Last modified: 2014-03-26 06:59:03 UTC
Special:OpenIDXRDS returns URLs based on $wgCanonicalServer. But when it attempts to redirect the user to these URLs, the forceHTTPS cookie kicks in and triggers a redirect to the corresponding https URL, which then fails due to loss of POST data. Chris suggests this be worked around somehow in OpenID rather than having core use a 307 redirect instead of a 302.
This is a problem with the id provider has $wgSecureLogin enabled. Since the WMF is running $wgSecureLogin, we need the extension to work with this in order to deploy it.
*** This bug has been marked as a duplicate of bug 44353 ***
*** Bug 44353 has been marked as a duplicate of this bug. ***
perhaps better the other way around, you are right. Can you help to fix it ?
I tried to hack on it for a couple hours while reviewing it, and it's a difficult issue. But let me add what I know. * Since it was mentioned above, 307 redirects don't seem to work in FF or Chrome for this, otherwise I'd be happy to do that in core. * The issue seems to be that when the consumer does the XRDS querries, the provider gives back http:// urls, even with wgSecureLogin enabled. When it's hacked to only return https:// something else in the Auth library is failing. When I return both, it will POST to the https url, but later it gives throws an exception about a missmatch in the urls. But that's about as far as I was able to get. So it may be a fix inside of the library, or it might be a fix for the return of Special:OpenIDXRDS.
(In reply to comment #5) > difficult issue. But let me add what I know. > > * Since it was mentioned above, 307 redirects don't seem to work in FF or > Chrome for this, otherwise I'd be happy to do that in core. > > * The issue seems to be that when the consumer does the XRDS querries, the > provider gives back http:// urls, even with wgSecureLogin enabled. > ... > But that's about as far as I was able to get. So it may be a fix inside of > the library This is also my view of the story. But my current thinking is, it _could_ be fixed in the library. Only as a remark, not related to this bug: I found - and fixed in E:OpenID - already at least one other issue with the library (the library does not return a correct return value for certificate errors)
see also - https://www.mediawiki.org/wiki/Thread:Extension_talk:OpenID/Return_to_Special:Badtitle_instead_of_the_main_page_after_verification_has_succeeded - https://www.mediawiki.org/wiki/Thread:Extension_talk:OpenID/https_site_and_Special:Badtitle which appear to be related bug reports on the extension's talk page.