Page MenuHomePhabricator

E:OpenID needs to work with $wgSecureLogin
Open, Needs TriagePublic

Description

Special:OpenIDXRDS returns URLs based on $wgCanonicalServer. But when it attempts to redirect the user to these URLs, the forceHTTPS cookie kicks in and triggers a redirect to the corresponding https URL, which then fails due to loss of POST data.

Chris suggests this be worked around somehow in OpenID rather than having core use a 307 redirect instead of a 302.


Version: master
Severity: normal

Details

Reference
bz54512

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:14 AM
bzimport set Reference to bz54512.
Anomie created this task.Sep 24 2013, 4:19 PM

This is a problem with the id provider has $wgSecureLogin enabled. Since the WMF is running $wgSecureLogin, we need the extension to work with this in order to deploy it.

  • This bug has been marked as a duplicate of bug 44353 ***
  • Bug 44353 has been marked as a duplicate of this bug. ***

perhaps better the other way around, you are right.

Can you help to fix it ?

I tried to hack on it for a couple hours while reviewing it, and it's a difficult issue. But let me add what I know.

  • Since it was mentioned above, 307 redirects don't seem to work in FF or Chrome for this, otherwise I'd be happy to do that in core.
  • The issue seems to be that when the consumer does the XRDS querries, the provider gives back http:// urls, even with wgSecureLogin enabled. When it's hacked to only return https:// something else in the Auth library is failing. When I return both, it will POST to the https url, but later it gives throws an exception about a missmatch in the urls.

But that's about as far as I was able to get. So it may be a fix inside of the library, or it might be a fix for the return of Special:OpenIDXRDS.

(In reply to comment #5)

difficult issue. But let me add what I know.

  • Since it was mentioned above, 307 redirects don't seem to work in FF or

Chrome for this, otherwise I'd be happy to do that in core.

  • The issue seems to be that when the consumer does the XRDS querries, the

provider gives back http:// urls, even with wgSecureLogin enabled.
...

But that's about as far as I was able to get. So it may be a fix inside of
the library

This is also my view of the story. But my current thinking is, it _could_ be fixed in the library.

Only as a remark, not related to this bug:

I found - and fixed in E:OpenID - already at least one other issue with the library (the library does not return a correct return value for certificate errors)

Aklapper removed Wikinaut as the assignee of this task.Jun 18 2015, 2:08 PM
Aklapper added a subscriber: Aklapper.

[Resetting task assignee to avoid cookie-licking. Please reclaim the task when you plan to actively work on this task. Thanks!]