Has someone made osmocom.org login redirect to projects.osmocom.org?
Because since recently I observe this:
I go to osmocom.org, click on "Sign in".
It *redirects* me to projects.osmocom.org/login.
I log in.
I go to gerrit, enter, as always
https://osmocom.org/openid
I get another login screen, this time on osmocom.org without 'projects.'
Interesting, there seem to be two realms, maybe from cookie rules.
Ok then, I add projects to the openid, for gerrit login:
https://projects.osmocom.org/openid
and it works, nice.
However, now I seem to be logged in as a kind of ghost of my user. I'm logged
in as 'nhofmeyr(a)sysmocom.de', but no patches are on my page and I don't have
the voting nor admin permissions I normally have.
When instead of clicking on "Sign in" on osmocom.org redmine, I *manually*
enter
https://osmocom.org/login
(omitting projects.), I can login on osmocom.org and my gerrit user works out.
I notice that with projects.osmocom.org I am user ID 1000073,
while with osmocom.org I am 1000005.
In the gerrit user database, I see distinct user IDs:
▶ ssh go 'gerrit gsql -c "select * from account_external_ids where account_id = 1000073 or account_id = 1000005"'
ACCOUNT_ID | EMAIL_ADDRESS          | EXTERNAL_ID
-----------+------------------------+--------------------------------------------
1000005    | nhofmeyr(a)sysmocom.de | https://osmocom.org/openid/user/91
1000005    | NULL                   | username:neels
1000073    | nhofmeyr(a)sysmocom.de | https://projects.osmocom.org/openid/user/91
When I manually patch up the 1000073 to 1000005 in the last row, both openid
URLs work out to the correct user.
So gerrit potentially gets confused by one and the same user, fails to match
the email addresses rather than the openid provider.
Looking at the other registered users, most use the osmocom.org and not
projects.osmocom.org, so you all may be susceptible to the same issue.
I also see that four have entered http:// as openid, without SSL, which seems
to me is something we should rather not allow.
For example, laforge's user is shadowed in the same way just because of the
non-https:
1000004    | laforge(a)gnumonks.org | https://osmocom.org/openid/user/7
1000021    | laforge(a)gnumonks.org | http://osmocom.org/openid/user/7
If redirecting to projects.o.o is intentional and the way to go (TM), I should
probably pre-empt problems for existing users by creating external ids with
'projects' in the openid url, pointing at the proper existing users.
Otherwise we should avoid magical forwarding of osmocom.org logins to
projects.osmocom.org.
~N
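
An audit for the split-account condition described in the message above, as an added example that is not part of the original post: it canonicalises each OpenID external id (scheme and host alias) and reports identities that map to more than one Gerrit account, plus ids registered over plain http. Treating projects.osmocom.org as an alias of osmocom.org is an assumption taken from the message; the function names are hypothetical and the rows are the ones quoted in the message.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: both hosts front the same OpenID provider, as the message describes.
HOST_ALIASES = {"projects.osmocom.org": "osmocom.org"}

# (account_id, email, external_id) rows as quoted in the message's gsql output.
ROWS = [
    (1000005, "nhofmeyr(a)sysmocom.de", "https://osmocom.org/openid/user/91"),
    (1000005, None, "username:neels"),
    (1000073, "nhofmeyr(a)sysmocom.de", "https://projects.osmocom.org/openid/user/91"),
    (1000004, "laforge(a)gnumonks.org", "https://osmocom.org/openid/user/7"),
    (1000021, "laforge(a)gnumonks.org", "http://osmocom.org/openid/user/7"),
]


def canonical_openid(external_id):
    """Return a key that ignores scheme and host alias, or None for non-OpenID ids."""
    parts = urlsplit(external_id)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # e.g. "username:neels" is not an OpenID URL
    host = parts.hostname.lower()
    host = HOST_ALIASES.get(host, host)
    return host + parts.path.rstrip("/")


def find_shadow_accounts(rows):
    """Map canonical identity -> sorted account ids, only where more than one exists."""
    accounts = defaultdict(set)
    for account_id, _email, external_id in rows:
        key = canonical_openid(external_id)
        if key is not None:
            accounts[key].add(account_id)
    return {key: sorted(ids) for key, ids in accounts.items() if len(ids) > 1}


def find_plain_http(rows):
    """Return (account_id, external_id) pairs registered without TLS."""
    return [(acct, ext) for acct, _email, ext in rows
            if ext.lower().startswith("http://")]


if __name__ == "__main__":
    for key, ids in find_shadow_accounts(ROWS).items():
        print(f"{key}: split across accounts {ids}")
    for account_id, ext in find_plain_http(ROWS):
        print(f"account {account_id} registered without TLS: {ext}")
```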