Package: sso.debian.org

Hi guys,

Please see below. It seems that users can get locked out of sso.debian.org (temporarily? permanently?) as a result of too many bad password attempts, and that it's not obvious to the user that this will happen, when it will happen, or that it has happened.

Even assuming that this is actually what's going on in the problem described here. Given that Steve reports he was still seeing the problem in one browser, but able to log in successfully with another, maybe the problem lies elsewhere?

----- Forwarded message from Steve McIntyre <st...@einval.com> -----

Date: Tue, 6 May 2014 00:04:37 +0100
From: Steve McIntyre <st...@einval.com>
To: Steve Langasek <vor...@debian.org>, debconf-t...@lists.debconf.org
Subject: Re: [Debconf-team] SSO problems?
User-Agent: Mutt/1.5.21 (2010-09-15)

On Mon, May 05, 2014 at 03:30:55PM -0700, Steve Langasek wrote:
>On Mon, May 05, 2014 at 10:19:11PM +0100, Steve McIntyre wrote:
>> I've tried to log in a couple of times using my SSO password, now I'm
>> getting this:
>
>> Forbidden
>
>> You don't have permission to access /o/authorize on this server.
>> Apache Server at sso.debian.org Port 443
>
>Someone else has reported this on IRC, but gone idle before I could get any
>details. Maybe helpful if you can drop in one of the appropriate channels
>so we can debug this in realtime.

It's getting too late here for me to jump into IRC tonight, I'm afraid. So here's as much detail as I can give by mail...

>I'm not able to reproduce the described problem. Can you please give:
>
> - the URL of the page on summit.debconf.org that you followed the link from

Following a link from http://debconf14.debconf.org/registration.xhtml , pointing at https://summit.debconf.org/debconf14/registration/ .
That redirected to https://sso.debian.org/o/authorize?scope=openid+email+profile&state=WRVFSOMpGbT2Gsd0wBlSsZYqnnF5Tc1q&redirect_uri=https://summit.debconf.org/complete/debian-oauth2/&response_type=code&client_id=HUL=1jMcEEjGjYJecEI@xuJKF2N8i!LmVXpaeusm which is the page with the 403.

> - the full URL of the link you were following
> - if you had failed login attempts before hitting the error, how many times
>   that happened before you got the Forbidden error (i.e., is this an
>   account lockout kind of thing)

I think it may well be that. I couldn't remember my SSO password (maybe 2 attempts there), so went and changed it. I tried again with the new password a couple of times (I'm guessing before settings had synced somewhere?), and that's when I started getting the 403 page. I'm still seeing it now if I try again from the same browser (iceweasel). Switching to chromium a little later, I was able to log in successfully using the new SSO password.

>Sorry for the trouble. It seems that DebConf registration is really finding
>the corner cases on the new SSO service. Assuming the SSO team don't go on
>strike in protest, I'm sure we'll have it all sorted out before too much
>longer.

Hopefully... :-)

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
"Every time you use Tcl, God kills a kitten." -- Malcolm Ray

----- End forwarded message -----

Thanks,
-- 
Steve Langasek
Debian Developer
Ubuntu Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/
slanga...@ubuntu.com
vor...@debian.org