NOTE
If your issue is for security or deals with sensitive info please mark it as private using the checkbox below.
---- Fix the Labs download links on the website. No way to obtain v40 Design lab version, has no links. ---- Logins to various areas on Fedora sites fail regularly. Most commonly public forums. ---- Can't get into anywhere else to post this, so here it is.
---- No rush, after all these problems, I don't think I'll be in any hurry to use your products anytime soon.
The design suite was not produced for f40 due to problems with the blender package. Since thats a non blocking deliverable, the entire release wasn't blocked on it.
You could use the f39 one: https://dl.fedoraproject.org/pub/alt/releases/39/Labs/x86_64/iso/Fedora-Design_suite-Live-x86_64-39-1.5.iso and upgrade.
We will need more information on which "public forums" you are seeing failures on? Also, how does it fail? time out? error message?
This latest error was...
400 - Bad Request Invalid transaction id
...And that was trying to get in here to reply. On the third refresh of this page to view, the login link worked and popped me in without prompts. Previous errors were usually invalid username/password messages. They came from these forums, the GitLab site, and another I can't remember.
I wanted to thank you for that link to download. Going previous and upgrading is a perfectly acceptable solution.
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: Needs investigation
Strangely I can't seem to find any errors in the identity provider logs. All the entries there show successful.
Perhaps @zlopez or @abompard can see where this might be going awry?
I noticed that as well, it throws 400 - Bad Request and after visiting the service again you are logged in.
400 - Bad Request
I got one of the login errors yesterday on notifications.fedoraproject.org. I got the same error again today when logging in to post this.
Yesterday I pasted "https://notifications.fedoraproject.org/rules/246" into Firefox (because that program is too fancy to work in Seamonkey). The login form was displayed. Credentials were filled in from my keyring. I submitted the form and got 400 Bad Request. I then pasted the same URL again, and saw the notification rule without logging in again.
A log from Firefox follows. I have redacted everything that looked like it might possibly be secret. Some of the messages are translated, but those look like they're only warnings about things that will stop working in some future version. What they say is that some cookies lack valid "SameSite" attributes and that sizeToContent is deprecated.
11:41:16,919 Fetched service configuration Object { authorizationEndpoint: "https://id.fedoraproject.org/openidc/Authorization", tokenEndpoint: "https://id.fedoraproject.org/openidc/Token", revocationEndpoint: undefined, userInfoEndpoint: "https://id.fedoraproject.org/openidc/UserInfo", endSessionEndpoint: undefined } index-ujsPPI9n.js:39:14240 11:41:16,926 Making authorization request Object { authorizationEndpoint: "https://id.fedoraproject.org/openidc/Authorization", tokenEndpoint: "https://id.fedoraproject.org/openidc/Token", revocationEndpoint: undefined, userInfoEndpoint: "https://id.fedoraproject.org/openidc/UserInfo", endSessionEndpoint: undefined } Object { crypto: {}, usePkce: true, clientId: "fmn-frontend", redirectUri: "https://notifications.fedoraproject.org/login/fedora", scope: "openid profile email https://id.fedoraproject.org/scope/groups", responseType: "code", state: "REDACTED", extras: undefined, internal: undefined } index-ujsPPI9n.js:39:14596 11:41:16,928 Making a request to Object { crypto: {}, usePkce: true, clientId: "fmn-frontend", redirectUri: "https://notifications.fedoraproject.org/login/fedora", scope: "openid profile email https://id.fedoraproject.org/scope/groups", responseType: "code", state: "REDACTED", extras: {…}, internal: {…} } https://id.fedoraproject.org/openidc/Authorization?redirect_uri=https%3A%2F%2Fnotifications.fedoraproject.org%2Flogin%2Ffedora&client_id=fmn-frontend&response_type=code&state=REDACTED&scope=openid%20profile%20email%20https%3A%2F%2Fid.fedoraproject.org%2Fscope%2Fgroups&code_challenge=REDACTED&code_challenge_method=S256 index-ujsPPI9n.js:38:7598 11:41:16,937 Error: Unable to preload CSS for /assets/TrackingRule-xsjE9iaN.css s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 Qs https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 component https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:43 Fu https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 N https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 promise callback*N https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 O https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 _ https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 install https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 use https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:1 <anonymous> https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:43 index-ujsPPI9n.js:34:21195 11:41:16,939 Uncaught (in promise) Error: Unable to preload CSS for /assets/TrackingRule-xsjE9iaN.css s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 Qs https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 component https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:43 Fu https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 N https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 promise callback*N https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 O https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 _ https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 install https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 use https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:1 <anonymous> https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:43 index-ujsPPI9n.js:14:1660 11:41:18,148 Vissa kakor missbrukar det rekommenderade attributet "SameSite" 2 11:41:18,148 Kaka "REDACTED" har inte ett korrekt "SameSite" attributvärde. Snart kommer kakor utan attributet "SameSite" eller med ett ogiltigt värde att behandlas som "Lax". Detta innebär att kakan inte längre skickas i externa sammanhang. Om din applikation beror på att denna kaka är tillgänglig i sådana sammanhang, lägg till attributet "SameSite=None" till den. Läs https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite om du vill veta mer om attributet "SameSite" negotiate 11:41:18,148 Kaka "fedora_ipsilon_session_id" har inte ett korrekt "SameSite" attributvärde. Snart kommer kakor utan attributet "SameSite" eller med ett ogiltigt värde att behandlas som "Lax". Detta innebär att kakan inte längre skickas i externa sammanhang. Om din applikation beror på att denna kaka är tillgänglig i sådana sammanhang, lägg till attributet "SameSite=None" till den. Läs https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite om du vill veta mer om attributet "SameSite" negotiate 11:41:18,215 sizeToContent() är föråldrad och kommer att tas bort i framtiden. commonDialog.js:132:10 11:42:00,941 Kaka "fedora_ipsilon_session_id" har inte ett korrekt "SameSite" attributvärde. Snart kommer kakor utan attributet "SameSite" eller med ett ogiltigt värde att behandlas som "Lax". Detta innebär att kakan inte längre skickas i externa sammanhang. Om din applikation beror på att denna kaka är tillgänglig i sådana sammanhang, lägg till attributet "SameSite=None" till den. Läs https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite om du vill veta mer om attributet "SameSite" Continue 11:42:43,566 AbortError: Actor 'Conduits' destroyed before query 'RuntimeMessage' was resolved ConduitsParent.sys.mjs:379 _raceResponses resource://gre/modules/ConduitsParent.sys.mjs:379 11:42:44,069 Fetched service configuration Object { authorizationEndpoint: "https://id.fedoraproject.org/openidc/Authorization", tokenEndpoint: "https://id.fedoraproject.org/openidc/Token", revocationEndpoint: undefined, userInfoEndpoint: "https://id.fedoraproject.org/openidc/UserInfo", endSessionEndpoint: undefined } index-ujsPPI9n.js:39:14240 11:42:44,072 Making authorization request Object { authorizationEndpoint: "https://id.fedoraproject.org/openidc/Authorization", tokenEndpoint: "https://id.fedoraproject.org/openidc/Token", revocationEndpoint: undefined, userInfoEndpoint: "https://id.fedoraproject.org/openidc/UserInfo", endSessionEndpoint: undefined } Object { crypto: {}, usePkce: true, clientId: "fmn-frontend", redirectUri: "https://notifications.fedoraproject.org/login/fedora", scope: "openid profile email https://id.fedoraproject.org/scope/groups", responseType: "code", state: "REDACTED", extras: undefined, internal: undefined } index-ujsPPI9n.js:39:14596 11:42:44,075 Making a request to Object { crypto: {}, usePkce: true, clientId: "fmn-frontend", redirectUri: "https://notifications.fedoraproject.org/login/fedora", scope: "openid profile email https://id.fedoraproject.org/scope/groups", responseType: "code", state: "REDACTED", extras: {…}, internal: {…} } https://id.fedoraproject.org/openidc/Authorization?redirect_uri=https%3A%2F%2Fnotifications.fedoraproject.org%2Flogin%2Ffedora&client_id=fmn-frontend&response_type=code&state=REDACTED&scope=openid%20profile%20email%20https%3A%2F%2Fid.fedoraproject.org%2Fscope%2Fgroups&code_challenge=REDACTED&code_challenge_method=S256 index-ujsPPI9n.js:38:7598 11:42:44,086 Error: Unable to preload CSS for /assets/TrackingRule-xsjE9iaN.css s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 Qs https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 