Description
Having configured one MoinMoin wiki as an OpenID provider, and the second to use MoinMoin authentication, I find that attempting to log into the second wiki with an OpenID from the first results in the following error:
- "OpenID discovery failure, not a valid OpenID."
Steps to reproduce
- Create wiki #1
set openid_server_enabled = True
- Create a user in wiki #1
- Create a home page for the user and copy its URL to the clipboard
- Create wiki #2
set auth = [MoinMoin.auth.openidrp.OpenIDAuth ()]
- Log into wiki #2 with the user's URL
- "OpenID discovery failure, not a valid OpenID." error displayed
Example
You can just use https://robots.org.uk/ as an !OpenID url if you want, that's the wiki #1 in my example above.
Component selection
MoinMoin.web.contexts.Context.isSpiderAgent
Details
Here's the web server error log created when wiki #2 tries to access wiki #1:
10.0.0.2 - [15/Nov/2011:15:14:41 +0000] "GET /HomePage?action=serveopenid&yadis=ep HTTP/1.1" 403 4486 text/html "-" "python-openid/2.2.1 (linux2) libcurl/7.21.0 GnuTLS/2.8.6 zlib/1.2.3.4 libidn/1.15" 5934
Notice libcurl in the user agent. This matches the default ua_spiders regex which contains a branch that simply matches curl.
MoinMoin Version |
1.9.3 |
OS and Version |
Debian GNU/Linux 6.0 |
Python Version |
2.6.6 |
Server Setup |
Apache/2.2 mod_fcgid/2.3.6 flup/1.0.2 |
Workaround
Provide an alternative ua_spiders regex that does not contain 'curl'.
- Except the serveopenid action from the spider check
Discussion
I tried logging in with my !OpenID to a Moin wiki hosted by a friend and found that it worked without performing the above workarounds.
192.0.2.1 - [16/Nov/2011:14:15:40 +0000] "GET /HomePage?action=serveopenid&yadis=ep HTTP/1.1" 200 2635 application/xrds+xml "-" "python-openid/2.2.1 (linux2) Python-urllib/2.6" 22812
Note the differing user agent string. I think this is because that host does not have the pycurl Python module installed, therefore the openid module falls back to using urllib. So if you can't reproduce the bug, install pycurl, restart Moin, and try again.
On my system, I see the following user agent string in the log: "python-openid/2.2.1 (linux2) Python-urllib/2.5"
I think the fix to ua_spiders is the right fix: there is no legitimate reason to completely block all user agents that happen to use curl; if you block curl you could easily advocate blocking urllib since both can be used for badly behaved programs. -- PaulBoddie 2011-11-16 23:16:58
Plan
- Priority:
- Assigned to:
Status: fixed by http://hg.moinmo.in/moin/1.9/rev/d0599106e17a