There is a new web form that supports publishing waivers for failed/missing tests and supports OpenID Connect authentication.
Unfortunately, the redirect URL HTTP header in the OIDC request is incorrect - it uses http:// instead of https:// (redirect_uri: http://waiverdb.stg.fedoraproject.org/oidc_callback).
It has been suggested before to update the Router OpenShift object, but that did not help.
The new web form: https://waiverdb.stg.fedoraproject.org/api/v1.0/waivers/new
To reproduce:
1. Open web developer tools in a new tab in Firefox (Ctrl+Shift+I).
2. Switch to the Network tab in the tools panel.
3. Enter the web form URL in the URL entry of the new tab: https://waiverdb.stg.fedoraproject.org/api/v1.0/waivers/new
4. See that the first request to id.stg.fedoraproject.org in the dev tools finishes with HTTP 400 status code and it shows the incorrect header value.
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: dev, medium-gain, medium-trouble
I poked at this some, it's weird. ipsilon is getting the http:// as redirect_uri...
perhaps @abompard can look?
Maybe this could fix the problem: https://pagure.io/fedora-infra/ansible/pull-request/1346
It's now passing:
https%3A%2F%2Fwaiverdb.stg.fedoraproject.org%2Foidc_callback
but still getting the invalid redirect_uri. ;(
I guess I need to request allowing the new redirect_uri for the waiverdb client? I changed the URI recently from the original https://waiverdb-waiverdb.app.os.stg.fedoraproject.org/, and I assume that something like localhost is also allowed for the CLI tool to work.
I see that "destination" in the "state" GET parameter is http://waiverdb.stg.fedoraproject.org/api/v1.0/waivers/new. Maybe the protocol/host must match the one in redirect_uri.
This could fix the wrong "destination": https://pagure.io/fedora-infra/ansible/pull-request/1348#request_diff
Pushed that, didn't seem to help. ;(
This probably needs to be set in gunicorn: https://docs.gunicorn.org/en/stable/settings.html#secure-scheme-headers
Actually, the redirect_uri value had not been set in Ipsilon. I've set it for staging, does it work for you now?
@abompard Thanks, the redirect now works! :thumbsup:
Yet another configuration fix for waiverdb: https://pagure.io/fedora-infra/ansible/pull-request/1353
Awesome. Thanks! I guess we can close this?
I merged and pushed that fix...
Metadata Update from @kevin: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
@abompard Can we please have this also fixed for production service? https://waiverdb.fedoraproject.org :pray:
prod was done at the same time. ;) So it should be all set.
Ah, then it is caused by the outdated configuration.
Can you apply the new playbooks to prod? I can see that "/etc/waiverdb/settings.py" in pods does not contain the new options:
OVERWRITE_REDIRECT_URI = 'https://waiverdb.fedoraproject.org/oidc_callback'
PREFERRED_URL_SCHEME='https'
Done
Perfect, thanks! All works now.
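Added example, not part of the ticket and not WaiverDB or Ipsilon code: it models the two sides of the failure discussed above, an app behind a TLS-terminating proxy deriving redirect_uri from its own (plain HTTP) request scheme, and a provider that only accepts an exact match against registered URIs. The function names, the sample WSGI environ and the registered URI set are assumptions constructed for illustration.

```python
from urllib.parse import urlencode

# Constructed sample: redirect URIs assumed to be registered for the client at the provider.
REGISTERED_REDIRECT_URIS = {"https://waiverdb.stg.fedoraproject.org/oidc_callback"}

# Constructed WSGI environ: TLS ends at the proxy, so the app itself sees plain HTTP.
SAMPLE_ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "waiverdb.stg.fedoraproject.org",
    "HTTP_X_FORWARDED_PROTO": "https",
}


def external_scheme(environ, trust_proxy):
    """Return the scheme the browser used, as far as the app can tell."""
    if trust_proxy:
        # Use the last value (set by the nearest proxy); only safe when the
        # app is reachable solely through that proxy.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[-1].strip().lower()
        if proto in ("http", "https"):
            return proto
    return environ["wsgi.url_scheme"]


def build_redirect_uri(environ, trust_proxy=False, overwrite=None):
    """Build the callback URL the relying party sends as redirect_uri."""
    if overwrite:  # fixed value from settings wins over anything derived
        return overwrite
    return f"{external_scheme(environ, trust_proxy)}://{environ['HTTP_HOST']}/oidc_callback"


def provider_accepts(redirect_uri):
    """Provider-side check: exact string match, so http:// never equals https://."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def auth_query(redirect_uri):
    """Encode redirect_uri the way it appears in the authorization request."""
    return urlencode({"redirect_uri": redirect_uri})


if __name__ == "__main__":
    for label, kwargs in [
        ("derived from WSGI scheme", {}),
        ("trusting X-Forwarded-Proto", {"trust_proxy": True}),
        ("explicit override", {"overwrite": "https://waiverdb.stg.fedoraproject.org/oidc_callback"}),
    ]:
        uri = build_redirect_uri(SAMPLE_ENVIRON, **kwargs)
        print(f"{label}: {auth_query(uri)} accepted={provider_accepts(uri)}")
```

A correct scheme on the application side is necessary but not sufficient: the provider still rejects the request until that exact URI is registered for the client.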