component https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:43 Fu https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 N https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 promise callback*N https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 O https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 _ https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 install https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 use https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:1 <anonymous> https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:43 index-ujsPPI9n.js:34:21195 11:42:44,087 Uncaught (in promise) Error: Unable to preload CSS for /assets/TrackingRule-xsjE9iaN.css s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 s https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 Qs https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:14 component https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:43 Fu https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 N https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 promise callback*N https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 O https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 _ https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 install https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:34 use https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:1 <anonymous> https://notifications.fedoraproject.org/assets/index-ujsPPI9n.js:43 index-ujsPPI9n.js:14:1660 11:42:45,950 Fetched service configuration Object { authorizationEndpoint: "https://id.fedoraproject.org/openidc/Authorization", tokenEndpoint: "https://id.fedoraproject.org/openidc/Token", revocationEndpoint: undefined, userInfoEndpoint: "https://id.fedoraproject.org/openidc/UserInfo", endSessionEndpoint: undefined } index-ujsPPI9n.js:39:14240 11:42:45,955 Checking to see if there is an authorization response to be delivered. index-ujsPPI9n.js:38:7631 11:42:45,955 Potential authorization request https://notifications.fedoraproject.org/login/fedora Object { code: "REDACTED", state: "REDACTED" } REDACTED REDACTED undefined index-ujsPPI9n.js:38:7598 11:42:45,956 Delivering authorization response index-ujsPPI9n.js:38:7631 11:42:45,956 Authorization request complete Object { crypto: {}, usePkce: true, clientId: "fmn-frontend", redirectUri: "https://notifications.fedoraproject.org/login/fedora", scope: "openid profile email https://id.fedoraproject.org/scope/groups", responseType: "code", state: "REDACTED", extras: {…}, internal: {…} } Object { code: "REDACTED", state: "REDACTED" } null index-ujsPPI9n.js:39:15987 11:42:46,100 Got OIDC token response: Object { accessToken: "REDACTED", tokenType: "Bearer", expiresIn: 3600, refreshToken: "REDACTED", scope: undefined, idToken: "REDACTED", issuedAt: 1717494166 } index-ujsPPI9n.js:39:17994 11:42:47,100 Got user info response: Object { name: "Björn Persson", nickname: "rombobeorn", preferred_username: "rombobeorn", zoneinfo: "Europe/Stockholm", locale: "sv", email: "bjorn@xn--rombobjrn-67a.se", groups: (5) […], sub: "rombobeorn" } index-ujsPPI9n.js:39:18268 11:42:47,101 Will redirect to /rules/246 LoginFedora-Zf54K93T.js:1:1206 11:43:42,979 <Provider> does not support changing `store` on the fly. It is most likely that you see this error because you updated to Redux 2.x and React Redux 2.x which no longer hot reload reducers automatically. See https://github.com/reactjs/react-redux/releases/tag/v2.0.0 for the migration instructions. react-redux.js:881:13
Here on pagure.io I use Seamonkey. I clicked on "Log in" at the bottom of this page. The login form was displayed. Credentials were filled in from my keyring. I submitted the form and got 400:
Invalid transaction id
I then went back and clicked on "Log in" again, and was immediately logged in.
I got a log of many HTTP requests in Seamonkey. Unforunately copying the log works really poorly. I have to edit it extensively to make it readable, which would take too long to do with the whole log. Here are the headers of the two most relevant-looking requests and responses:
