complex topic, and also highly dependent on how the native app is being shipped. This is especially a problem on Linux, where Element doesn't maintain many of the packages themselves, plus the many ways to run it (Flatpak, snaps, community repos), so we have no guarantee that the custom scheme handler is correctly installed. When I implemented the redirect back to the client, I foolishly assumed that an HTTP redirect to the native scheme was enough, which was the most convenient way to have the whole flow JS-free.
       
 (DIR) Post #Azdj7hKbRbN6SB4pXc by quentin@piaille.fr
       2025-10-27T09:30:09Z
       
       0 likes, 0 repeats
       
       @dos @bart I'm looking for a few ways to improve the flow in those edge cases. One way is to consider the Device Code Grant (https://github.com/matrix-org/matrix-spec-proposals/pull/4341) in cases where we're not sure the redirect will work. Another thing is to give a nice, proper link to users to get back to their client instead of relying on an HTTP redirect that can't be replayed. The suggestion to give out the code to copy back to the client as a last resort is interesting, even though ideally we should really not need that kind of potentially confusing workaround :(
       
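The two properties the posts above turn on (a redirected authorization code that must be single-use, and a device that should only count as an active session once the token endpoint has actually handed tokens to the client) can be shown with a toy authorization-code-plus-PKCE server. This is an added example for this thread, not Element's, matrix.org's or the MSC's code; the scheme `example-client://callback`, the `device_id` labels and the `active_devices` listing are illustrative stand-ins for whatever a real homeserver and client use.

```python
"""Toy OAuth 2.0 authorization server: authorization code grant with PKCE
(RFC 6749 / RFC 7636).  Added example, not Element's or matrix.org's code.
Illustrative names: ``device_id``, ``example-client://callback``."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

CODE_LIFETIME = 60  # seconds; RFC 6749 recommends at most 10 minutes


def challenge_for(verifier: str) -> str:
    """S256 PKCE challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce() -> Tuple[str, str]:
    """Client side: fresh random verifier and its challenge."""
    verifier = secrets.token_urlsafe(48)
    return verifier, challenge_for(verifier)


def code_from_redirect(url: str) -> str:
    """Client side: pull the one-time code out of the redirect URL.  The same
    parser serves a manual fallback where the user pastes the URL into the
    app because no scheme handler (or the wrong profile) caught the redirect."""
    query = parse_qs(urlsplit(url).query)
    if "code" not in query:
        raise ValueError("redirect carried no authorization code")
    return query["code"][0]


@dataclass
class PendingCode:
    device_id: str
    code_challenge: str
    redirect_uri: str
    issued_at: float
    consumed: bool = False
    access_token: Optional[str] = None


@dataclass
class Session:
    device_id: str
    last_activity: float


class AuthServer:
    def __init__(self) -> None:
        self._codes: Dict[str, PendingCode] = {}
        self._sessions: Dict[str, Session] = {}  # keyed by access token

    def authorize(self, device_id: str, code_challenge: str, redirect_uri: str) -> str:
        """The user approved the client in the browser: mint a one-time code and
        build the redirect.  No session is recorded here, because the client
        may never receive this redirect."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = PendingCode(device_id, code_challenge, redirect_uri, time.time())
        return f"{redirect_uri}?code={code}"

    def exchange_code(self, code: str, code_verifier: str, redirect_uri: str) -> str:
        """Token endpoint: only a successful exchange makes the device active."""
        pending = self._codes.get(code)
        if pending is None or pending.redirect_uri != redirect_uri:
            raise PermissionError("invalid_grant")
        if pending.consumed:
            # Replayed code: RFC 6749 section 4.1.2 says the server SHOULD
            # revoke every token previously issued on that code.
            if pending.access_token is not None:
                self._sessions.pop(pending.access_token, None)
            raise PermissionError("invalid_grant: code already used")
        if time.time() - pending.issued_at > CODE_LIFETIME:
            raise PermissionError("invalid_grant: code expired")
        if not secrets.compare_digest(challenge_for(code_verifier), pending.code_challenge):
            raise PermissionError("invalid_grant: PKCE verifier mismatch")
        pending.consumed = True
        token = secrets.token_urlsafe(32)
        pending.access_token = token
        self._sessions[token] = Session(pending.device_id, time.time())
        return token

    def active_devices(self) -> List[str]:
        """What a 'sessions' panel would list."""
        return sorted(s.device_id for s in self._sessions.values())


def run_scenarios() -> Dict[str, object]:
    """Constructed walk-through of the two situations from the thread."""
    srv = AuthServer()
    redirect_uri = "example-client://callback"  # hypothetical custom scheme
    # 1. Redirect fires but no handler consumes it: nothing must be listed.
    _, challenge = make_pkce()
    srv.authorize("laptop-A", challenge, redirect_uri)
    after_lost_redirect = srv.active_devices()
    # 2. Redirect reaches the client and is exchanged; the button is then
    #    clicked again, so the replay fails and takes the session with it.
    verifier, challenge = make_pkce()
    code = code_from_redirect(srv.authorize("laptop-B", challenge, redirect_uri))
    srv.exchange_code(code, verifier, redirect_uri)
    after_exchange = srv.active_devices()
    try:
        srv.exchange_code(code, verifier, redirect_uri)
        replay_error = None
    except PermissionError as exc:
        replay_error = str(exc)
    return {"after_lost_redirect": after_lost_redirect, "after_exchange": after_exchange,
            "replay_error": replay_error, "after_replay": srv.active_devices()}


if __name__ == "__main__":
    print(run_scenarios())
```

The design point is where the session row is written: in `authorize` nothing is persisted as a session, so a redirect that dies in the browser leaves the device list unchanged, and in `exchange_code` the row appears only after the PKCE check passes and a token is minted. Replaying the same code after that both fails and removes the row, which is the opposite of the behaviour described in the thread.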
 (DIR) Post #Azdj7iJvlaQbWNlo8G by quentin@piaille.fr
       2025-10-27T09:36:31Z
       
       0 likes, 0 repeats
       
       @dos @bart I know this is probably not the answer you would like to hear (nor one I'm really happy giving), but part of the truth is, we're really resource constrained, and sometimes cannot afford spending resources to fix problems that don't affect customers paying us (this one mostly affects Linux users on community packages). It's on my personal list of 'things to do/fix when I have spare time', but that list is long and spare time is not something I have much of :)
       
 (DIR) Post #Azdj7jAOcWOa96JhuS by dos@social.librem.one
       2025-10-27T16:14:55Z
       
       1 like, 0 repeats
       
       @quentin @bart Hey! Thanks for replying and sorry about my ranty tone 😅 I'm just surprised that this got deployed as-is; it doesn't seem ready for prime time. It's not just about the lack of scheme handlers. In my case, Element was being successfully launched... on the wrong profile, giving this nonsensical error message. The same thing could happen with "portable" installations, sandboxed browsers etc. on any platform. Also, the "device" shows up on the list even when the token never reached the app.