Has someone made osmocom.org login redirect to projects.osmocom.org? Because since recently I observe this:
I go to osmocom.org, click on "Sign in". It *redirects* me to projects.osmocom.org/login. I log in.
I go to gerrit, enter, as always
I get another login screen, this time on osmocom.org without 'projects.' Interesting, there seem to be two realms, maybe from cookie rules.
Ok then, I add projects to the openid, for gerrit login:
https://projects.osmocom.org/openid
and it works, nice.
However, now I seem to be logged in as a kind of ghost of my user. I'm logged in as 'nhofmeyr@sysmocom.de', but no patches are on my page and I don't have the voting nor admin permissions I normally have.
When instead of clicking on "Sign in" on osmocom.org redmine, I *manually* enter https://osmocom.org/login (omitting projects.), I can login on osmocom.org and my gerrit user works out.
I notice that with projects.osmocom.org I am user ID 1000073, while with osmocom.org I am 1000005.
In the gerrit user database, I see distinct user IDs:
▶ ssh go 'gerrit gsql -c "select * from account_external_ids where account_id = 1000073 or account_id = 1000005"'
ACCOUNT_ID | EMAIL_ADDRESS         | EXTERNAL_ID
-----------+-----------------------+--------------------------------------------
1000005    | nhofmeyr@sysmocom.de  | https://osmocom.org/openid/user/91
1000005    | NULL                  | username:neels
1000073    | nhofmeyr@sysmocom.de  | https://projects.osmocom.org/openid/user/91
When I manually patch up the 1000073 to 1000005 in the last row, both openid URLs work out to the correct user.
So gerrit potentially gets confused by one and the same user, fails to match the email addresses rather than the openid provider.
Looking at the other registered users, most use the osmocom.org and not projects.osmocom.org, so you all may be susceptible to the same issue.
I also see that four have entered http:// as openid, without SSL, which seems to me to be something we should rather not allow.
For example, laforge's user is shadowed in the same way just because of the non-https:
1000004    | laforge@gnumonks.org  | https://osmocom.org/openid/user/7
1000021    | laforge@gnumonks.org  | http://osmocom.org/openid/user/7
If redirecting to projects.o.o is intentional and the way to go (TM), I should probably pre-empt problems for existing users by creating external ids with 'projects' in the openid url, pointing at the proper existing users.
Otherwise we should avoid magical forwarding of osmocom.org logins to projects.osmocom.org.
~N
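An audit for the shadowing described in the message above, as an added example that is not part of the original thread or of Gerrit itself: it groups OpenID external ids that differ only by scheme or provider host and lists the http:// ones. The sample rows are the ones quoted in the message; the PROVIDER_HOSTS alias set and the function names are assumptions made for this sketch.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input: the account_external_ids rows quoted in the message above,
# laid out as gsql prints them.
SAMPLE = """\
ACCOUNT_ID | EMAIL_ADDRESS         | EXTERNAL_ID
-----------+-----------------------+--------------------------------------------
1000005    | nhofmeyr@sysmocom.de  | https://osmocom.org/openid/user/91
1000005    | NULL                  | username:neels
1000073    | nhofmeyr@sysmocom.de  | https://projects.osmocom.org/openid/user/91
1000004    | laforge@gnumonks.org  | https://osmocom.org/openid/user/7
1000021    | laforge@gnumonks.org  | http://osmocom.org/openid/user/7
"""

# Assumption: both host names front the same OpenID provider.
PROVIDER_HOSTS = {"osmocom.org", "projects.osmocom.org"}

def parse_rows(text):
    """Yield (account_id, email, external_id) from gsql table output."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == 3 and cols[0].isdigit():  # skips header and separator
            yield int(cols[0]), None if cols[1] == "NULL" else cols[1], cols[2]

def identity_key(external_id):
    """Collapse scheme and host aliases; None for ids that are not OpenID URLs."""
    url = urlsplit(external_id)
    if url.scheme not in ("http", "https") or url.hostname not in PROVIDER_HOSTS:
        return None
    return url.path.rstrip("/")

def audit(text):
    """Return (shadowed, insecure): identities split across accounts, http:// ids."""
    accounts, insecure = defaultdict(set), []
    for account_id, _email, ext in parse_rows(text):
        key = identity_key(ext)
        if key is None:
            continue
        accounts[key].add(account_id)
        if ext.startswith("http://"):
            insecure.append((account_id, ext))
    shadowed = {k: sorted(v) for k, v in accounts.items() if len(v) > 1}
    return shadowed, insecure

if __name__ == "__main__":
    shadowed, insecure = audit(SAMPLE)
    for key, ids in shadowed.items():
        print(f"{key}: split across accounts {ids}")
    for account_id, ext in insecure:
        print(f"account {account_id}: non-TLS OpenID {ext}")
```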
On 20 Mar 2017, at 05:30, Neels Hofmeyr nhofmeyr@sysmocom.de wrote:
> Has someone made osmocom.org login redirect to projects.osmocom.org? Because since recently I observe this:
> I go to osmocom.org, click on "Sign in". It *redirects* me to projects.osmocom.org/login. I log in.
hmm... I did this: https://osmocom.org/issues/1728. Could you try with curl -v?
> If redirecting to projects.o.o is intentional and the way to go (TM), I should probably pre-empt problems for existing users by creating external ids with 'projects' in the openid url, pointing at the proper existing users.
> Otherwise we should avoid magical forwarding of osmocom.org logins to projects.osmocom.org.
No, that is not intended. I tried to block opening /login as http though. So maybe $server_name in nginx doesn't work as it should(tm).
$ curl -v http://osmocom.org/login/ 2>&1 | grep Location
< Location: https://projects.osmocom.org/login/
I changed $server_name to $host. It looks better?
holger
On Wed, Mar 22, 2017 at 08:11:18AM +0100, Holger Freyther wrote:
> I changed $server_name to $host. It looks better?
Ah, I noticed a detail:
httpS://osmocom.org/login doesn't redirect to projects,
but httP://osmocom.org/login still does to httpS://PROJECTS.osmocom.org/login
When I pull up osmocom.org I end up at httP, then clicking 'Sign in' goes to httpS projects.
So technically this could be fixed for me with the https-everywhere browser plugin, which I have active, but seems to have outdated/incomplete osmocom.org rules :)
I also have access to the osmocom nginx ... I'm probably not very adept at it, so don't mind at all if you do it, just let me know if I should try to fix it myself instead; now that I know the intention.
~N
On 22 Mar 2017, at 12:05, Neels Hofmeyr nhofmeyr@sysmocom.de wrote:
> but httP://osmocom.org/login still does to httpS://PROJECTS.osmocom.org/login
curl -v httP://osmocom.org/login 2>&1 | grep Loca
< Location: https://osmocom.org/login
=> your browser has the redirect cached?
holger
On Thu, Mar 23, 2017 at 04:10:21PM +0100, Holger Freyther wrote:
> On 22 Mar 2017, at 12:05, Neels Hofmeyr nhofmeyr@sysmocom.de wrote:
>> but httP://osmocom.org/login still does to httpS://PROJECTS.osmocom.org/login
> curl -v httP://osmocom.org/login 2>&1 | grep Loca
> < Location: https://osmocom.org/login
> => your browser has the redirect cached?
Seems to have been the case, at least now I'm not redirected anymore. Thanks!
~N