POST https://id.fedoraproject.org/login/pam Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: sv,en;q=0.5 Connection: keep-alive Content-Length: 130 Content-Type: application/x-www-form-urlencoded Cookie: REDACTED=openid; fedora_ipsilon_session_id=REDACTED; REDACTED=login; REDACTED=login DNT: 1 Host: id.fedoraproject.org Origin: https://id.fedoraproject.org Referer: https://id.fedoraproject.org/login/gssapi/negotiate?ipsilon_transaction_id=REDACTED Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 HTTP/2.0 303 See Other X-Firefox-Spdy: h2 apptime: D=1874078 cache-control: no-cache, no-store, must-revalidate, private content-length: 256 content-security-policy: frame-ancestors 'none' content-type: text/html;charset=utf-8 date: Wed, 05 Jun 2024 13:17:51 GMT location: https://id.fedoraproject.org/openidc/Continue?ipsilon_transaction_id=REDACTED pragma: no-cache referrer-policy: same-origin server: Apache set-cookie: REDACTED=login; HttpOnly; Max-Age=300; Path=/; Secure fedora_ipsilon_session_id=REDACTED; expires=Wed, 05 Jun 2024 13:32:51 GMT; HttpOnly; Max-Age=900; Path=/; Secure ipsilon_default_username=rombobeorn; HttpOnly; Max-Age=1296000; Path=/; Secure strict-transport-security: max-age=31536000; preload x-content-type-options: nosniff x-fedora-appserver: ipsilon02.iad2.fedoraproject.org x-fedora-proxyserver: proxy36.fedoraproject.org x-fedora-requestid: REDACTED x-frame-options: SAMEORIGIN, deny x-xss-protection: 1; mode=block GET https://id.fedoraproject.org/openidc/Continue Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: sv,en;q=0.5 Connection: keep-alive Cookie: REDACTED=openid; fedora_ipsilon_session_id=REDACTED; REDACTED=login; REDACTED=login; REDACTED=login; ipsilon_default_username=rombobeorn DNT: 1 Host: id.fedoraproject.org Referer: https://id.fedoraproject.org/login/gssapi/negotiate?ipsilon_transaction_id=REDACTED Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 HTTP/2.0 400 Bad Request X-Firefox-Spdy: h2 access-control-allow-origin: * apptime: D=198484 cache-control: no-cache, no-store, must-revalidate, private content-length: 4336 content-security-policy: frame-ancestors 'none' content-type: text/html; charset=UTF-8 date: Wed, 05 Jun 2024 13:17:53 GMT pragma: no-cache referrer-policy: same-origin server: Apache set-cookie: fedora_ipsilon_session_id=REDACTED; expires=Wed, 05 Jun 2024 13:32:53 GMT; HttpOnly; Max-Age=900; Path=/; Secure strict-transport-security: max-age=31536000; preload x-content-type-options: nosniff x-fedora-appserver: ipsilon01.iad2.fedoraproject.org x-fedora-proxyserver: proxy36.fedoraproject.org x-fedora-requestid: REDACTED sx-frame-options: SAMEORIGIN, deny x-xss-protection: 1; mode=block
I currently had for some time always:
401 - Unauthorized Transaction expired, or cookies not available
I have never problems with ending up on the FAS login page. But once I entered credentials and then click to login, then the issue occurs. Beyond "unauthorized", I have had "time out" and "bad request" in the past. Sometimes it is only once, and then I try again and it works. But sometimes this condition can remain for many attempts.
Kevin, you asked in the mailing list for information that indicates which proxy it is. Here an extract from tcpdump. The very "click" to login was 13:08:28:
13:08:25.190849 IP fedora.45278 > 192.229.XXX.XXX.http: Flags [.], ack 2230300768, win 497, options [nop,nop,TS val 1368748353 ecr 3202042858], length 0 13:08:25.214931 IP 192.229.XXX.XXX.http > fedora.45278: Flags [.], ack 1, win 131, options [nop,nop,TS val 3202053099 ecr 1368686865], length 0 13:08:25.706740 IP fedora.36036 > dns.google.domain: 62850+ [1au] PTR? 195.152.2.10.in-addr.arpa. (54) 13:08:25.731302 IP dns.google.domain > fedora.36036: 62850 NXDomain 0/0/1 (54) 13:08:28.800132 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [S], seq 1255371569, win 64240, options [mss 1460,sackOK,TS val 4207315726 ecr 0,nop,wscale 7], length 0 13:08:28.893917 IP proxy-iad02.fedoraproject.org.https > fedora.50422: Flags [S.], seq 3566394504, ack 1255371570, win 26844, options [mss 1380,sackOK,TS val 2336283230 ecr 4207315726,nop,wscale 7], length 0 13:08:28.894051 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 4207315820 ecr 2336283230], length 0 13:08:28.897068 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [P.], seq 1:1298, ack 1, win 502, options [nop,nop,TS val 4207315823 ecr 2336283230], length 1297 13:08:28.977992 IP proxy-iad02.fedoraproject.org.https > fedora.50422: Flags [.], ack 1298, win 200, options [nop,nop,TS val 2336283315 ecr 4207315823], length 0 13:08:28.979219 IP proxy-iad02.fedoraproject.org.https > fedora.50422: Flags [P.], seq 1:255, ack 1298, win 200, options [nop,nop,TS val 2336283316 ecr 4207315823], length 254 13:08:28.979275 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [.], ack 255, win 501, options [nop,nop,TS val 4207315905 ecr 2336283316], length 0 13:08:28.980379 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [P.], seq 1298:1378, ack 255, win 501, options [nop,nop,TS val 4207315906 ecr 2336283316], length 80 13:08:28.981300 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [P.], seq 1378:1548, ack 255, win 501, options [nop,nop,TS val 4207315907 ecr 2336283316], length 170 13:08:28.982262 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [P.], seq 1548:2067, ack 255, win 501, options [nop,nop,TS val 4207315908 ecr 2336283316], length 519 13:08:29.061108 IP