Project

General

Profile

Actions

action #125459

closed

[o3-logwarn] error naive_verify_failed_return: Direct contact invalidated ID provider response. size:M

Added by okurz almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Regressions/Crashes
Target version:
Start date:
2023-03-06
Due date:
% Done:

0%

Estimated time:

Description

Observation

From email:

[2023-03-06T12:37:33.186220Z] [error] naive_verify_failed_return: Direct contact invalidated ID provider response.

access_log:

192.168.47.102 - - [06/Mar/2023:12:37:32 +0000] "POST /response?return_page=…&oic.time=… HTTP/1.1" 302 - "https://id.opensuse.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 F
irefox/109.0" 316

Acceptance criteria

  • AC1: We know what the error means
  • AC2: The problem is dealt with or the error is ignored

Suggestions

  • It is likely an error from Net::OpenID::Consumer.
Actions #1

Updated by jbaier_cz almost 2 years ago

That looks like an error from Net::OpenID::Consumer

Actions #2

Updated by mkittler almost 2 years ago

  • Subject changed from [o3-logwarn] error naive_verify_failed_return: Direct contact invalidated ID provider response. to [o3-logwarn] error naive_verify_failed_return: Direct contact invalidated ID provider response. size:M
  • Description updated (diff)
  • Status changed from New to Workable
Actions #3

Updated by mkittler almost 2 years ago

  • Assignee set to mkittler
Actions #4

Updated by mkittler almost 2 years ago

  • Status changed from Workable to In Progress

It comes from Net::OpenID::Consumer, indeed:

=item C<naive_verify_failed_return>

(V) An attempt to confirm a positive assertion via direct contact (check_authentication) received an explicitly negative response (C<openid.is_valid = FALSE>).
Actions #5

Updated by mkittler almost 2 years ago

  • Status changed from In Progress to Feedback

We're explicitly logging this error from the provider's error callback. We're also showing it the user in form of a flash message.

I've tried to provoke this locally but couldn't reproduce it playing around with our OpenID provider (e.g. clicking on the "Reject" button or entering false credentials didn't trigger the problem). According to the specification the error means that the signature of the verification request is not valid. I suspect there was something wrong on the remote side. Especially since it is working again, there's likely nothing to be fixed on our side.

For now I've created https://github.com/os-autoinst/openQA/pull/5034 for better context of the error message.

I guess we should decide whether we want to be alerted about this problem in the future. This time the alert wasn't really actionable (besides a slight improvement of the error message). I don't think it'll be actionable next time as well. So it would likely be best to ignore it in our alerting. We could either just ignore naive_verify_failed_return specifically or (when the PR has been merged) all OpenID-related errors. To be on the safe side, I'd created https://github.com/os-autoinst/openqa-logwarn/pull/44 to ignore only the specific error for now.

Actions #6

Updated by mkittler almost 2 years ago

  • Status changed from Feedback to Resolved

Both PRs have been merged so I'm considering this resolved.

Actions #7

Updated by okurz almost 2 years ago

For such cases I suggest to use the "warn" loglevel and not "error". Just excluding from logwarn makes the issue not visible "for us" but not for other users of openQA.

Actions

Also available in: Atom PDF