Page MenuHomePhabricator

Unexpected 301 redirect when calling Special:OAuth/identify during OAuth exchange
Closed, ResolvedPublic

Description

As of a couple hours ago (probably the new wmf13 deployment) my OAuth app breaks on attempts to log in via OAuth. After clicking 'allow', I get what I think is a JSON decode error, "JWT::DecodeError | Not enough or too many segments"

Event Timeline

Ragesoss created this task.Jul 9 2015, 7:11 PM
Ragesoss raised the priority of this task from to Unbreak Now!.
Ragesoss updated the task description. (Show Details)
Ragesoss added a subscriber: Ragesoss.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 9 2015, 7:11 PM
Ragesoss set Security to None.Jul 9 2015, 7:11 PM
Ragesoss added a subscriber: bd808.

The Omniauth-mediawiki gem, https://github.com/timwaters/omniauth-mediawiki, breaks because of newly introduced redirection. There's a response object that was previously handled fine, and now it's an unexpected 301 Moved Permanently response.

Change 223952 had a related patch set uploaded (by BryanDavis):
Prevent canonical redirect when OAuth is in use

https://gerrit.wikimedia.org/r/223952

Change 223952 merged by jenkins-bot:
Prevent canonical redirect when OAuth is in use

https://gerrit.wikimedia.org/r/223952

Change 223961 had a related patch set uploaded (by Gergő Tisza):
Prevent canonical redirect when OAuth is in use

https://gerrit.wikimedia.org/r/223961

Change 223961 merged by jenkins-bot:
Prevent canonical redirect when OAuth is in use

https://gerrit.wikimedia.org/r/223961

The app breaks at line 82 of the OAuth gem: https://github.com/timwaters/omniauth-mediawiki/blob/master/lib/omniauth/strategies/mediawiki.rb#L82

Instead of the expected data, it's a Net:HTTPPermanentRedirect

Tgr added a subscriber: Tgr.Jul 9 2015, 9:51 PM
gtisza@GergoTisza:~$ curl -sSv -o/dev/null 'https://en.wikipedia.org/w/index.php?title=Special:OAuth/identify'
(...)
< HTTP/1.1 301 Moved Permanently
* Server nginx/1.9.2 is not blacklisted
< Server: nginx/1.9.2
< Date: Thu, 09 Jul 2015 21:50:10 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: HHVM/3.6.1
< X-Content-Type-Options: nosniff
< Vary: Accept-Encoding,X-Forwarded-Proto,Cookie
< Location: https://en.wikipedia.org/wiki/Special:OAuth/identify
< Last-Modified: Thu, 09 Jul 2015 21:50:10 GMT
< X-Varnish: 4239197068, 3689971860, 3766942613
< Via: 1.1 varnish, 1.1 varnish, 1.1 varnish
< Age: 0
< X-Cache: cp1054 miss (0), cp4017 miss (0), cp4017 frontend miss (0)
< Strict-Transport-Security: max-age=31536000
< Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
< Set-Cookie: GeoIP=US:CA:San_Francisco:37.7898:-122.3942:v4; Path=/; Domain=.wikipedia.org
< X-Analytics: https=1
< Set-Cookie: WMF-Last-Access=09-Jul-2015;Path=/;HttpOnly;Expires=Mon, 10 Aug 2015 12:00:00 GMT
Tgr added a comment.Jul 9 2015, 10:05 PM
gtisza@GergoTisza:~$ curl -sSv -o/dev/null 'https://en.wikipedia.org/w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&&' |& grep -P 'HTTP/|Location|X-Cache'
> GET /w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&& HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://en.wikipedia.org/wiki/Special:OAuth/identify
< X-Cache: cp1055 miss (0), cp4018 miss (0), cp4017 frontend miss (0)
gtisza@GergoTisza:~$ curl -sSv -o/dev/null 'https://en.wikipedia.org/w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&&' |& grep -P 'HTTP/|Location|X-Cache'
> GET /w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&& HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://en.wikipedia.org/wiki/Special:OAuth/identify
< X-Cache: cp1055 miss (0), cp4018 miss (0), cp4017 frontend hit (1)
gtisza@GergoTisza:~$ curl -sSv -o/dev/null -H 'Authorization: OAuth fake="yes"' 'https://en.wikipedia.org/w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&&' |& grep -P 'HTTP/|Location|X-Cache'
> GET /w/index.php?title=Special:OAuth/identify&&&&&&&&&&&&&&&&& HTTP/1.1
< HTTP/1.1 301 Moved Permanently
< Location: https://en.wikipedia.org/wiki/Special:OAuth/identify
< X-Cache: cp1055 miss (0), cp4018 miss (0), cp4017 frontend hit (2)

The 301 gets cached in Varnish which ignores Cache-Control: private and does not vary on the Authorization header.

bd808 added a comment.Jul 9 2015, 10:28 PM

http://dashboard-testing.wikiedu.org/ seems to work again now. We are still debating if there are cached 301 responses in Varnish that will need to be forced out of cache.

Change 223980 had a related patch set uploaded (by Gergő Tisza):
Never canonicalize Special:OAuth URLs

https://gerrit.wikimedia.org/r/223980

Tgr added a comment.EditedJul 9 2015, 11:42 PM

Recap of IRC discussion: MediaWiki sends Cache-control: s-maxage=1200, must-revalidate, max-age=0 on its tryNormalizeRedirect 301s (which is completely independent from the Cache-Control header that's put by Varnish on outgoijng requests). Varnish would normally ignore that because it doesn't cache requests with an Authorization header (the RfC allows but does not require caching of authorization-enabled requests with cache-control: public) but it seems like we tell it not to; that should probably be fixed.

The current state is that requests without an OAuth header get redirected and that redirect gets cached and that affects subsequent requests even if they have an OAuth header. (See P931 for a reproduction.) There is no non-OAuth traffic going to Special:OAuth/identify which is the only affected endpoint, so this is no immediate priority, but should be fixed soon.

Change 223997 had a related patch set uploaded (by BBlack):
text varnish: pass all "Authorization: OAuth " requests

https://gerrit.wikimedia.org/r/223997

bd808 renamed this task from OAuth login response has changed, no longer works for dashboard.wikedu.org to Unexpected 301 redirect when calling Special:OAuth/identify during OAuth exchange.Jul 10 2015, 4:35 PM

Change 223997 merged by BBlack:
text varnish: pass all "Authorization: OAuth " requests

https://gerrit.wikimedia.org/r/223997

Tgr closed this task as Resolved.Jul 10 2015, 6:10 PM
Tgr claimed this task.

Change 223980 abandoned by Gergő Tisza:
Never canonicalize Special:OAuth URLs

Reason:
Obsoleted by I805cbc12792411395073cbc404ba7430867c8ecc

https://gerrit.wikimedia.org/r/223980

Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptMay 31 2018, 7:31 PM