#9762 Error logging into Fedora Wiki with new accounts system
Closed: Fixed 3 years ago by abompard. Opened 3 years ago by phuzion.

Describe what you would like us to do:


After logging into the new accounts system today, I attempted to log into the Fedora Wiki, and was met with an error that reads, "You need to have at least CLA+1 (cla)"

After speaking with nirik in #fedora-aaa, I attempted another login, and was met with the error "Fatal error authenticating user." on the Special:PluggableAuthLogin page on-wiki.

According to FAS (old system), I am a member of cla_done, cla_fedora and cla_fpca. I do not appear to be a member of these groups in the new accounts system.

When do you need this to be done by? (YYYY/MM/DD)


No rush.


Okay, it looks like it is working in staging, but not in prod for some reason.

This is the config section for the wiki that controls the openidc settings for the wiki:

https://pagure.io/fedora-infra/ansible/blob/main/f/roles/mediawiki/templates/LocalSettings.php.fp.j2#_528

The only real difference between stg and prod here is the client secret.

Side note: the scope names there, https://id.fedoraproject.org/scope/groups and https://id.fedoraproject.org/scope/agreements, are really just names rather than real URIs, so they don't need the .stg prefix.

So I changed prod from looking for cla to agreements scope (like stg).

I see in ipsilon logs:

[Wed Mar 24 23:44:25.611231 2021] [wsgi:error] [pid 91598:tid 91602] [remote 192.168.1.13:38118] [24/Mar/2021:23:44:25] Responding with error: invalid_scope, message: unknown scope https://id.fedoraproject.org/scope/agreements requested

Did we add a scope somewhere in stg that we didn't add to prod?
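
One way to check for the mismatch asked about above, as an added example that is not from the ticket or from Fedora infrastructure code: it pulls invalid_scope rejections out of Ipsilon log lines in the format quoted above and lists which requested scopes each environment has not registered. The per-environment scope sets, the "openid" entry, and every log line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Error format as quoted from the Ipsilon log in the ticket.
INVALID_SCOPE = re.compile(
    r"Responding with error: invalid_scope, "
    r"message: unknown scope (?P<scope>\S+) requested"
)

def rejected_scopes(log_lines):
    """Count invalid_scope rejections per scope name."""
    hits = Counter()
    for line in log_lines:
        match = INVALID_SCOPE.search(line)
        if match:
            hits[match.group("scope")] += 1
    return hits

def scope_drift(requested, registered_by_env):
    """For each environment, list requested scopes it has not registered."""
    return {env: sorted(set(requested) - set(known))
            for env, known in registered_by_env.items()}

BASE = "https://id.fedoraproject.org/scope/"
# Scopes the wiki client asks for: the two named in the ticket, plus
# "openid" (assumed here because OpenID Connect requests carry it).
REQUESTED = ["openid", BASE + "groups", BASE + "agreements"]
# Constructed state for illustration: prod lacks the agreements scope.
REGISTERED = {
    "stg": {"openid", BASE + "groups", BASE + "agreements"},
    "prod": {"openid", BASE + "groups"},
}
# First line is from the ticket; the other two are constructed.
SAMPLE_LOG = [
    "[Wed Mar 24 23:44:25.611231 2021] [wsgi:error] [pid 91598:tid 91602] "
    "[remote 192.168.1.13:38118] [24/Mar/2021:23:44:25] Responding with error: "
    "invalid_scope, message: unknown scope " + BASE + "agreements requested",
    "[Wed Mar 24 23:44:31.102938 2021] [wsgi:error] [pid 91598:tid 91603] "
    "[remote 192.168.1.13:38120] [24/Mar/2021:23:44:31] Responding with error: "
    "invalid_scope, message: unknown scope " + BASE + "agreements requested",
    "[Wed Mar 24 23:45:02.000000 2021] [wsgi:error] [pid 91598:tid 91602] "
    "[remote 192.168.1.13:38122] [24/Mar/2021:23:45:02] unrelated message",
]

if __name__ == "__main__":
    for scope, count in rejected_scopes(SAMPLE_LOG).items():
        print(f"{count}x rejected: {scope}")
    for env, missing in scope_drift(REQUESTED, REGISTERED).items():
        print(f"{env}: missing {missing or 'nothing'}")
```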

Metadata Update from @humaton:
- Issue tagged with: authentication

3 years ago

Metadata Update from @abompard:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
