
Bug 391179

Summary: Persona login gives error message
Product: [ECD] Orion
Reporter: Ken Walker <ken_walker>
Component: Client
Assignee: Mark Macdonald <mamacdon>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: john.arthorne, mamacdon, simon_kaegi
Version: 1.0
Flags: simon_kaegi: review+
Target Milestone: 1.0 RC2
Hardware: PC
OS: All
Whiteboard:

Description Ken Walker CLA 2012-10-04 21:36:13 EDT
I'm trying to login with my Persona ID and get:

"Persona verification failed: audience mismatch: scheme mismatch"
Comment 1 Mark Macdonald CLA 2012-10-04 22:42:50 EDT
Ugh. This may be because of the proxy that orion.eclipse.org is behind. The Persona backend on our server constructs an "audience" string from the scheme, host, and port in the incoming request. If the server thinks it's talking over HTTP to orion.eclipse.org on port 8080, but the client is talking to HTTPS orion.eclipse.org on port 80, then perhaps the server is constructing an audience that fails to match what the client provides.

There is a config option [1] for setting the hostname component in the audience, but that is not sufficient to fix the problem with the scheme and port being proxied to something else. So perhaps the entire audience string needs to be configurable from the config file. Then in the config file on orion.eclipse.org, we can explicitly set it to "https://orion.eclipse.org:80" and it will hopefully match what Persona clients provide.

[1] http://wiki.eclipse.org/Orion/Server_admin_guide#Configuring_Mozilla_Persona_authentication
Comment 2 Mark Macdonald CLA 2012-10-04 23:40:04 EDT
The fix is in the 'bug391179' branches. Didn't merge to master as I'm not sure what the target for this bug is.

server:
http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?h=bug391179

client:
http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?h=bug391179
Comment 4 Mark Macdonald CLA 2012-10-10 21:34:23 EDT
Got a preliminary +1 from Simon. Merging to master so I can test on orion.eclipse.org in advance of RC2.

merged:
http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=927783398a7a38ab371d0647f78b9aead87c1163
http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=141f332163de5b36fe8513b116c442c7c72beb72

Leaving bug open so I can iterate on the isLoopback case...
Comment 5 Mark Macdonald CLA 2012-10-11 15:30:15 EDT
pushed part 2 to master:
- http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=0099e27ea6ec503906b98eabe2f992fa5b3407f5
- http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=3d5f2cfacd7b4cd9fa6d4aec12e5000192802de5

Note that logging into self-hosting sites using Persona will not work. I will open another bug for that.
Comment 6 Mark Macdonald CLA 2012-10-11 16:56:29 EDT
reopened
Comment 7 Mark Macdonald CLA 2012-10-11 17:11:00 EDT
When the auth host is configured in the server settings, do not attempt to validate the serverName/scheme/port provided in the client request, but rather use the auth host to generate the Persona audience. Fall back to the 'is-loopback' logic only when there is no auth host configured.

http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?h=bug391179_6
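The following is an added illustration (not Orion's code, and not Mozilla's verifier) of the two points made in comment 1 and comment 7: how an audience derived from the request the app server sees diverges from the browser's origin once a TLS-terminating proxy sits in front, and how a configured auth host sidesteps that while the loopback case keeps working for local development. The request dict, the `mock_verifier` function, its port-defaulting rule and the refusal of non-loopback requests without a configured auth host are all this example's own assumptions; the real verifier's comparison rules are not reproduced here.

```python
# Added example: Persona audience derivation behind a reverse proxy.
# Illustrative only; names, the request shape and the mock verifier
# are assumptions of this example, not Orion's or Persona's code.
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def split_audience(audience):
    """Return (scheme, host, port) for an audience such as
    'https://orion.eclipse.org:443'. A missing port takes the scheme
    default (assumption of this mock; the real verifier may differ)."""
    u = urlsplit(audience)
    port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
    return u.scheme.lower(), (u.hostname or "").lower(), port


def audience_from_request(req):
    """Naive derivation from what the app server sees (scheme, server
    name, port). Behind a proxy these describe the proxy-to-server hop,
    not the browser's origin, which is the mismatch in the bug report."""
    return f"{req['scheme']}://{req['host']}:{req['port']}"


def persona_audience(req, auth_host=None):
    """Audience the relying party submits to the verifier, following the
    policy described in comment 7: a configured auth host wins outright
    and the request's own scheme/host/port are ignored; without one, only
    a loopback request (developer on localhost) is trusted to describe
    itself. Returning None for non-loopback requests with no auth host
    is this example's choice: the Host header is caller-controlled, so
    an audience derived from it could let an assertion bound to another
    origin verify here."""
    if auth_host:
        return auth_host
    if req["host"].lower() in LOOPBACK_HOSTS:
        return audience_from_request(req)
    return None


def mock_verifier(assertion_audience, rp_audience):
    """Local stand-in for the verifier's audience check: compares the
    audience the browser bound the assertion to with the one the server
    submits and names the first differing component, in the spirit of
    the 'audience mismatch: scheme mismatch' text in the report."""
    a = split_audience(assertion_audience)
    b = split_audience(rp_audience)
    for name, x, y in zip(("scheme", "host", "port"), a, b):
        if x != y:
            return {"status": "failure", "reason": f"audience mismatch: {name} mismatch"}
    return {"status": "okay", "audience": rp_audience}


if __name__ == "__main__":
    # Constructed sample: proxy terminates TLS and forwards plain HTTP
    # to the app server on 8080, while the browser sits at the HTTPS origin.
    proxied = {"scheme": "http", "host": "orion.eclipse.org", "port": 8080}
    browser_audience = "https://orion.eclipse.org"

    # Before: audience built from the proxied request fails verification.
    print(mock_verifier(browser_audience, audience_from_request(proxied)))

    # After: configured auth host is used verbatim and matches the browser.
    configured = persona_audience(proxied, auth_host="https://orion.eclipse.org:443")
    print(mock_verifier(browser_audience, configured))

    # Loopback development server still derives its audience from the request.
    local = {"scheme": "http", "host": "localhost", "port": 8080}
    print(persona_audience(local))
```

The operator-facing lesson is that the configured value must be exactly the origin the browser reports, not what the backend observes; checking the proxy's forwarded headers is not a substitute, since those are also just request data.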
Comment 8 Mark Macdonald CLA 2012-10-11 20:27:31 EDT
pushed 5e1d8af842f870cb11819cefdc3c0741337d9ffa

This was reviewed by Simon, he's going to flip the review flag when he gets a spare minute.