OAuth: authorization fails if the user never visited a foreign wiki (and account was created before centralauth autocreation was enabled)
Closed, Resolved · Public

Description

From T74469#1172647:

If you create a new account on en.wiki and then try to log in to an OAuth app that authenticates on en.wiki (for example, http://wizard.wikiedu.org), you will get that same error ["Unified login needed, E008"] every time until you visit another wiki.

The central OAuth wiki (for now, mediawiki.org meta.wikimedia.org) is auto-attached to the global account the first time the user visits a wiki where he does not have a local account. That never happens if the user registers on the same wiki where the app authenticates (as long as that wiki is not the central one).


See also T74469 and T104932

UPDATE: This appears to be fixed for new users, but can still affect users who created their accounts before the other related fixes for this task.

Event Timeline

Tgr created this task. Apr 2 2015, 7:11 PM
Tgr claimed this task.
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added a subscriber: Tgr.
Restricted Application added a subscriber: Aklapper. Apr 2 2015, 7:11 PM

@Tgr: Yeah, same issue as T74791, which I previously closed as the same as T74469.

Tgr updated the task description. Apr 2 2015, 7:36 PM
Tgr set Security to None.
Tgr added a comment. Apr 2 2015, 8:35 PM

Sorry for the confusion then. The title of T74469 describes this issue pretty accurately but the reproduction steps recreate a different issue (there is an account on the central wiki, and it's attached to the global account, but due to stale caches some parts of the code see it as unattached).

The fix for this issue seems straightforward: just attach to the central wiki on account creation (CentralAuthPlugin::addUser() seems like a good place for that). Although from the last remark in T74791#760831, I might be missing some of the complexity here.

Tgr added a comment. Apr 3 2015, 6:19 AM

Two possible approaches:

  • Lightweight: do account autocreation right after registration, instead of first login. Not 100% effective (user might have restrictive cookie settings etc) but would make this issue rare enough to be ignored.
  • Heavyweight: create an API for autocreation of account on a given wiki, add a "list of wikis where account should be autocreated instantly" setting to CentralAuth and execute from addUser().

Tgr triaged this task as Normal priority. Apr 3 2015, 7:02 AM
Legoktm added a subscriber: Legoktm. Apr 7 2015, 6:17 PM
In T94885#1177066, @Tgr wrote:
  • Lightweight: do account autocreation right after registration, instead of first login. Not 100% effective (user might have restrictive cookie settings etc) but would make this issue rare enough to be ignored.

I like this approach.

Tgr added a comment. Apr 13 2015, 7:22 PM

Apparently the control flow for registration and login is not significantly different: autologin icons are displayed in both cases, they just don't create accounts deterministically. According to T18864, account creation on autologin is a bug. That leaves the hard way...

Change 204059 had a related patch set uploaded (by Gergő Tisza):
Autocreate some local accounts when global account is created

https://gerrit.wikimedia.org/r/204059

Change 204059 merged by jenkins-bot:
Autocreate some local accounts when global account is created

https://gerrit.wikimedia.org/r/204059

Change 220970 had a related patch set uploaded (by Gergő Tisza):
Autocreate local versions of global accounts on meta, mw.o

https://gerrit.wikimedia.org/r/220970

Change 220970 merged by jenkins-bot:
Autocreate accounts on meta, mediawiki.org, loginwiki

https://gerrit.wikimedia.org/r/220970

Change 223209 had a related patch set uploaded (by Gergő Tisza):
Invalidate cache after account autocreation from job

https://gerrit.wikimedia.org/r/223209

Change 223209 merged by jenkins-bot:
Invalidate cache after account autocreation from job

https://gerrit.wikimedia.org/r/223209

Change 223211 had a related patch set uploaded (by Gergő Tisza):
Invalidate cache after account autocreation from job

https://gerrit.wikimedia.org/r/223211

Change 223211 merged by jenkins-bot:
Invalidate cache after account autocreation from job

https://gerrit.wikimedia.org/r/223211

Tgr closed this task as Resolved. Jul 7 2015, 12:46 AM
Ragesoss renamed this task from OAuth: authorization fails if the user never visited a foreign wiki to OAuth: authorization fails if the user never visited a foreign wiki (and account was created before centralauth autocreation was enabled). Aug 11 2015, 7:01 PM
Ragesoss reopened this task as Open.
Ragesoss updated the task description.

I watched a user hit this again yesterday, using an already-existing account.

Tgr added a comment. Aug 11 2015, 7:54 PM

That affects users who have created their account before July 6, and have never logged in to another wiki since then. (I would have expected logging in to the original wiki again to also trigger account creation, but apparently that is not the case.) Do you think that's frequent enough to worry about it? I can create a script to go through all Xwiki accounts that are not connected to mediawikiwiki/metawiki, and autocreate an account for them. I'm just not sure it's less work than doing it by hand every time it happens.

It's not a huge deal, and will be partly addressed if we deploy the error message update to guide users to visit another wiki and try again. But from my experience with my OAuth app, it's quite common for people to have a Wikipedia account that they've never used to visit another wiki. It's probably affected a fifth of the users I've tested with (plus another maybe two fifths who created an account during the OAuth login process, but who should hopefully not run into problems anymore).

I think a script to create these accounts would save a lot of people a lot of frustration, in the long run. That's just shooting from the hip, though, without knowing what proportion of existing (say) en.wiki accounts don't have a centralauth account.

Tgr added a comment. Aug 14 2015, 9:16 PM

There are about 20 million users on enwiki alone with no mw.org or meta username. I am not sure suddenly creating that many accounts would be welcome.
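
An added example, not part of the task thread or of CentralAuth's code: a Python/SQLite audit that lists accounts attached on the wiki where an OAuth app authenticates but not on the central wiki, and separates the pre-fix backlog from accounts created after the fix. The table layout, the sample rows and the cutoff date `2015-07-06` (the "July 6" from the comment above, year taken from the comment dates) are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for the attachment data; not CentralAuth's real schema.
SCHEMA = """
CREATE TABLE global_user (name TEXT PRIMARY KEY, registered TEXT);
CREATE TABLE attachment (name TEXT, wiki TEXT, PRIMARY KEY (name, wiki));
"""

# Constructed sample rows (user names are made up for the example).
USERS = [
    ("LegacyOnlyEn", "2014-03-01"),
    ("LegacyVisitedMeta", "2014-05-10"),
    ("NewAutocreated", "2015-08-01"),
    ("NewAutocreateFailed", "2016-08-30"),
]
ATTACHMENTS = [
    ("LegacyOnlyEn", "enwiki"),
    ("LegacyVisitedMeta", "enwiki"), ("LegacyVisitedMeta", "metawiki"),
    ("NewAutocreated", "enwiki"), ("NewAutocreated", "metawiki"),
    ("NewAutocreateFailed", "enwiki"),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO global_user VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO attachment VALUES (?, ?)", ATTACHMENTS)
    return db

def unattached_on_central(db, app_wiki, central_wiki, cutoff):
    """Accounts attached on app_wiki but missing on central_wiki.

    "legacy" accounts were registered before the autocreation fix (cutoff);
    "regression" accounts were registered after it, so autocreation failed.
    """
    rows = db.execute(
        """
        SELECT u.name, u.registered < ? AS is_legacy
        FROM global_user u
        JOIN attachment a ON a.name = u.name AND a.wiki = ?
        LEFT JOIN attachment c ON c.name = u.name AND c.wiki = ?
        WHERE c.name IS NULL
        ORDER BY u.name
        """,
        (cutoff, app_wiki, central_wiki),
    ).fetchall()
    result = {"legacy": [], "regression": []}
    for name, is_legacy in rows:
        result["legacy" if is_legacy else "regression"].append(name)
    return result

if __name__ == "__main__":
    print(unattached_on_central(build_db(), "enwiki", "metawiki", "2015-07-06"))
```

The "legacy" bucket is the backlog that a bulk autocreation script would have to cover; anything in "regression" points at an autocreation failure rather than at an old account.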

Tgr added a comment. Aug 17 2015, 7:05 AM

Since swamping the meta/mw.org user creation logs with tens of millions of users is not really an option, and creating those users without logging them is also problematic, the only way out I can see is to do account autocreation within the authorization dialog. Not sure if that is doable or not.

What can a user do himself to fix his login and access Phabricator again?

Background: One user (account created in April 2015 on mw.org) seems to be facing this issue after changing his password on mw.org. It blocks using Phabricator (after login on mw.org and clicking "Login or Register" on Phabricator, on mediawiki.org no OAuth dialog is displayed but "There was a problem with logging you in globally [...] E008" instead).

@Aklapper: probably: log in on mw.org or wherever, and then visit meta.wikimedia.org (which is now the location of the central OAuth accounts) and then try logging in to Phabricator again. That worked for someone else recently.

Ragesoss updated the task description. Oct 16 2015, 4:34 PM
Tgr added a comment. Oct 16 2015, 6:43 PM

Yeah, making sure you are logged in on meta should do the trick. Phabricator's OAuth login would probably be more stable if it happened on meta now that OAuth has moved there, although maybe that could be confusing for users?

@Aklapper: probably: log in on mw.org or wherever, and then visit meta.wikimedia.org (which is now the location of the central OAuth accounts) and then try logging in to Phabricator again. That worked for someone else recently.

That worked for me. Thank you!!

@Tgr: This is not completely fixed for new users. I've gotten a few reports lately from users running into the E008 error when trying to use OAuth soon after creating their account.

This happened today with User:MATH1203Instructor.

Tgr added a comment. Aug 31 2016, 12:38 AM

Some kind of autocreation error, meta has not been attached at the time of account creation: https://meta.wikimedia.org/wiki/Special:CentralAuth/MATH1203Instructor

I'll be lazy and wait another week and see whether https://gerrit.wikimedia.org/r/#/c/307057/ helps. Aaron says it will reduce the number of transactions that need to be rolled back due to DB replication lag.

Ragesoss renamed this task from OAuth: authorization fails if the user never visited a foreign wiki (and account was created before centralauth autocreation was enabled) to OAuth: authorization occasionally fails with brand new accounts. Oct 18 2016, 6:29 PM
Ragesoss added a subscriber: Pharos.
Tgr added a comment. Oct 18 2016, 8:56 PM

Do you have some examples?

@Tgr: It happened for User:Ppfl090 on en.wiki September 16.

That's the most recent case I know of specifically.

Tgr added a comment. Oct 19 2016, 10:44 PM

As with MATH1203Instructor, Ppfl090 was not autocreated on meta (note different account creation date).

Tgr renamed this task from OAuth: authorization occasionally fails with brand new accounts to OAuth: authorization fails if the user never visited a foreign wiki (and account was created before centralauth autocreation was enabled). Oct 19 2016, 10:51 PM
Tgr closed this task as Resolved.

Let's kill this task off, too much history (and it was about different bugs in different periods of its life). I filed T148696.

Tgr added a comment. Oct 19 2016, 11:16 PM

Are these users created normally? I find nothing in the logs about Ppfl090 before Sep. 19.

Tgr added a comment. Oct 19 2016, 11:17 PM
In T94885#2730290, @Tgr wrote:

Are these users created normally? I find nothing in the logs about Ppfl090 before Sep. 19.

...which I guess makes sense as today is Oct 19. We probably have a 30 day limit on retaining logs.

The starting point for account creation for these may be https://dashboard.wikiedu.org/users/auth/mediawiki_signup

But they do get created normally, just with a rather complex bunch of redirect parameters that take them to OAuth and then back to dashboard.wikiedu.org afterwards.