When I try to log into the production Koschei web app and I don't have a Kerberos ticket active, I get an infinite redirect between id.fedoraproject.org and the Koschei frontend. With a Kerberos ticket, login works fine on the first attempt. Staging works fine with or without a ticket.
Steps to reproduce:
1. Make sure you don't have a Kerberos ticket (kdestroy -A) and browse to https://apps.fedoraproject.org/koschei/login to try to log in. Firefox shows "The page isn’t redirecting properly" page.
2. Obtain a Kerberos ticket (kinit -k mizdebsk@FEDORAPROJECT.ORG) and try to log in again. This attempt succeeds.
Originally reported on IRC by @raphgro:
<RaphGro> hi, I try to connect to koschei. my firefox plays ping-pong between apps and id.fedoraproject.org till it reports a redirection error
This is caused by Koschei using mod_auth_openidc with memory storage. This means that every time you hit the other web server, the state is reset.
You'll want to look at https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L484 and on, and line 465, to set session across servers.
Metadata Update from @mizdebsk: - Issue assigned to mizdebsk
It should be fixed now - thanks @puiterwijk for the pointer. I've switched to keeping login session data in cookies rather than server-side, which is less secure, but we are keeping application sessions in cookies anyway.
https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=1d734a2
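A simplified model of the failure and the fix discussed in this ticket, added here as an illustration and not taken from Koschei, the linked commit, or mod_auth_openidc itself. It compares a session kept in each host's memory (what mod_auth_openidc calls `OIDCSessionType server-cache` with the per-host `OIDCCacheType shm`) with a session carried in the cookie (`OIDCSessionType client-cookie`). The round-robin balancer, the `Backend` class, the HMAC-signed cookie (the real module encrypts its cookie) and all names and values are assumptions.

```python
import hashlib
import hmac
import itertools
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

SECRET = b"constructed-passphrase"  # constructed; shared by every backend
MAX_REDIRECTS = 20  # stand-in for the browser's redirect limit


def _mac(body):
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()


class Backend:
    """One web server behind the balancer (simplified model)."""

    def __init__(self, mode):
        self.mode = mode    # "server-cache" or "client-cookie"
        self.sessions = {}  # in-memory store, private to this host

    def callback(self, user):
        """IdP redirected back here: create a session, return the cookie."""
        if self.mode == "server-cache":
            sid = secrets.token_hex(8)
            self.sessions[sid] = user  # only this host can resolve sid
            return sid
        body = urlsafe_b64encode(json.dumps({"user": user}).encode())
        return (body + b"." + _mac(body)).decode()

    def whoami(self, cookie):
        """Return the user this cookie maps to on this host, or None."""
        if self.mode == "server-cache":
            return self.sessions.get(cookie)
        body, _, mac = cookie.encode().partition(b".")
        if not hmac.compare_digest(mac, _mac(body)):
            return None
        return json.loads(urlsafe_b64decode(body))["user"]


def login(mode, n_backends=2, user="alice"):
    """IdP round trips until login sticks; None if the redirect limit is hit."""
    balancer = itertools.cycle([Backend(mode) for _ in range(n_backends)])
    for trip in range(1, MAX_REDIRECTS + 1):
        cookie = next(balancer).callback(user)     # IdP -> callback URL
        if next(balancer).whoami(cookie) == user:  # callback -> app page
            return trip
    return None
```

With two backends, `login("server-cache")` returns `None` (the redirect loop), while `login("client-cookie")` and the single-host case return after one round trip.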
Metadata Update from @mizdebsk: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Thanks. Login to Koschei works again.