[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#747150: non-obvious password lockout? [steve@einval.com: Re: [Debconf-team] SSO problems?]



Package: sso.debian.org

Hi guys,

Please see below.  It seems that users can get locked out of sso.debian.org
(temporarily? permanently?) as a result of too many bad password attempts,
and that it's not obvious to the user that this will happen, when it will
happen, or that it has happened.

Even assuming that this is actually what's going on in the problem described
here.  Given that Steve reports he was still seeing the problem in one
browser, but able to log in successfully with another, maybe the problem
lies elsewhere?


----- Forwarded message from Steve McIntyre <steve@einval.com> -----

Date: Tue, 6 May 2014 00:04:37 +0100
From: Steve McIntyre <steve@einval.com>
To: Steve Langasek <vorlon@debian.org>, debconf-team@lists.debconf.org
Subject: Re: [Debconf-team] SSO problems?
User-Agent: Mutt/1.5.21 (2010-09-15)

On Mon, May 05, 2014 at 03:30:55PM -0700, Steve Langasek wrote:
>On Mon, May 05, 2014 at 10:19:11PM +0100, Steve McIntyre wrote:
>> I've tried to log in a couple of times using my SSO password, now I'm
>> getting this:
>
>> Forbidden
>
>> You don't have permission to access /o/authorize on this server.
>> Apache Server at sso.debian.org Port 443
>
>Someone else has reported this on IRC, but gone idle before I could get any
>details.  Maybe helpful if you can drop in one of the appropriate channels
>so we can debug this in realtime.

It's getting too late here for me to jump into IRC tonight, I'm
afraid. So here's as much detail as I can give by mail...

>I'm not able to reproduce the described problem.  Can you please give:
>
> - the URL of the page on summit.debconf.org that you followed the link from

Following a link from

  http://debconf14.debconf.org/registration.xhtml

, pointing at

   https://summit.debconf.org/debconf14/registration/ 

. That redirected to

  https://sso.debian.org/o/authorize?scope=openid+email+profile&state=WRVFSOMpGbT2Gsd0wBlSsZYqnnF5Tc1q&redirect_uri=https://summit.debconf.org/complete/debian-oauth2/&response_type=code&client_id=HUL=1jMcEEjGjYJecEI@xuJKF2N8i!LmVXpaeusm

which is the page with the 403.

> - the full URL of the link you were following
> - if you had failed login attempts before hitting the error, how many times
>   that happened before you got the Forbidden error (i.e., is this an
>   account lockout kind of thing)

I think it may well be that. I couldn't remember my SSO password
(maybe 2 attempts there), so went and changed it. I tried again with
the new password a couple of times (I'm guessing before settings had
synced somewhere?), and that's when I started getting the 403
page. I'm still seeing it now if I try again from the same browser
(iceweasel). Switching to chromium a little later, I was able to log
in successfully using the new SSO password.

>Sorry for the trouble.  It seems that DebConf registration is really finding
>the corner cases on the new SSO service.  Assuming the SSO team don't go on
>strike in protest, I'm sure we'll have it all sorted out before too much
>longer.

Hopefully... :-)

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Every time you use Tcl, God kills a kitten." -- Malcolm Ray


----- End forwarded message -----

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature


Reply to: