OAuth Connection issue (with WFS Module and QGIS)

I’m having issues with getting QGIS to connect to farmOS with farmOS_wfs module.

Background. I’m running 2.0.0-beta2, farmos_wfs 1.2.1, and QGIS 3.22.3. I believe I have configured QGIS correctly ar at least as per instillation instructions.

Screenshot 2022-02-16 1327071778×861 374 KB

When I try to add the WFS layer it just keeps asking for my username and password. I’m not super familiar with QGIS and I’m not seeing any errors it may be providing, so not really sure where to look next.

Besides installing the WFS module in farmOS is there anything I need to configure with Oauth2? Any other ideas on where to look for troubleshooting?

Try turning on the “Log Messages” and “Debugging/Development Tools” panels in QGIS;

image1468×958 155 KB

If you post screenshots of what messages and request errors you’re getting, I bet we can sort it out…

You could also check the “Recent Log Messages” on the farmOS side at /admin/reports/dblog;

image1304×1074 52.4 KB

Thanks @Symbioquine!. I thought there had to be some sort of log in QGIS, just didn’t know where to look.

When I try to add the layer and push connect the username/password box appears. I can try username and password over and over again with nothing until I push cancel. Then it pops up with this error and log messages.

dev tools1870×925 103 KB

I get no messages around the same time stamp on the ‘Recent Log Messages’ in farmOS.

Do you have the curl command?

What happens if you do;

curl -i -X POST -d "client_id=farm&client_secret=&username=Nick&password=my_secret_password_here&grant_type=password&scope=openid" https://mydomain.com/oauth/token

Replacing:

• my_secret_password_here with your password
• mydomain.com with your domain

Don’t post the actual token if it works, but it would be useful to see if it succeeds or fails and what headers/response-code/error-messages come back…

Same type of error.

HTTP/2 401
server: nginx/1.21.6
date: Thu, 17 Feb 2022 17:55:25 GMT
content-type: application/json
content-length: 118
www-authenticate: Basic realm="OAuth"
cache-control: must-revalidate, no-cache, private
x-ua-compatible: IE=edge
content-language: en
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
permissions-policy: interest-cohort=()
expires: Sun, 19 Nov 1978 05:00:00 GMT
x-generator: Drupal 9 (https://www.drupal.org)
strict-transport-security: max-age=31536000

{"error":"invalid_client","error_description":"Client authentication failed","message":"Client authentication failed"}

Ah invalid_client might be a clue?

@BOTLFarm go to /admin/config/services/consumer - do you see a client named “Farm default”?

No I don’t. The only 2 listed are “Default Consumer” and “Field Kit”.

Oh huh… well that’s your problem!

It seems that the code in the farmOS API module’s install hook didn’t run on your instance: farmOS/farm_api.install at 2.x · farmOS/farmOS · GitHub

Specifically these two chunks (but presumably the whole thing):

This may have happened because you upgraded from an alpha release to beta (is that correct? i forget…)

Or… maybe you don’t have the farm_api installed at all?

In either case, you may be able to fix this by uninstalling and reinstalling that module. Take a db backup first, just in case…

This was a fresh install of beta2. A week ago or so I accidentally moved to the 2.x-dev version before moving back to beta2.

farm_ui was installed. I uninstalled it and reinstalled it and have the same clients listed.

I’m still using 1.x for my main production and just playing with 2.x in the mean time. I’m waiting for beta3 before I move over completely on a fresh install. If this seems to be a weird instillation error I can just hold off until the fresh new install.

Thanks for the troubleshooting help.

Oh! I wonder if this is causing an issue: farmOS/farm_api.install at eb6f1043da00b7b21d122d3cba626c4d026371c3 · farmOS/farmOS · GitHub

That code tries to create keys for OAuth2, but if it fails then the rest of that function doesn’t run. Maybe that’s happening to you? Do you see a farm_api error in Administration > Reports > Recent Log Messages?

We should probably remove that return; do you agree @paul121? It only prevents the farm consumer from being created, which isn’t helpful.

@BOTLFarm if you comment out that return; statement, and reinstall farm_api, I bet you’ll see the farm client show up.

That doesn’t resolve the keys issue though… that code is essentially trying to create a keys directory one level up from the webroot. If you create that yourself, and make it writable by Apache (before you reinstall the module) then maybe it will work!

@mstenta Looks like you may had a mistake in your past post when mentioned farm_ui instead of farm_api?

I did uninstall farm_api and reinstall it. This did create the farm client for me but I was still having key issues not having a directory assigned. I was able to provide a temporary directory for testing and this all works now. WFS connection to QGIS is working.

Im looking to a clean install now that I have played around with 2.x for a while and ready to switch over my production site soon.

Thanks again everyone for your help. This community is amazing!

Glad you got it working!

If it’s cool with you, I think I might rename this thread to make it clearer that it was mostly an OAuth connection issue.

Oops! My bad @BOTLFarm - thanks for pointing that out - I edited my previous comment to prevent future confusion.

Glad you got it working! I will open an issue to make that keys/clients installation more robust…

Im looking to a clean install now that I have played around with 2.x for a while and ready to switch over my production site soon.

FYI @BOTLFarm I’m hoping to tag 2.0.0-beta3 very soon!

@Symbioquine I have renamed the thread, hopefully it is clear now for others.

Looks good to me!

Looks like I’m still having an issue with this on a clean install of beta-3. The farm client was made but there is still the issue of it not creating the directory opt/drupal/keys/. Should this be done automatically with a docker-compose install or is it something that would need to be manually made and permissions set? Also this folder is outside the sites directory so wouldn’t it get deleted every time the container was closed?

Should this be done automatically with a docker-compose install or is it something that would need to be manually made and permissions set?

No, unfortunately this is not something that the Docker Composer installation currently handles automatically - so we should open an issue for this. In the meantime you need to create the directory manually and set the permissions so they are readable only by Apache (www-data user).

Also this folder is outside the sites directory so wouldn’t it get deleted every time the container was closed?

Yes this is true! Sounds like we need some additions to the documentation to describe best practice around this.

The best thing to do is probably mount that directory as another Docker volume.

Thanks. I am working on documenting this whole install and will add this to it.

Im not super familiar with how to do this but some quick searching looks like inside the farmOS image I can run this.

chown -R www-data:www-data keys
chmod -R 770 keys

This appears to work, not sure it is best practices.