openid-based login broken since upgrade to 8.0.0?
decathorpe opened this issue · 13 comments
Browsing the URL that used to work with older bodhi versions:
https://bodhi.fedoraproject.org/login?method=openid
This returns an HTTP 500 / Internal Server Error page now.
Not sure what's going on there. The openid authentication seems to be handled totally by pyramid-fas-openid and I cannot even see any line in the logs when the HTTP 500 / Internal Server Error page is triggered.
Maybe @abompard has some ideas and can solve this in two seconds?
Thanks for looking into it!
Looks like I will soon need to bite the bullet anyway and implement OIDC or GSSAPI auth for fedora-update-feedback :(
Yeah, it looks like the log configuration is wrong, it does not log requests. I'll try to fix that.
OK I got the logs back in, and I see a traceback!
2024-02-22 15:37:02,476 ERROR [gunicorn.error][ThreadPoolExecutor-0_0] Error handling request /dologin.html?openid=https%3A%2F%2Fid.fedoraproject.org%2F
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/gunicorn/workers/gthread.py", line 271, in handle
    keepalive = self.handle_request(req, conn)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/gunicorn/workers/gthread.py", line 323, in handle_request
    respiter = self.wsgi(environ, resp.start_response)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/paste/deploy/config.py", line 291, in __call__
    return self.app(environ, start_response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/pyramid/router.py", line 270, in __call__
    response = self.execution_policy(environ, self)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/pyramid/router.py", line 276, in default_execution_policy
    return router.invoke_request(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/pyramid/router.py", line 248, in invoke_request
    request._process_response_callbacks(response)
  File "/usr/lib/python3.11/site-packages/pyramid/request.py", line 85, in _process_response_callbacks
    callback(self, response)
  File "/usr/lib/python3.11/site-packages/pyramid/session.py", line 258, in set_cookie_callback
    self._set_cookie(response)
  File "/usr/lib/python3.11/site-packages/pyramid/session.py", line 325, in _set_cookie
    serializer.dumps((self.accessed, self.created, dict(self)))
  File "/usr/lib/python3.11/site-packages/webob/cookies.py", line 659, in dumps
    cstruct = self.serializer.dumps(appstruct) # will be bytes
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/webob/cookies.py", line 560, in dumps
    return bytes_(json.dumps(appstruct), encoding='utf-8')
                  ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/json/__init__.py", line 231, in dumps
    return _default_encoder.encode(obj)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/json/encoder.py", line 200, in encode
    chunks = self.iterencode(o, _one_shot=True)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/json/encoder.py", line 258, in iterencode
    return _iterencode(o, 0)
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/json/encoder.py", line 180, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type YadisServiceManager is not JSON serializable
It does look familiar.
Yeah I'm betting it's the default serializer that was switched to JSON in Pyramid 2.0 that's causing the problem, but I thought we had fixed that a long time ago to avoid having non-json-serializable stuff in the session.
Yeah, I see it was handled in #4356 but pyramid_fas_openid is still used for login?method=openid calls... should we drop openid authentication?
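The failure described in the comments above (a library object left in the session once the cookie serializer is JSON), as an added illustration that is not Bodhi, Pyramid or pyramid_fas_openid code: it repeats the json.dumps step from the traceback and reports which session entry cannot be encoded. FakeServiceManager, the session key names and the sample values are constructed assumptions.

```python
import json


class FakeServiceManager:
    """Constructed stand-in for a library object kept in the session,
    like the YadisServiceManager named in the traceback."""

    def __init__(self, endpoint):
        self.endpoint = endpoint


def dump_session_cookie(session, accessed, created):
    """Same serialization step as the traceback's last frames:
    json.dumps of (accessed, created, dict(session)), UTF-8 encoded."""
    return json.dumps((accessed, created, dict(session))).encode("utf-8")


def find_unserializable(value, path="session"):
    """Return [(path, type name)] for every value JSON cannot encode."""
    if isinstance(value, dict):
        children = [(f"{path}[{k!r}]", v) for k, v in value.items()]
    elif isinstance(value, (list, tuple)):
        children = [(f"{path}[{i}]", v) for i, v in enumerate(value)]
    else:
        try:
            json.dumps(value)
        except (TypeError, ValueError):
            return [(path, type(value).__name__)]
        return []
    found = []
    for child_path, child in children:
        found.extend(find_unserializable(child, child_path))
    return found


# Constructed session contents; the key names are assumptions.
SAMPLE_SESSION = {
    "came_from": "/updates/",
    "openid_state": {"manager": FakeServiceManager("https://id.example.test/")},
}

if __name__ == "__main__":
    for where, kind in find_unserializable(SAMPLE_SESSION):
        print(f"{where}: {kind} is not JSON serializable")
    try:
        dump_session_cookie(SAMPLE_SESSION, 1708616222, 1708616000)
    except TypeError as exc:
        print("cookie write fails:", exc)
```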
Yeah I think so... Sorry @decathorpe !
I understand :(
I know OpenID support was only kept for backwards compatibility, but I didn't know that I'd have to deal with this so soon 🫣
Yeah... You can have a look at how the bodhi client handles OIDC, if that can help.
@decathorpe you know how fedora-easy-karma handles the auth process? It seems not to be affected, it's working correctly until now.
I think fedora-easy-karma got Kerberos and / or OIDC support since it uses the official bodhi client bindings?
I think it is this yeah https://pagure.io/fedora-easy-karma/blob/master/f/fedora-easy-karma.py
It seems it uses some oraculum-endpoint, I don't know what this is...
But when I used it the first time, it gave me the link for getting an API key at my Fedora account page, and then I pasted it at the terminal and since then I don't need to validate it anymore.
If bodhi-server is not going to fix the OpenID endpoint, should it be removed and documented that it's no longer working?