
OAuth authorization with a just-created account sometimes fails with 'mwoauthdatastore-access-token-not-found'
Closed, Resolved · Public

Description

On dashboard.wikiedu.org, we have a signup flow for users who do not already have Wikipedia accounts, which uses 'returntoquery' to send a user to the account creation page and then immediately redirect them to an auth page for the dashboard once they've created their account. Here are the entry points for this flow:

en.wiki: https://dashboard.wikiedu.org/users/auth/mediawiki_signup
test.wiki: https://dashboard-testing.wikiedu.org/users/auth/mediawiki_signup

This usually works, but seems to occasionally fail with 'mwoauthdatastore-access-token-not-found'. @Tgr suggests that this might be caused by master-slave lag.

Event Timeline

Ragesoss created this task. Jan 27 2016, 6:37 PM
Ragesoss raised the priority of this task from to Needs Triage.
Ragesoss updated the task description.
Ragesoss added subscribers: Ragesoss, Tgr.
Restricted Application added subscribers: StudiesWorld, Aklapper. Jan 27 2016, 6:37 PM

Change 266800 had a related patch set uploaded (by Gergő Tisza):
Fall back to master DB for access token lookup

https://gerrit.wikimedia.org/r/266800

aaron added a subscriber: aaron. Edited · Jan 28 2016, 4:10 AM

Seems like this should already be covered by ChronologyProtector, unless there was a >10sec lag spike and timeout. Though I don't see many log entries under

+channel:DBPerformance +message:"Waiting" +url:*OAuth*

@awight @Abit This bug will affect all instances of the dashboard, creating a confusing situation for newcomers who try to create their account at the same time they join a course. It's hit-or-miss; often you can create an account and sign up in one smooth flow, but a significant fraction of the time, you'll instead get stopped by an OAuth error message.

Tgr added a comment. Edited · Feb 18 2016, 7:07 PM

@aaron: ChronologyProtector uses IP+user agent to persist the master position, but the OAuth request that fails is sent by the WikiEdu server, if I understand the bug report correctly, so the IP/agent won't match that of the authorization request.

What's the status with that patch? Is it waiting for more review, or is it not the right fix? Users run into this problem all the time at Wiki Ed events.

Tgr added a subscriber: Anomie. Jul 6 2016, 12:40 AM

IMO it is ready to merge. @Anomie asked for some code quality improvements but I can do those in a follow-up.

Change 266800 merged by jenkins-bot:
Fall back to master DB for access token lookup

https://gerrit.wikimedia.org/r/266800

Tgr added a comment. Sep 6 2016, 10:30 PM

@Ragesoss any impression on whether this is resolved?

@Tgr I think this one is resolved. I haven't heard of this error coming up lately (unlike the E008 error). I'll keep an eye out for reports of it, though. These next few weeks are when a few thousand users will go through the account creation and OAuth login flow via dashboard.wikiedu.org.

Tgr closed this task as Resolved. Sep 7 2016, 11:48 PM
Tgr claimed this task.

Thanks! Please reopen if you run into it again.
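
Added example (not part of the task thread and not MediaWiki or OAuth extension code): a toy Python model of the race discussed above, where replica-wait state is keyed on client IP + user agent, so the consumer's server-to-server token lookup gets no wait and misses the row on a lagging replica unless the lookup falls back to the primary. All class names, function names, addresses and the token key are constructed, and "waiting" is simplified to the replica catching up immediately.

```python
# Constructed toy model, not MediaWiki code: one primary, one lagging replica.
class Cluster:
    def __init__(self):
        self.primary, self.replica = {}, {}
        self.log = []        # replication log of (key, row) writes
        self.applied = 0     # number of log entries the replica has applied

    def write(self, key, row):
        self.primary[key] = row
        self.log.append((key, row))
        return len(self.log)             # primary position after this write

    def catch_up(self, pos):
        for key, row in self.log[self.applied:pos]:
            self.replica[key] = row
        self.applied = max(self.applied, pos)


class PositionStore:
    """Last primary position per client, keyed on (IP, user agent)."""
    def __init__(self):
        self.positions = {}

    def remember(self, client, pos):
        self.positions[client] = pos

    def wait_for_replica(self, cluster, client):
        pos = self.positions.get(client)
        if pos is not None:              # unknown client: nothing to wait for
            cluster.catch_up(pos)


def lookup_token(cluster, store, client, key, fallback_to_primary):
    store.wait_for_replica(cluster, client)
    row = cluster.replica.get(key)
    if row is None and fallback_to_primary:
        row = cluster.primary.get(key)   # second read, only on a replica miss
    return row


def simulate(fallback_to_primary):
    cluster, store = Cluster(), PositionStore()
    browser = ("198.51.100.7", "Browser/1.0")            # constructed values
    consumer = ("203.0.113.9", "DashboardServer/1.0")    # constructed values
    # The user authorizes in the browser; the token row is written to the primary.
    store.remember(browser, cluster.write("token-abc", {"user": "NewUser"}))
    # The consumer's server asks for the token before the replica has caught up.
    seen_by_consumer = lookup_token(cluster, store, consumer, "token-abc", fallback_to_primary)
    seen_by_browser = lookup_token(cluster, store, browser, "token-abc", fallback_to_primary)
    return seen_by_consumer, seen_by_browser
```

`simulate(False)` returns a miss for the consumer and a hit for the browser; `simulate(True)` returns the row for both, at the cost of one extra primary read on each replica miss.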