Special:OpenIDXRDS returns URLs based on $wgCanonicalServer. But when it attempts to redirect the user to these URLs, the forceHTTPS cookie kicks in and triggers a redirect to the corresponding https URL, which then fails due to loss of POST data.
Chris suggests this be worked around somehow in OpenID rather than having core use a 307 redirect instead of a 302.
Version: master
Severity: normal
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | Feature | None | T66475 Make crosswiki bits and pieces truly global (tracking) | ||
| Declined | Feature | None | T15631 Wikimedia should become an OpenID provider | ||
| Declined | None | T31254 [SUGGESTION] Expose group memberships for query through OpenID teams extension | |||
| Declined | Wikinaut | T25735 Allow different user grouping for OpenID users | |||
| Declined | None | T61631 Enable Facebook login on Wikimedia wikis | |||
| Declined | None | T11604 Get OpenID extension to a state where it could be used on Wikimedia projects as a provider | |||
| Declined | BUG REPORT | None | T56512 E:OpenID needs to work with $wgSecureLogin |
This is a problem with the id provider has $wgSecureLogin enabled. Since the WMF is running $wgSecureLogin, we need the extension to work with this in order to deploy it.
I tried to hack on it for a couple hours while reviewing it, and it's a difficult issue. But let me add what I know.
But that's about as far as I was able to get. So it may be a fix inside of the library, or it might be a fix for the return of Special:OpenIDXRDS.
(In reply to comment #5)
difficult issue. But let me add what I know.
- Since it was mentioned above, 307 redirects don't seem to work in FF or
Chrome for this, otherwise I'd be happy to do that in core.
- The issue seems to be that when the consumer does the XRDS querries, the
provider gives back http:// urls, even with wgSecureLogin enabled.
...
But that's about as far as I was able to get. So it may be a fix inside of
the library
This is also my view of the story. But my current thinking is, it _could_ be fixed in the library.
Only as a remark, not related to this bug:
I found - and fixed in E:OpenID - already at least one other issue with the library (the library does not return a correct return value for certificate errors)
see also
which appear to be related bug reports on the extension's talk page.
[Resetting task assignee to avoid cookie-licking. Please reclaim the task when you plan to actively work on this task. Thanks!]