proxy-iad02.fedoraproject.org.https > fedora.50422: Flags [P.], seq 255:305, ack 1378, win 200, options [nop,nop,TS val 2336283399 ecr 4207315906], length 50 13:08:29.061524 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [P.], seq 2067:2098, ack 305, win 501, options [nop,nop,TS val 4207315988 ecr 2336283399], length 31 13:08:29.062669 IP proxy-iad02.fedoraproject.org.https > fedora.50422: Flags [P.], seq 305:336, ack 1548, win 199, options [nop,nop,TS val 2336283400 ecr 4207315907], length 31 13:08:29.098143 IP proxy-iad02.fedoraproject.org.https > fedora.50422: Flags [P.], seq 336:3072, ack 2067, win 195, options [nop,nop,TS val 2336283436 ecr 4207315908], length 2736 13:08:29.098147 IP proxy-iad02.fedoraproject.org.https > fedora.50422: Flags [P.], seq 3072:5271, ack 2067, win 195, options [nop,nop,TS val 2336283436 ecr 4207315908], length 2199 13:08:29.098267 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [.], ack 3072, win 499, options [nop,nop,TS val 4207316024 ecr 2336283400], length 0 13:08:29.098450 IP fedora.50422 > proxy-iad02.fedoraproject.org.https: Flags [.], ack 5271, win 482, options [nop,nop,TS val 4207316024 ecr 2336283436], length 0 13:08:29.178431 IP proxy-iad02.fedoraproject.org.https > fedora.50422: Flags [.], ack 2098, win 195, options [nop,nop,TS val 2336283516 ecr 4207315988], length 0
This time, after about 4 or 5 attempts, it worked.
Let me know if you prefer something else.
ok, interesting.
Is there any delay from when it redirects you to the id page and when you submit it? ie, you try and login, and don't see the id page for a time? or do you always see it and enter your data right after?
I'll look and see if I can see anything more in logs based on your info. Thanks!
Is there any delay from when it redirects you to the id page and when you submit it?
From a subjective point of view, the delay is widely equal to attempts that are successful or attempts in which no issue occurs at all.
The only exceptions are cases that fail with time out: I think it was 30 or 60 seconds before the actual error occurred.
A problem is that I often forget to enable tcpdump, and when I then try to re-attempt with it, the failure does not always re-occur.
But I will try to keep documenting login attempts and provide data about it. Let me know if something else is more helpful than tcpdumps.
ie, you try and login, and don't see the id page for a time?
Off the cuff, I tend to say the loading times are normal (except the time out fails). But one has to say that FAS login pages often need a moment to load, so in general, not just in failed attempts.
My feeling is indeed more vice versa: if login fails with unauthorized or bad request, it is faster than usual.
or do you always see it and enter your data right after?
I enter my data, click enter, and at the time when I should be redirected to the very page (e.g., discourse or pagure), the respective error occurs. Usually, I go then back with my browser, but I have to admit, I do not know if I then end up again on the login page or if it is expired. Anyway, I tend to do then F5 to ensure the page is "fresh". But this does not impact the likelihood to succeed in the subsequent attempt. I also already re-started the browser (with deleting cookies+cache), but although my feeling says that this increases likelihood of succeeding then, I is not a guarantee...
Another question is if the issues are all the same. I have to say that I have not had a time out for many weeks. This also leads to the question if one error is solved by clearing cookies/cache and the other not or something like that.
I try to keep your questions in mind and observe that behavior with more awareness next time. I will also document a little more if it is "bad request" or "not authorized".
In any case, it is not critical.
Thanks for gathering data. This is an anoying problem and we want to get it solved.
I did not log in often in the recent weeks, but I haven't had another incident. Not sure if you already fixed something?
There's been various changes... but other folks were reporting problems this morning, so I am not convinced it's fixed.
Interesting. I still have not experienced it since my last report. But I keep logging. I'll report with logs if the issue reoccurs. Let me know if I shall test or verify something, but preferably on another channel as it seems that I no longer get email notifications of posts here.
Odd. It should be mailing you unless you specifically 'unwatched' this issue. ;(
So, how about we close this and if it happens again, please reopen it or file a new ticket and we can go from there.
I'm not sure it's fixed, but aside the other issue (with httpd upgrades) I have not seen anyone else note issues either.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
It is there again.
