How to enable /export in an OAuth authentication scope?

As mentioned somewhere else, we are using the mlz_export plugin to retrieve the registrant information using a REST API. This plugin relies on OAuth to authenticate the user so that it gets access to this event-admin restricted information. In the same script, we’d like to also access information about the event (through the /export API) but the request fails and I guess that it is because the connection opened to Indico for /mlz_export doesn’t have /export in its scopes. What should I do to enable access to /export (that also requires an authentication if the event is not public) through OAuth2, ideally through the same connection?

Thanks in advance for any hint. Cheers,

Michel

So you need to use OAuth with the registrants scope.

To access the regular /export/... API, you need the read:legacy_api scope:

As typical with OAuth, the user needs to have access to any event they want to access through the API.

Thanks. I have read:legacy_api, I was not sure it was enough, so it should be something else. I’ll look more carefully!

Michel

Looking at indico.log, I see that every request to /export/... results in:

2020-10-14 20:31:03,556  INFO     12af3e6b3f0c4411  indico.rh                 POST /oauth/token [IP=134.158.76.241] [PID=29221]
2020-10-14 20:31:03,647  ERROR    2e0b664685d64f88  indico.flask              error_message
Traceback (most recent call last):
  File "/opt/indico/.venv/lib/python2.7/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/.venv/lib/python2.7/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/indico/.venv/lib/python2.7/site-packages/indico/web/http_api/handlers.py", line 137, in handler
    elif g.get('received_oauth_token') and oauth_request.error_message == 'Bearer token not found.':
  File "/opt/indico/.venv/lib/python2.7/site-packages/oauthlib/common.py", line 435, in __getattr__
    raise AttributeError(name)
AttributeError: error_message

It seems an error message cannot be logged, isn’t it?

This doesn’t happen when I execute a request on /mlz_export.

Michel

Huh looks like there’s no error message in this case… now the interesting question is what actually went wrong! How did you send the oauth token?

Basically we reuse the code from the mlz_export plugin example, i.e.:

  • Open an OAuth2 session with OAuth2Session() from the requests_oauthlib module
  • Execute the method `fetch_token()` of the created session, which is also used for querying Indico afterwards.

It works well when accessing /mlz_export and fails (but without error message causing an exception in the logs!) when accessing /export. I can imagine we are doing something wrong but it is not clear what…

Michel

So this AttributeError: error_message seems to be a bug in Indico. Another user here had the same issue. We’ll probably have a fix for this soon (but as usual you’ll need to either apply it manually or wait for 2.3.1).

Thanks! I’ll be happy to apply the fix manually and test it when you have it ready. Let me know.

Michel

Thanks! Tested and working fine!

Michel

If you applied this to your instance, make sure to apply the other commit from the PR as well or disable API caching in the admin area due to a security fix I added to the PR. This was not exploitable due to OAuth access being broken, but with the oauth fix applied you could possibly leak data from oauth-authenticated requests to public ones.
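
Added example, not part of the thread and not Indico's code: a simplified model of the caching risk described in the last post, under the assumption that the leak comes from a response cache whose key ignores the authenticated user. The names `CachedAPI`, `naive_key`, `scoped_key` and the sample data are constructed for illustration; `scoped_key` is one possible correction, not necessarily what the PR does.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data: what an export endpoint returns per caller.
PUBLIC_VIEW = {"event": 42, "title": "Workshop"}
MANAGER_VIEW = {**PUBLIC_VIEW, "registrants": ["alice@example.org"]}


def render(path: str, user: Optional[str]) -> dict:
    """Stand-in for the API handler: an event manager sees more data."""
    return MANAGER_VIEW if user == "manager" else PUBLIC_VIEW


def naive_key(path: str, user: Optional[str]):
    # Weak setting: the cache key ignores who authenticated.
    return path


def scoped_key(path: str, user: Optional[str]):
    # Corrected setting (assumption): the principal is part of the key.
    return (path, user)


@dataclass
class CachedAPI:
    key_func: Callable
    enabled: bool = True          # False models "disable API caching"
    store: dict = field(default_factory=dict)

    def get(self, path: str, user: Optional[str] = None) -> dict:
        key = self.key_func(path, user)
        if self.enabled and key in self.store:
            return self.store[key]
        response = render(path, user)
        if self.enabled:
            self.store[key] = response
        return response


def leaks(api: CachedAPI) -> bool:
    """True if an anonymous caller receives data cached for a manager."""
    path = "/export/event/42.json"
    api.get(path, user="manager")   # OAuth-authenticated request warms the cache
    return "registrants" in api.get(path, user=None)  # later public request
```
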