[openstreetmap/openstreetmap-website] HTTP 500 error when trying to get access-token from master.apis.dev.openstreetmap.org with "openid" scope (Issue #4334)

Hauke Stieler notifications at github.com
Sat Nov 11 22:35:11 UTC 2023


### URL

https://master.apis.dev.openstreetmap.org/oauth2/token

### How to reproduce the issue?

It seems that adding the scope `openid` to the list of requested scopes returns an HTTP 500 error on the `https://master.apis.dev.openstreetmap.org/oauth2/token` endpoint. Yes, I gave permission to that scope and yes, I used all correct client-id and -secret values. Removing `openid` from the list of wanted scopes solves the problem.

The error does _not_ appear on the production www.openstreetmap.org server!

This bug does not affect me (and would have a very low priority for me personally), I just saw it by accident.

### Reproduce

Requires the Python 3 `authlib` dependency:

```python
from authlib.integrations.requests_client import OAuth2Session

# dev server:
client_id = "..."
client_secret = "..."
domain = "master.apis.dev"

# prod server:
#client_id = "..."
#client_secret = "..."
#domain = "www"

redirect_uri = 'http://127.0.0.1:8000/callback'

# Remove the "openid" entry here and it'll work
scope = ["read_prefs", "openid"]

oauth = OAuth2Session(client_id=client_id, redirect_uri=redirect_uri, scope=scope)

authorization_url, state = oauth.create_authorization_url('https://'+domain+'.openstreetmap.org/oauth2/authorize')
print("Please visit:\n" + authorization_url)
print("")
authorization_response = input('Enter the redirect url from your browser and paste it here:\n')
token = oauth.fetch_token(
        'https://'+domain+'.openstreetmap.org/oauth2/token',
        authorization_response=authorization_response,
        client_secret=client_secret)
print("")
print("Access token is:")
print(token["access_token"])
```

1. Execute the script
2. Click on the presented link to open the OSM login form and grant access
3. The browser will redirect to `http://127.0.0.1:8000/callback?...`. Copy the whole URL from the browser's address bar, paste it into the terminal and press Enter
4. If everything works, the access token should appear. In the above script, the error message `requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: https://master.apis.dev.openstreetmap.org/oauth2/token` comes up.

This situation also appears using golang and the `golang/oauth2` library.

### Screenshot(s) or anything else?

_No response_

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4334