fedora-infra/noggin

new users sometimes have expired password

nirik opened this issue · 3 comments

nirik commented

See: https://pagure.io/fedora-infrastructure/issue/10946

mattdm:

See the reports here https://ask.fedoraproject.org/t/fedora-account-creation-issues-report/25447 from various users. Although they are trying to log in to Ask Fedora, the errors are coming from the Fedora SSO side, and it isn't necessarily a Discourse-specific problem.

We do continue to get new signups, so it's not universal -- but it seems like enough people are hitting the problem that we're getting numerous reports from people who persisted and got through -- and, as one person in that thread kind of crankily points out (but it is a good point), there are probably many more who give up at that point.

kevin:

I'm not sure what could be going on here.

It's almost like sometimes when a new user activates their account and sets their initial password it's somehow expiring that password right away?

I just made a test user and when I activated it and entered my initial password, I got an error:

Your account has been created, but an error occurred while setting your password ( <title>200 Success</title>

Password change rejected

The old password or username is not correct.

). You may need to change it after logging in.

and sure enough, checking the user in the admin ui I see:

Password expiration: 2022-10-27 22:42:19Z

We're still seeing users running into this on Ask Fedora. Since they are often already coming for help with a problem, they are often in a not-great mood already...

In the IPA server logs, I see something looking like the error you describe:

[Fri Jan 13 03:44:33.598542 2023] ipa: INFO: WSGI change_password.__call__:
[Fri Jan 13 03:44:33.601019 2023] ipa: INFO: WSGI change_password: start password change of user 'updatecreative'
[Fri Jan 13 03:44:33.615743 2023] ipa: INFO: 200 Success: The old password or username is not correct.

I'll keep looking and keep you posted.

I think I may have found the reason. The final phase of registration is a multi-step process that has some steps run as the noggin admin user, and some steps run as the new user. The IPA client we use in noggin can pick a random IPA server in our pool of 3, but there is no guarantee that the admin client and the user client will pick the same IPA server. And since the steps are done very quickly one after another, IPA doesn't have time to replicate before the next command is run on another server.
I hope this makes sense. I'll add something to make sure they pick the same server.
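The race described in the comment above, as an added simulation that is not noggin's or FreeIPA's code: a pool of three replicas where a write is only copied to the other servers when `replicate()` is called, an admin step that creates the user with a temporary password on one server, and a user step that immediately changes that password on whichever server its own client picked. The server names, usernames and passwords are constructed; the rejection text is the one quoted from the IPA logs. When the two clients land on different replicas before replication has run, the user step is rejected exactly as reported; pinning both clients to the same server makes the sequence succeed every time.

```python
"""Constructed simulation of the noggin registration race (not noggin or FreeIPA code)."""
import random
from dataclasses import dataclass, field

# Error text taken from the IPA log lines quoted in this issue.
OLD_PASSWORD_ERROR = "The old password or username is not correct."


@dataclass
class IpaServer:
    """One replica; holds only what this example needs: username -> current password."""
    name: str
    users: dict = field(default_factory=dict)


class ReplicatedPool:
    """Three replicas (constructed names). Writes land on one server and reach the
    others only when replicate() runs, which models the replication delay."""

    def __init__(self, names=("ipa01", "ipa02", "ipa03")):
        self.servers = [IpaServer(n) for n in names]
        self.pending = []  # (username, password) writes not yet replicated

    def write(self, server, username, password):
        server.users[username] = password
        self.pending.append((username, password))

    def replicate(self):
        for username, password in self.pending:
            for s in self.servers:
                s.users[username] = password
        self.pending.clear()

    def pick_random(self, rng):
        """Each client picks a server independently, like the IPA client in noggin."""
        return rng.choice(self.servers)


def admin_create_user(pool, server, username, temp_password):
    """Step run as the noggin admin user."""
    pool.write(server, username, temp_password)


def user_change_password(pool, server, username, old_password, new_password):
    """Step run as the new user: only succeeds if this replica already knows the
    temporary password the admin step just set."""
    if server.users.get(username) != old_password:
        raise PermissionError(OLD_PASSWORD_ERROR)
    pool.write(server, username, new_password)


def register(pool, admin_server, user_server, username="newuser",
             temp="Temp#1", final="Final#2"):
    """Final registration phase: admin step, then user step with no replication in between."""
    admin_create_user(pool, admin_server, username, temp)
    try:
        user_change_password(pool, user_server, username, temp, final)
    except PermissionError as exc:
        return str(exc)
    return "ok"


def run_registration(seed, pin_to_one_server):
    """Returns (admin server, user server, outcome) for one registration attempt.

    pin_to_one_server=False: both clients choose independently (current behaviour).
    pin_to_one_server=True: the user client reuses the admin client's server (the fix).
    """
    rng = random.Random(seed)
    pool = ReplicatedPool()
    admin_server = pool.pick_random(rng)
    user_server = admin_server if pin_to_one_server else pool.pick_random(rng)
    return admin_server.name, user_server.name, register(pool, admin_server, user_server)


def retry_after_replication(seed):
    """The same split pair succeeds once the admin's write has replicated, which is why
    affected users can still change the password later from the admin UI or on login."""
    rng = random.Random(seed)
    pool = ReplicatedPool()
    admin_server, user_server = pool.pick_random(rng), pool.pick_random(rng)
    admin_create_user(pool, admin_server, "newuser", "Temp#1")
    pool.replicate()
    user_change_password(pool, user_server, "newuser", "Temp#1", "Final#2")
    return user_server.users["newuser"]


if __name__ == "__main__":
    for seed in range(6):
        print("independent:", run_registration(seed, False))
        print("pinned:     ", run_registration(seed, True))
```

The outcome of the independent variant depends only on whether the two picks coincide, so a pool of three replicas fails roughly two attempts in three when replication has not caught up, which matches the "not universal, but frequent" pattern mattdm describes.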