OAuth error when connecting to Alby Account #1042

Open
ZenulAbidin opened this issue Jan 29, 2025 · 8 comments

@ZenulAbidin

ZenulAbidin commented Jan 29, 2025

Problem

After running Alby Hub, integration with Alby Account is broken because after pasting the Authorization code, this status 500 error appears in the logs:

{"error":"oauth2: \"invalid_request\" \"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed\"","level":"error","msg":"Failed to handle Alby OAuth callback","time":"2025-01-29T09:53:18+01:00"}
{"host":"redacted","level":"info","msg":"handled API request","remote_ip":"redacted","request_id":"fadzTubTMSFgwGbEGDCrmxccwzHDbAcZ","status":500,"time":"2025-01-29T09:53:18+01:00","uri":"/api/alby/callback","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"}

The error message on the screen:

Failed to connect

500 Failed to handle Alby OAuth callback: oauth2: "invalid_request" "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed"

This prevents the Hub from connecting to Alby Account.

The problem occurs with both the docker containers and the one-click install script.

EDIT: In the callback URL endpoint there seems to be some problem running the albyHttpSvc.albyOAuthSvc.CallbackHandler method that causes the above error:

func (albyHttpSvc *AlbyHttpService) albyCallbackHandler(c echo.Context) error {
	code := c.QueryParam("code")
	err := albyHttpSvc.albyOAuthSvc.CallbackHandler(c.Request().Context(), code, albyHttpSvc.svc.GetLNClient())
	if err != nil {
		logger.Logger.WithError(err).Error("Failed to handle Alby OAuth callback")
		return c.JSON(http.StatusInternalServerError, ErrorResponse{
			Message: fmt.Sprintf("Failed to handle Alby OAuth callback: %s", err.Error()),
		})
	}

Software Information

AlbyHub v1.13.0

System Information

copied and pasted from neofetch

OS: Debian GNU/Linux 12 (bookworm) x86_64
Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-8.1)
Kernel: 6.1.0-25-amd64
Uptime: 125 days, 3 hours, 6 mins
Packages: 470 (dpkg)
Shell: bash 5.2.15
Resolution: 1280x800
CPU: QEMU Virtual version 2.5+ (2) @ 3.499GHz
GPU: 00:02.0 Vendor 1234 Device 1111
Memory: 1313MiB / 15957MiB
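
The handler quoted in the post above hands whatever `c.QueryParam("code")` returns straight to the exchange, so a missing, empty or repeated `code` only surfaces as the provider's `invalid_request` and a 500. An added example, not part of the issue or of Alby Hub's code (`checkCallbackQuery`, its error values and the sample queries are hypothetical), of a check that rejects those cases before any token request is sent:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// One error per condition named in the provider's invalid_request message.
var (
	ErrCodeMissing  = errors.New("callback has no code parameter")
	ErrCodeEmpty    = errors.New("callback code parameter is empty")
	ErrCodeRepeated = errors.New("callback includes code more than once")
	ErrProvider     = errors.New("provider returned an error instead of a code")
)

// checkCallbackQuery (hypothetical helper) validates the raw query string of an
// OAuth callback and returns the authorization code only if it is usable.
func checkCallbackQuery(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", fmt.Errorf("malformed callback query: %w", err)
	}
	// RFC 6749 section 4.1.2.1: a denied authorization arrives as error=...
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("%w: %q", ErrProvider, e)
	}
	codes, ok := q["code"]
	if !ok {
		return "", ErrCodeMissing
	}
	if len(codes) > 1 {
		return "", ErrCodeRepeated
	}
	code := strings.TrimSpace(codes[0]) // a pasted code may carry whitespace
	if code == "" {
		return "", ErrCodeEmpty
	}
	return code, nil
}

func main() {
	// Constructed sample queries, not taken from a real exchange.
	for _, raw := range []string{"code=abc123", "code=", "state=x", "code=a&code=b", "error=access_denied"} {
		code, err := checkCallbackQuery(raw)
		fmt.Printf("%-22q code=%q err=%v\n", raw, code, err)
	}
}
```

A handler using such a check can answer with a 400 and a specific message instead of forwarding the request and reporting a 500.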

@ZenulAbidin
Author

It doesn't work in v1.12.0 either.

@bumi
Contributor

bumi commented Jan 29, 2025

thanks for debugging this.
to confirm you enter the correct access token that you get after the redirect?

@ZenulAbidin
Author

> thanks for debugging this. to confirm you enter the correct access token that you get after the redirect?

That's right.

I have tried this with Alby's default callback endpoint and also with the Hub's own callback. The result was the same in both cases - it appears that the oauth exchange method cannot generate the token because the POST method body is wrong.

I can successfully generate a token if I construct my own API request:

[Image: api request]

I've checked the oauth2 module that Alby is using as well as its source and it looks like the same parameters are being added too.

But I have no idea what payload is being sent by the module.

ZenulAbidin added a commit to ZenulAbidin/hub that referenced this issue Jan 30, 2025
@ZenulAbidin
Author

ZenulAbidin commented Jan 30, 2025

I have managed to get a hold of the request that the OAuth2 library is making to Alby by injecting some HTTP logging into the codebase. Here's the branch for reference if you want to run it yourself.

POST /oauth/token HTTP/1.1
Host: api.getalby.com
User-Agent: Go-http-client/1.1
Content-Length: 121
Authorization: Basic <client id:client secret combo - redacted>
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

code=&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fnodes.blitz.zerstrorer.space%3A8080%2Fapi%2Falby%2Fcallback

It looks like the code parameter is not being set properly in the golang source, which causes the oauth2 module to not send it to Alby.

Client authentication seems to work whether the client ID and secret are in the Authorization header or in the form body though.

Let me see if I can make a fix for this.


edit: it looks like there are other errors in the GetMe function after I retrieve the token. It's weird because it happens whether or not I set the password.

{"level":"info","msg":"Outbound request:\nGET /internal/users HTTP/1.1\r\nHost: api.getalby.com\r\nUser-Agent: AlbyHub/\r\nAuthorization: Bearer <redacted>\r\nContent-Type: application/json\r\nAccept-Encoding: gzip\r\n\r\n\n","time":"2025-01-30T10:16:48+01:00"}
{"level":"info","msg":"Inbound response:\nHTTP/2.0 401 Unauthorized\r\nAccess-Control-Allow-Headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-User-Agent\r\nAccess-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Max-Age: 5\r\nCache-Control: no-cache\r\nCf-Cache-Status: DYNAMIC\r\nCf-Ray: 90a05d836bd5d385-FRA\r\nContent-Type: text/html\r\nDate: Thu, 30 Jan 2025 09:16:48 GMT\r\nNel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nReferrer-Policy: strict-origin-when-cross-origin\r\nReport-To: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=lh9YrBKqtHwuph0ku4jsM8Qy%2F2o6X30Pzh4LTkJ%2BWA4%2FoBK5rN8jLFiX4b46CQ9kp72JsyGjYw2jU1%2FiMww11CIe8%2B5zjrdWLTxYHnx5aCdsIqnO44xbK67xte53Vt7qFg%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nServer: cloudflare\r\nServer-Timing: cfL4;desc=\"?proto=TCP\u0026rtt=1046\u0026min_rtt=992\u0026rtt_var=251\u0026sent=9\u0026recv=14\u0026lost=0\u0026retrans=0\u0026sent_bytes=5383\u0026recv_bytes=2147\u0026delivery_rate=4305252\u0026cwnd=192\u0026unsent_bytes=0\u0026cid=d81e27c14376d170\u0026ts=102\u0026x=0\"\r\nStrict-Transport-Security: max-age=15724800; includeSubDomains\r\nX-Content-Type-Options: nosniff\r\nX-Download-Options: noopen\r\nX-Frame-Options: SAMEORIGIN\r\nX-Permitted-Cross-Domain-Policies: none\r\nX-Rack-Cors: miss; no-origin\r\nX-Request-Id: 0f15bd394d12f7c9a954c5936fb3652d\r\nX-Runtime: 0.013617\r\nX-Xss-Protection: 1; mode=block\r\nContent-Length: 0\r\n\r\n\n","time":"2025-01-30T10:16:48+01:00"}
{"body":"","level":"error","msg":"users endpoint returned non-success code","statusCode":401,"time":"2025-01-30T10:16:48+01:00"}
{"error":"users endpoint returned non-success code: ","level":"error","msg":"Failed to fetch user me","time":"2025-01-30T10:16:48+01:00"}
{"error":"users endpoint returned non-success code: ","level":"error","msg":"Failed to handle Alby OAuth callback","time":"2025-01-30T10:16:48+01:00"}

It's calling an internal method of api.getalby.com if I'm understanding correctly?
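
Logging the raw exchange, as in the comment above, writes the client secret, the authorization code and the bearer token to the log unless they are masked by hand. An added example, not part of the thread or of Alby Hub (`dumpRedacted` is a hypothetical helper and the sample values are constructed), that dumps an outbound request in the same wire format with those values masked, while an empty `code=` stays visible:

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// dumpRedacted (hypothetical helper) dumps req in wire format with credentials masked; req stays sendable.
func dumpRedacted(req *http.Request) (string, error) {
	shown := ""
	if req.Body != nil {
		raw, err := io.ReadAll(req.Body)
		if err != nil {
			return "", err
		}
		shown = string(raw)
		req.Body = io.NopCloser(strings.NewReader(shown)) // restore for the real send
	}
	if strings.HasPrefix(req.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
		if form, err := url.ParseQuery(shown); err == nil {
			for _, f := range []string{"code", "client_secret", "refresh_token", "code_verifier"} {
				if form.Get(f) != "" { // an empty value stays visibly empty
					form.Set(f, "REDACTED")
				}
			}
			shown = form.Encode()
		}
	}
	shadow := req.Clone(req.Context()) // Clone deep-copies the headers
	shadow.Body = io.NopCloser(strings.NewReader(shown))
	shadow.ContentLength = int64(len(shown))
	if scheme, _, ok := strings.Cut(shadow.Header.Get("Authorization"), " "); ok {
		shadow.Header.Set("Authorization", scheme+" REDACTED")
	}
	out, err := httputil.DumpRequestOut(shadow, true)
	return string(out), err
}

func main() {
	// Constructed sample shaped like the token request captured above.
	req, _ := http.NewRequest("POST", "https://api.getalby.com/oauth/token", strings.NewReader("code=CONSTRUCTED&grant_type=authorization_code"))
	req.SetBasicAuth("constructed-id", "constructed-secret")
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	out, _ := dumpRedacted(req)
	fmt.Print(out)
}
```

`httputil.DumpRequestOut` renders the request through an in-memory connection, so producing the dump sends nothing to the network.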

@rolznz
Contributor

rolznz commented Jan 31, 2025

Hi @ZenulAbidin, there are some internal API endpoints used by Alby Hub that are only available to certain OAuth Clients maintained by Alby. It looks like you are using an OAuth client you created yourself, is this correct?

Is there a reason why you do not use the default OAuth client? Do you plan to host many Alby Hub nodes on your own infrastructure?

@ZenulAbidin
Author

ZenulAbidin commented Jan 31, 2025 via email

@rolznz
Contributor

rolznz commented Feb 1, 2025

@ZenulAbidin so even when you do not set the ALBY_OAUTH_CLIENT_ID and ALBY_OAUTH_CLIENT_SECRET, you still get intermittent issues?

Unfortunately Alby Hub will not work properly with custom-created OAuth clients from the https://getalby.com/developer page. The only OAuth client that will work is the default one (which does a redirect to getalby.com and the user must copy the code and paste it in the hub to login).

@ZenulAbidin
Author

ZenulAbidin commented Feb 1, 2025 via email
