Ticket #940 (closed defect: wontfix)

Opened 3 years ago

Last modified 3 years ago

OpenID login via Google for same user generates 2 different OpenID URLs

Reported by: rgrp
Owned by: pudo
Priority: blocker
Milestone: ckan-v1.3
Component: ckan

Description

This has been noted twice in the last couple of weeks.

Checking around, my guess is this is due to someone logging in to www.ckan.net and ckan.net. Google generates openid based on the RP (requesting party), which is the requesting domain url unless the openid.realm is set. See:

To fix this we should set the openid.realm (not sure how atm).

If this is not possible an alternative is to make sure we redirect all users to a single site url (perhaps using ckan config option site_url, or doing this in apache).

Cost: 1h

Change History

comment:1 Changed 3 years ago by pudo

  • Status changed from new to assigned

It seems like even with openid.realm set we could only create two "zones": *.ckan.net and ckan.net. We do not want *.ckan.net because it interferes with ccCKANs.

My vote for the moment would be to 303 www.ckan.net to ckan.net.

comment:2 Changed 3 years ago by rgrp

I agree with pudo (though it would not be the end of the world if these were treated as the same realm!). I've now created a permanent redirect for www.ckan.net to ckan.net.

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.ckan\.net$ [NC]
    RewriteRule ^(.*)$ http://ckan.net$1 [R=301,L]
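
As an added illustration (not part of the ticket or of CKAN's code): a sketch of OpenID 2.0 realm matching (section 9.2 of the spec) that shows the two "zones" from comment:1, and why a login served from www.ckan.net needs the redirect from comment:2 once the realm is pinned to ckan.net. The function names, the `site_url` value and the `/user/login` path are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(url):
    """Return (scheme, host, port, path); a realm host may start with '*.'."""
    u = urlsplit(url)
    return u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme), u.path or "/"

def matches_realm(return_to, realm):
    """OpenID 2.0 section 9.2 check: is return_to inside realm?"""
    r_scheme, r_host, r_port, r_path = _parts(realm)
    u_scheme, u_host, u_port, u_path = _parts(return_to)
    if (r_scheme, r_port) != (u_scheme, u_port):
        return False
    if r_host.startswith("*."):
        # Wildcard realm: the bare domain and any sub-domain match.
        suffix = r_host[2:]
        if u_host != suffix and not u_host.endswith("." + suffix):
            return False
    elif u_host != r_host:
        return False
    # Path must equal the realm path or be a sub-directory of it.
    base = r_path if r_path.endswith("/") else r_path + "/"
    return u_path == r_path or u_path.startswith(base)

def auth_request_params(site_url, return_path):
    """Build realm and return_to from the configured site_url, not the Host header."""
    scheme, host, port, _ = _parts(site_url)
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    realm = f"{scheme}://{netloc}/"
    return_to = realm.rstrip("/") + return_path
    if not matches_realm(return_to, realm):
        raise ValueError("return_to is outside the realm")
    return {"openid.realm": realm, "openid.return_to": return_to}

if __name__ == "__main__":
    # Constructed sample values; site_url and /user/login are assumptions.
    print(auth_request_params("http://ckan.net", "/user/login"))
    for realm in ("http://ckan.net/", "http://*.ckan.net/"):
        for host in ("ckan.net", "www.ckan.net"):
            print(realm, host, matches_realm(f"http://{host}/user/login", realm))
```

With the realm fixed to `http://ckan.net/`, a `return_to` on www.ckan.net falls outside it, so the login flow has to start on the canonical host.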

comment:3 Changed 3 years ago by rgrp

  • Status changed from assigned to closed
  • Resolution set to wontfix

Listing as wontfix now since:

  1. Have workaround
  2. Better for most sites to converge on a single domain anyway (for SEO etc) -- via std redirect approach or otherwise
  3. Seems problematic to fix this via openid realm