"Server denied check_authentication" from bazaar.launchpad.net private branch since 11926 deployed

Bug #676372 reported by Robert Collins
This bug affects 7 people
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: William Grant
Milestone:

Changed in launchpad:
importance: High → Critical
Michael Hudson-Doyle (mwhudson) wrote:

Looking at the openid code, this seems to be the case where the RP checks directly with the OP that the user really was authenticated by the OP and this is failing.

It looks like python-openid logs some messages about what is going on -- to stderr, of all places! Do we keep the stderr of codebrowse anywhere?

William Grant (wgrant) wrote:

This turns out to be because we have two instances of codebrowse which don't share OpenID associations. So an OpenID response signature is only valid for the instance that requested auth in the first place, which is often not the one that is redirected back to. Upon seeing the invalid signature, the instance tries to use check_authentication, which consistently fails. staging/dev only have a single codebrowse instance, so the check_authentication code is never used.

William Grant (wgrant) wrote:

After poking around locally and in the OpenID spec, it turns out that check_authentication only works with a stateless association handle. But codebrowse's requests and their responses have a stateful association, so check_authentication attempts fail.

As a quick fix we can change RootApp._make_consumer to not pass in a store. This will force it to use check_authentication every time, which works. Longer-term we may want to share a store between the instances.
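
The two comments above describe the mechanism behind the error in the bug title: an OpenID response is signed with whichever association handle the *originating* RP instance negotiated, and OpenID 2.0 (section 11.4.2.1) forbids the OP from verifying shared-secret (stateful) handles via check_authentication, so a second instance with its own store can neither verify locally nor fall back. The following is an added toy simulation (editor's example, not Launchpad or python-openid code) of both sides of that exchange; the `Provider` and `RelyingPartyInstance` classes, the URLs and the scenario names are all constructed for illustration. `store=None` mirrors what dropping the store from `RootApp._make_consumer` does, and a shared dict mirrors the longer-term option of sharing a store between instances.

```python
import hashlib
import hmac
import os


def _mac(secret, fields):
    """HMAC over every signed field except the signature itself."""
    msg = "\n".join(f"{k}:{v}" for k, v in sorted(fields.items()) if k != "sig")
    return hmac.new(secret, msg.encode(), hashlib.sha1).hexdigest()


class Provider:
    """Toy OpenID Provider (constructed). Remembers which handles were issued as
    shared (stateful) associations and which are private (stateless) handles."""

    def __init__(self):
        self.shared = {}   # handle -> secret, also known to the RP that associated
        self.private = {}  # handle -> secret, known only to the OP

    def associate(self):
        """Stateful association: RP and OP agree on a shared secret."""
        handle, secret = os.urandom(8).hex(), os.urandom(20)
        self.shared[handle] = secret
        return handle, secret

    def sign(self, handle, fields):
        """Sign a positive assertion. If the RP sent no handle (stateless mode),
        the OP invents a private one so check_authentication can verify later."""
        if handle is None:
            handle = os.urandom(8).hex()
            self.private[handle] = os.urandom(20)
        secret = self.shared.get(handle) or self.private[handle]
        signed = dict(fields, assoc_handle=handle)
        signed["sig"] = _mac(secret, signed)
        return signed

    def check_authentication(self, response):
        """OpenID 2.0 s11.4.2.1: only signatures made with private associations
        are verified; a shared handle here means the RP lost (or never had) the secret."""
        handle = response["assoc_handle"]
        if handle not in self.private:
            return False
        return hmac.compare_digest(_mac(self.private[handle], response), response["sig"])


class RelyingPartyInstance:
    """One codebrowse-like RP process (constructed). `store` maps handle -> secret;
    None means stateless mode, i.e. check_authentication on every response."""

    def __init__(self, op, store):
        self.op, self.store = op, store

    def begin(self):
        """With a store: associate first and ask the OP to sign with that handle.
        Without one: send no handle and rely on check_authentication."""
        if self.store is None:
            return None
        handle, secret = self.op.associate()
        self.store[handle] = secret
        return handle

    def complete(self, response):
        """Verify locally if we know the handle, otherwise fall back to the OP."""
        handle = response["assoc_handle"]
        secret = None if self.store is None else self.store.get(handle)
        if secret is not None:
            if not hmac.compare_digest(_mac(secret, response), response["sig"]):
                raise ValueError("Bad signature")
            return "ok (verified locally)"
        # Unknown handle: stateless verification is the only path left.
        if not self.op.check_authentication(response):
            raise ValueError("Server denied check_authentication")
        return "ok (verified via check_authentication)"


def run(begin_rp, complete_rp):
    """Login starts on one instance; the OP redirects back to (possibly) another."""
    handle = begin_rp.begin()
    response = begin_rp.op.sign(handle, {"identity": "https://login.example/~alice",
                                         "return_to": "https://bazaar.example/"})
    try:
        return complete_rp.complete(response)
    except ValueError as e:
        return str(e)


def scenario_single_instance():      # staging/dev: one instance, never needs check_auth
    op = Provider()
    a = RelyingPartyInstance(op, {})
    return run(a, a)                 # -> 'ok (verified locally)'

def scenario_separate_stores():      # production before the fix
    op = Provider()
    return run(RelyingPartyInstance(op, {}), RelyingPartyInstance(op, {}))

def scenario_no_store():             # the quick fix: stateless mode everywhere
    op = Provider()
    return run(RelyingPartyInstance(op, None), RelyingPartyInstance(op, None))

def scenario_shared_store():         # the longer-term option
    op, shared = Provider(), {}
    return run(RelyingPartyInstance(op, shared), RelyingPartyInstance(op, shared))
```

The separate-store scenario reproduces the exact failure path: the handle is unknown to the second instance, so it asks the OP, and the OP refuses because the handle is a shared one. Stateless mode costs one extra round trip to the OP per login, which is the trade-off the shared store avoids.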

William Grant (wgrant)
Changed in launchpad:
assignee: nobody → William Grant (wgrant)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote:
Changed in launchpad:
milestone: none → 11.02
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
William Grant (wgrant) wrote:

There is another failure in this stack of fail. Production check_authentication requests often exceed 1KiB of POST data, which causes curl to send Expect: 100-continue, so Apache sends 100 Continue, which python-openid chokes on. We should probably suppress the Expect header.
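
The second failure is a plain HTTP/1.1 detail: when curl sends `Expect: 100-continue`, the server's reply on the wire begins with an interim `HTTP/1.1 100 Continue` response followed by the real one, and a reader that trusts the first status line sees a 100 with an empty body. Besides suppressing the header on the client (curl drops it when given an empty `Expect:` header), the robust fix is to skip 1xx interim responses when reading. The following is an added example (editor's code, not python-openid's fetcher) with a constructed byte string standing in for what the RP would receive from a check_authentication POST; the response body is a made-up key:value document in the OpenID style.

```python
def _parse_response(raw):
    """Parse an HTTP/1.1 response, skipping any 1xx interim responses (RFC 7231 s6.2).
    Returns (status_code, headers, body)."""
    rest = raw
    while True:
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete HTTP response")
        status_line, *header_lines = head.split(b"\r\n")
        parts = status_line.split(b" ", 2)
        if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
            raise ValueError("malformed status line: %r" % status_line)
        code = int(parts[1])
        if 100 <= code < 200:
            # Interim response carries no body; the final response follows it.
            continue
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        length = int(headers.get("content-length", len(rest)))
        return code, headers, rest[:length]


def parse_response(raw):
    return _parse_response(raw)


def naive_status(raw):
    """What a reader that trusts the very first status line sees."""
    return int(raw.split(b"\r\n", 1)[0].split(b" ")[1])


def parse_kv(body):
    """OpenID-style 'key:value\\n' text/plain body into a dict."""
    out = {}
    for line in body.decode().split("\n"):
        if line:
            key, _, value = line.partition(":")
            out[key] = value
    return out


# Constructed sample wire data: Apache acknowledges the Expect header with an
# interim 100, then sends the actual check_authentication answer.
CONSTRUCTED_BODY = b"ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"
CONSTRUCTED_RESPONSE = (
    b"HTTP/1.1 100 Continue\r\n\r\n"
    + b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: text/plain\r\n"
    + b"Content-Length: " + str(len(CONSTRUCTED_BODY)).encode() + b"\r\n"
    + b"\r\n"
    + CONSTRUCTED_BODY
)


if __name__ == "__main__":
    print("naive reader sees status", naive_status(CONSTRUCTED_RESPONSE))
    code, headers, body = parse_response(CONSTRUCTED_RESPONSE)
    print("robust reader sees status", code, "is_valid =", parse_kv(body)["is_valid"])
```

The naive reader returns 100 and would then treat the verification as failed (or fall over on the empty body), which is the symptom described; the interim-aware reader returns the 200 and the `is_valid:true` document behind it.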

tags: added: qa-bad
removed: qa-needstesting
William Grant (wgrant)
tags: added: bad-commit-12290 qa-ok
removed: qa-bad
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released