# "Not Found" error when attempting to Login using OAuth2

median maple
#

I'm working on an Android app that would allow users to login to their Lichess account and play against others. I have read the documentation for https://lichess.org/api#tag/OAuth/operation/oauth and I believe I am sending everything that is required. My app will open a webview to the lichess login, but once I enter my credentials and press login I get a notification that says "lichess.org says Not Found". I've double checked I'm sending all of the required fields, but I can't seem to figure out what the issue is.

thin breach
#

Maybe you can try to explain how you do things, for instance how you build the requests and to which URLs you send them.

Note, you are not supposed to try to render the Lichess sign in page in your application for users to enter their username and password.
You are supposed to send the user to the /oauth page (where they are often already signed in because their browser has a session cookie, unless they've signed out) - and they can choose to grant or not to grant your application the right to fetch a token.

empty drift
#

my guess would be, you're sending a relative redirect url

#

but yeah, seeing the actual url you're sending users to would be helpful

median maple
#

I'm using AppAuth to create the requests that send the user to the site. Here is the code:

    companion object {
        private const val LICHESS_HOST = "https://lichess.org"
        private const val CLIENT_ID = "myapp.com" // This is not the real one but it is similar
        private val SCOPES = listOf("email:read", "challenge:read", "challenge:write", "board:play")
    }

    private val serviceConfiguration = AuthorizationServiceConfiguration(
        Uri.parse("$LICHESS_HOST/oauth"), // authorization endpoint
        Uri.parse("$LICHESS_HOST/api/token") // token endpoint
    )

    val authorizationRequest = AuthorizationRequest.Builder(
        serviceConfiguration,
        CLIENT_ID,
        ResponseTypeValues.CODE,
        Uri.parse("myapp.com://oauth2callback")
    ).setScopes(SCOPES)
        .setCodeVerifier(codeVerifier, codeChallenge, codeChallengeMethod)
        .setAdditionalParameters(
            mapOf(
                "schema" to "application/x-www-form-urlencoded"
            )
        )
        .build()

It appears to be taking me to lichess.org instead of lichess.org/oauth. The site says "Sign in" and has the fields for username and password. @thin breach this is running on a multiline braille display that is running Android. No one who will use this app will already be signed in.

empty drift
#

are you sure that . is a legal character in a url custom protocol?

#

Hm, seems like it should be

#

still, it very much sounds like there's something wrong with the redirect url

median maple
#

I can change that and see if that works.

#

Doing that breaks the whole request. It seems my redirect url was correct. It has to be in the format "com.example://something".

empty drift
#

can you somehow debug the webview and see the actual url you're getting directed to (either on lichess or afterwards).

median maple
#

I messed up when posting my example code. My actual redirect url is "com.example://oauth2callback"

empty drift
#

actually, "schema" to "application/x-www-form-urlencoded" seems very strange. the value is the content type, not the schema. is that maybe telling AppAuth that you want to use that as a schema and then it prepends that to your redirect url?

#

although then it would be strange that your change just now broke the request

#

that's not even the correct content type for this request though. either way try removing that part.

median maple
#

I had seen on the api webpage that the request body needed to be "application/x-www-form-urlencoded". Adding that code did not change anything. I added it because of the issue I am experiencing. I will remove that.

empty drift
#

the second one seems very strange. the first one seems better but if that's the full url, it's missing a bunch of things and the redirect_uri is definitely wrong

median maple
#

That's not the full url for the first or second one. Let me try to get you as close to the full one as I can. It's very hard to read.

empty drift
#

can you maybe run your app in an android emulator or on another android device? or maybe you can use chrome remote debugging to debug the webview from your pc. i assume the device is already in debugging mode so you can run your app. as long as the webview is chromium, this should be very easy: https://developer.chrome.com/docs/devtools/remote-debugging

median maple
#

Unfortunately my code only works on this braille device and the only web browser on it is Ecosia which I have never really used.

empty drift
#

it looks like ecosia is based on chromium so chrome remote debugging probably works

#

that url above looks cut off though

median maple
#

I also think it is cut off, but I can't figure out how to get the full thing. Give me a minute and I'll see if I can figure out how to get the complete url.

empty drift
#

it looks more or less correct until there though

empty drift
#

hm, are you actually handling requests to your custom scheme?

