Page MenuHomePhabricator
Create Task
Maniphest T105387

Unexpected 301 redirect when calling Special:OAuth/identify during OAuth exchange
Closed, ResolvedPublic
Actions

Description

As of a couple hours ago (probably the new wmf13 deployment) my OAuth app breaks on attempts to log in via OAuth. After clicking 'allow', I get what I think is a JSON decode error, "JWT::DecodeError | Not enough or too many segments"

Details

SubjectRepoBranchLines +/-
Never canonicalize Special:OAuth URLsmediawiki/extensions/OAuthmaster+4 -4
text varnish: pass all "Authorization: OAuth " requestsoperations/puppetproduction+30 -0
Prevent canonical redirect when OAuth is in usemediawiki/extensions/OAuthwmf/1.26wmf13+16 -0
Prevent canonical redirect when OAuth is in usemediawiki/extensions/OAuthmaster+16 -0
Customize query in gerrit

Related Objects

Event Timeline

Ragesoss created this task.Jul 9 2015, 7:11 PM
Ragesoss raised the priority of this task from to Unbreak Now!.
Ragesoss updated the task description. (Show Details)
Ragesoss added a project: MediaWiki-Core-AuthManager.
Ragesoss subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 9 2015, 7:11 PM
Ragesoss set Security to None.Jul 9 2015, 7:11 PM
Ragesoss added a subscriber: bd808.
Ragesoss added a comment.Jul 9 2015, 7:39 PM

The Omniauth-mediawiki gem, https://github.com/timwaters/omniauth-mediawiki, breaks because of newly introduced redirection. There's a response object that was previously handled fine, and now it's an unexpected 301 Moved Permanently response.

Ragesoss added a comment.Jul 9 2015, 7:43 PM

The example hello world is broken too: https://tools.wmflabs.org/oauth-hello-world/

bd808 added a comment.Jul 9 2015, 7:54 PM

Possibly related to T67402: URLs for the same title without extra query parameters should have the same canonical link and https://gerrit.wikimedia.org/r/#/c/219446/

gerritbot subscribed.Jul 9 2015, 8:40 PM

Change 223952 had a related patch set uploaded (by BryanDavis):
Prevent canonical redirect when OAuth is in use

https://gerrit.wikimedia.org/r/223952

gerritbot added a project: Patch-For-Review.Jul 9 2015, 8:40 PM
gerritbot added a comment.Jul 9 2015, 8:56 PM

Change 223952 merged by jenkins-bot:
Prevent canonical redirect when OAuth is in use

https://gerrit.wikimedia.org/r/223952

Anomie mentioned this in rMEXTc45794472ded: Updated mediawiki/extensions Project: mediawiki/extensions/OAuth….Jul 9 2015, 8:56 PM
bd808 mentioned this in rEOAUb1b824cb3c98: Prevent canonical redirect when OAuth is in use.Jul 9 2015, 9:00 PM
Forrestbot added a project: WMF-deploy-2015-07-14_(1.26wmf14).Jul 9 2015, 9:00 PM
gerritbot added a comment.Jul 9 2015, 9:06 PM

Change 223961 had a related patch set uploaded (by Gergő Tisza):
Prevent canonical redirect when OAuth is in use

https://gerrit.wikimedia.org/r/223961

gerritbot added a comment.Jul 9 2015, 9:10 PM

Change 223961 merged by jenkins-bot:
Prevent canonical redirect when OAuth is in use

https://gerrit.wikimedia.org/r/223961

Tgr mentioned this in rEOAU7066ab7c14bf: Prevent canonical redirect when OAuth is in use.Jul 9 2015, 9:10 PM
Anomie mentioned this in rMW5153eb27a994: Updated mediawiki/core Project: mediawiki/extensions/OAuth….Jul 9 2015, 9:10 PM
Ragesoss added a comment.Jul 9 2015, 9:43 PM

The app breaks at line 82 of the OAuth gem: https://github.com/timwaters/omniauth-mediawiki/blob/master/lib/omniauth/strategies/mediawiki.rb#L82