Maybe Barry can provide data that can help to finally solve it: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/7PBZWQK3BXDBS5SORTA22DFG7FEXMWEK/
If he cannot log in at all, you might talk in the mailing list thread.
I'm already responding on the thread.
This problem is back. My case does not seem to be #12321 because Bugzilla isn't involved.
I was going to vote on elections.fedoraproject.org. The "vote now" button took me to the login form. After I submitted the form there was a delay of several seconds that ended with the same error as in June:
I went back and clicked on "vote now" again, and was logged in without seeing the login form again.
Then I came here to Pagure to report this. In my first attempt there was a long wait after I submitted the login form, which ended with "gateway timeout". In my second attempt there was a delay of only one or two seconds followed by the same "Invalid transaction id" error as above. In my third attempt I was already logged in.
I don't see a "reopen" button on this issue.
Metadata Update from @zlopez: - Issue status updated to: Open (was: Closed)
I re-opened the issue as requested from @rombobeorn. Do you still see the issue?
I got "Invalid transaction id" when logging in to post this comment, so yes. There was no "gateway timeout" this time, but otherwise the symptoms are still the same.
The issue feels to have strongly decreased in the number of occurrences (subjective perception). However, it still occurs from time to time. Unfortunately, it occurs too seldom to always create a tcpdump before logging in (too time/power intensive; couldn't catch an occurrence since my report above).
As mentioned above, I had different errors in the past (including the one @rombobeorn mentions). But I think at the moment it is mostly (if not all) "400 - Bad Request", but I no longer count the errors or their outputs as long as its nothing new.
Is there other means that can be deployed to gather information useful for you but without imposing a tcpdump or so? Something that does not need to be enabled before the issue occurs and that does not disrupt the workflow, power use, etc.?
I'm happy to try to gather more information.
@rombobeorn Do you connect from Europe? I think in the first evaluation of the issue, it seems to have only affected people in Europe.
@rombobeorn Do you connect from Europe?
Yes.
I currently experience a "wave" of "400 - Bad Error" and "401 - Unauthorized" when trying to log in using FAS. I attempted from location Zurich/Switzerland. Does it make sense to log the exact time+timezone ? I assume you can that way compare the exact time to the very logs of the services and identify the affected proxy or so?
Since I just could reproduce it several times in a row, I might be able to capture another occurrence with a tcpdump, but does another dump add value to the investigation?
I am not good with web development stuff, but I just attempted once again, received a 400 - Bad Request, and then checked the Firefox console at the moment I was on the Bad Request page:
Cookie “fedora_ipsilon_session_id” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Not sure if that is useful?
(My firefox is configured the same way and has the same add-ons as during the last FAS login: the way it is configured for a long time, so I don't think its configuration can be the origin of the issue, especially as it seems to affect systems in Europe only)
It's been a month, how are things currently.
I dont think that cookie warning would cause the issue... we have done some more updates on our auth servers, perhaps that will have some effect?
I didn't use the FAS login much lately, but I try to use it more often in the next days and give you some feedback :+1:
I don't have a lot of statistics. It's not like I log in every day. I logged in twice today without errors, and also a week or two ago I think. It may have been luck, as the errors have been intermittent before.
I did now 6 logins spread over 3 days and always several hours in between. No issues have occurred, and my subjective perception is that the speed of the logins has increased.
Like Björn said, this can be luck, but since we have no other means to verify it, I suggest we take this as indication and therefore that we close this topic again and wait to see how it develops: if the issue reoccurs, the ticket can be reopened by whoever experiences it.
Thanks again to invest time in this :)
ok. Please do reopen or file a new issue if you see failures like that again...
Metadata Update from @kevin: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
I had "400 - Bad Request Invalid transaction id" a few minutes ago. As usual, it went away after retrying (once).
edit: while logging in for https://src.fedoraproject.org/rpms/ocaml-gettext/pull-request/3
That usually happens when the login screen is open for longer time and the session is no longer valid.
It also occurs in the issue described in this ticket: it could happen even if the FAS login was open just 10 seconds. I saw it many times in the past, just like other outputs. However, so far I have not experienced the issue again myself since my last post (but I logged in only once since then). So it can be both: an expired session or the very issue occurs again.
Just reporting that this happened again yesterday, and a few minutes ago today. In both cases retrying caused the login to go through successfully.
In both cases when logging in to https://pagure.io/packager-sponsors/issue/, and in both cases the login screen had only been opened for a few seconds so nothing could have expired.
Log in to comment on this ticket.