#

also, you mentioned above that it says "lichess.org says Not Found" after you login. what url does it show then?

median maple
#

It's a notification that pops up on the webpage. It has the title "lichess.org says" and the message body says "Not Found"

#

I guess the "Not Found" means that it can't find anything that uses my redirect uri. I just ran it with my debugger on and it never tries to go back to my app after I enter my username and password.

empty drift
#

Hm, can you login on lichess.org regularly on that device's browser?

median maple
#

No...I can't

#

Well I guess there is my problem right there.

#

I wonder why that is?

#

Ugh. I'm sorry for wasting your time with this. I should have checked that first.

empty drift
#

tbh that "Not Found" alert still seems very strange

#

have you tried whether you can get chrome remote debugging to work? seeing the network requests probably would make it a lot clearer where the problem might be.

median maple
#

The plot thickens. I downloaded and installed Ecosia on my desktop device, but I am able to login to Lichess from there. I just can't login to lichess from the version that is on my braille display.

#

I will try to get the remote debugging to work.

#

They have no developer tools option for Ecosia on my device.

#

There was a setting that blocked all pop-ups and redirects and I've changed that to allow and it still does not work. It says it is in Beta so maybe it's just broken on android.

empty drift
#

i assume you already have your device connected via usb and usb debugging enabled to run your app?

#

since ecosia seems to be chromium based, there should be a pretty high chance that you can just debug it via chrome on your pc

median maple
#

I can see it in the devices, but when I click inspect I get 404 error.

#

I'm working on a trace of the Chrome developer tools. hopefully something in there shows up.

#

I managed to get the debugger working using Edge. When I click the "login" button I get a 404 error because it failed to load a resource.

#

Whatever it is trying to fetch when the login button is pressed can't be found.

empty drift
#

can you see which resource it's trying to fetch?

#

e.g. in the network panel

median maple
empty drift
#

Hm, can you see the response body? does it say anything?

median maple
#

I don't get a response unfortunately.

#

There actually is a response it just took some time to load. It says "Not Found"

empty drift
#

Hmmmmm, can you see the user agent header that is sent?

median maple
#

I looked at the payload and it has my user name and password but there is no token.

empty drift
#

no, in headers, the "User-Agent" header

#

something like user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 but the value is probably very different for you

median maple
#

user-agent:
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 (Ecosia android@119)

empty drift
#

yeah, ok, Lichess apparently specifically blocks user agents with "Ecosia" as bots. i'll have to check if i can find out why

median maple
#

But I can login using Ecosia on my desktop though. Very weird.

empty drift
#

it probably sends a different user agent on desktop

median maple
#

It does. Dang it

#

I would like to say thank you for all of the help you've given. I really appreciate it.

empty drift
#

np. i asked Thibault if he still remembers details about the Ecosia crawler he was trying to block so that the check can be made more specific and won't exclude the browser.

median maple
#

I would really appreciate it and all of the blind/low vision users would appreciate it as well.

#

The way our device is set up I don't think it would be possible for our users to install a different browser since we do not have access to the Google Play Store.

#

Thank you so much for helping me work through this problem. I cannot stress that enough.

empty drift
#

Thibault removed the restriction. It'll need a deployment to take effect though. The next one is planned for tomorrow morning (EU-time). You can also check the last boot time here at the top to see whether it was already done: https://lichess.org/source

median maple
#

Thank you so much!

median maple
#

@empty drift I see that the server has been updated and I no longer get the "Not Found" error, but I'm hoping you can help me figure out the new error I'm getting. Every time I try to sign in I get the error "Must be at least 2 characters long" for my username. I've tried both my username (5 characters long) and my email (13 characters long) and it gives the same error. This is not using the Oauth web address. This is just on lichess.org since I wanted to make sure that was working properly.

#

I will open this as a new post with more detail.