Instead of the expected data, it's a Net:HTTPPermanentRedirect

Tgr subscribed.Jul 9 2015, 9:51 PM
gtisza@GergoTisza:~$ curl -sSv -o/dev/null 'https://en.wikipedia.org/w/index.php?title=Special:OAuth/identify'
(...)
< HTTP/1.1 301 Moved Permanently
* Server nginx/1.9.2 is not blacklisted
< Server: nginx/1.9.2
< Date: Thu, 09 Jul 2015 21:50:10 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: HHVM/3.6.1
< X-Content-Type-Options: nosniff
< Vary: Accept-Encoding,X-Forwarded-Proto,Cookie
< Location: https://en.wikipedia.org/wiki/Special:OAuth/identify
< Last-Modified: Thu, 09 Jul 2015 21:50:10 GMT
< X-Varnish: 4239197068, 3689971860, 3766942613
< Via: 1.1 varnish, 1.1 varnish, 1.1 varnish
< Age: 0
< X-Cache: cp1054 miss (0), cp4017 miss (0), cp4017 frontend miss (0)
< Strict-Transport-Security: max-age=31536000
< Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
< Set-Cookie: GeoIP=US:CA:San_Francisco:37.7898:-122.3942:v4; Path=/; Domain=.wikipedia.org
< X-Analytics: https=1
< Set-Cookie: WMF-Last-Access=09-Jul-2015;Path=/;HttpOnly;Expires=Mon, 10 Aug 2015 12:00:00 GMT
Forrestbot added a project: WMF-deploy-2015-07-07_(1.26wmf13).Jul 9 2015, 10:00 PM
Tgr added a comment.Jul 9 2015, 10:05 PM
gtisza@GergoTisza:~$ curl -sSv -o/dev/null 'https://en.wikipedia.org/w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&&' |& grep -P 'HTTP/|Location|X-Cache'
> GET /w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&& HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://en.wikipedia.org/wiki/Special:OAuth/identify
< X-Cache: cp1055 miss (0), cp4018 miss (0), cp4017 frontend miss (0)
gtisza@GergoTisza:~$ curl -sSv -o/dev/null 'https://en.wikipedia.org/w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&&' |& grep -P 'HTTP/|Location|X-Cache'
> GET /w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&& HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://en.wikipedia.org/wiki/Special:OAuth/identify
< X-Cache: cp1055 miss (0), cp4018 miss (0), cp4017 frontend hit (1)
gtisza@GergoTisza:~$ curl -sSv -o/dev/null -H 'Authorization: OAuth fake="yes"' 'https://en.wikipedia.org/w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&&' |& grep -P 'HTTP/|Location|X-Cache'
> GET /w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&& HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://en.wikipedia.org/wiki/Special:OAuth/identify
< X-Cache: cp1055 miss (0), cp4018 miss (0), cp4017 frontend hit (2)

The 301 gets cached in Varnish which ignores Cache-Control: private and does not vary on the Authorization header.

bd808 added a comment.Jul 9 2015, 10:28 PM

http://dashboard-testing.wikiedu.org/ seems to work again now. We are still debating if there are cached 301 responses in Varnish that will need to be forced out of cache.

gerritbot added a comment.Jul 9 2015, 11:03 PM

Change 223980 had a related patch set uploaded (by Gergő Tisza):
Never canonicalize Special:OAuth URLs

https://gerrit.wikimedia.org/r/223980

Tgr added a comment.EditedJul 9 2015, 11:42 PM

Recap of IRC discussion: MediaWiki sends Cache-control: s-maxage=1200, must-revalidate, max-age=0 on its tryNormalizeRedirect 301s (which is completely independent from the Cache-Control header that's put by Varnish on outgoijng requests). Varnish would normally ignore that because it doesn't cache requests with an Authorization header (the RfC allows but does not require caching of authorization-enabled requests with cache-control: public) but it seems like we tell it not to; that should probably be fixed.

The current state is that requests without an OAuth header get redirected and that redirect gets cached and that affects subsequent requests even if they have an OAuth header. (See P931 for a reproduction.) There is no non-OAuth traffic going to Special:OAuth/identify which is the only affected endpoint, so this is no immediate priority, but should be fixed soon.

gerritbot added a comment.Jul 10 2015, 1:54 AM

Change 223997 had a related patch set uploaded (by BBlack):
text varnish: pass all "Authorization: OAuth " requests

https://gerrit.wikimedia.org/r/223997

zhuyifei1999 merged a task: T105375: Login fail with "Curl error: " due to 301 generated by OAuth provider.Jul 10 2015, 2:31 PM
zhuyifei1999 added subscribers: Krinkle, csteipp, Rillke and 2 others.
bd808 renamed this task from OAuth login response has changed, no longer works for dashboard.wikedu.org to Unexpected 301 redirect when calling Special:OAuth/identify during OAuth exchange.Jul 10 2015, 4:35 PM
gerritbot added a comment.Jul 10 2015, 5:38 PM

Change 223997 merged by BBlack:
text varnish: pass all "Authorization: OAuth " requests

https://gerrit.wikimedia.org/r/223997

BBlack mentioned this in rOPUPb156921ce6e6: text varnish: pass all "Authorization: OAuth " requests.Jul 10 2015, 5:38 PM
Tgr added a project: MediaWiki-extensions-OAuth.Jul 10 2015, 6:01 PM
Tgr closed this task as Resolved.Jul 10 2015, 6:10 PM
Tgr claimed this task.
Tgr mentioned this in T78314: Add tests against beta to catch OAuth integration issues.Jul 10 2015, 6:12 PM
gerritbot added a comment.Jul 10 2015, 8:17 PM

Change 223980 abandoned by Gergő Tisza:
Never canonicalize Special:OAuth URLs

Reason:
Obsoleted by I805cbc12792411395073cbc404ba7430867c8ecc

https://gerrit.wikimedia.org/r/223980

Tgr mentioned this in T59576: GET call to Special:OAuth/$par without query strings (but with Authorization header) shouldn't be redirected to pretty URLs.Jan 22 2017, 8:27 PM
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptMay 31 2018, 7:31 PM
Anomie merged a task: T59576: GET call to Special:OAuth/$par without query strings (but with Authorization header) shouldn't be redirected to pretty URLs.May 31 2018, 7:31 PM
Anomie added subscribers: liangent, Ricordisamoa, Anomie and 4 others.
Aklapper removed subscribers: wikibugs-l-list, Anomie.Oct 16 2020, 5:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL