E:OpenID does not accept the temporary password when attaching an OpenID to an existing account.
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Wikinaut
	Nov 14 2013, 6:20 PM

Description

Szenario:

existing wiki "User" account with a confirmed e-mail address. This account was created earlier via createaccount or createaccount-by-mail, a standard mediawiki account ;
User wants to attach their XYZ-OpenID to their account because there is no OpenID yet ; and
User has forgotten the password for the wiki User account

User can send a temporary password via Special:PasswordReset to their (previously confirmed) e-mail address.

A password is mandatory when you want to attach an OpenID to an existing account.

Bug:

Current OpenID version do not accept the _temporary_ password when attaching an OpenID to an existing account.

Patch ready.

Version: master
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=57289

Details

Reference: bz57065

Related Objects
Search...

Status	Subtype	Assigned	Task
Open	Feature	None	T66475 Make crosswiki bits and pieces truly global (tracking)
Declined	Feature	None	T15631 Wikimedia should become an OpenID provider
Declined		None	T31254 [SUGGESTION] Expose group memberships for query through OpenID teams extension
Declined		Wikinaut	T25735 Allow different user grouping for OpenID users
Declined		None	T61631 Enable Facebook login on Wikimedia wikis
Declined		None	T11604 Get OpenID extension to a state where it could be used on Wikimedia projects as a provider
Resolved		Wikinaut	T59065 E:OpenID does not accept the temporary password when attaching an OpenID to an existing account.

Event Timeline

• bzimport raised the priority of this task from to High.Nov 22 2014, 2:40 AM

• bzimport added a project: MediaWiki-extensions-OpenID.

• bzimport set Reference to bz57065.

Wikinaut created this task.Nov 14 2013, 6:20 PM

Change 95461 had a related patch set (by Wikinaut) published:
Bug 57065: E:OpenID does not accept temporary password when attaching an OpenID to an existing account

https://gerrit.wikimedia.org/r/95461

I believe the issue with the change password form showing twice is that the first time, the user is partially logged in with their temporary password, and the ChangePassword form writes out the user's edit token into the token hidden field. When the user submits the form (the first time), they are completely logged out, and the edit token on the form doesn't match the anonymous edit token ('+\'). The second time the form is displayed, the anonymous edit token is written into the token field, and the ChangePassword form submission is correctly processed.

(In reply to comment #2)

I believe the issue with the change password form showing twice is that the
first time, the user is partially logged in with their temporary password,
and
the ChangePassword form writes out the user's edit token into the token
hidden
field. When the user submits the form (the first time), they are completely
logged out, and the edit token on the form doesn't match the anonymous edit
token ('+\'). The second time the form is displayed, the anonymous edit token
is written into the token field, and the ChangePassword form submission is
correctly processed.

Chris,

arguendo you are right with your view,

why is that then working (usually, showing the page only once) in *normal* MediaWiki context, on - let's say - English Wikipedia, when you come as anon and log-in with your temp.password ?

But perhaps(????) it is related to what I found in https://bugzilla.wikimedia.org/show_bug.cgi?id=57289

solved in verion 4.00 20131122
https://gerrit.wikimedia.org/r/#/c/94977/

currently, the password change page appears twice. This will be tracked in a new bug.

Change 95461 abandoned by Wikinaut:
Bug 57065: does not accept temporary password when attaching OpenID to existing account

Reason:
thsi patch is not needed