OpenID failed

Bug #510866 reported by Mariano Cabrera on 2010-01-21
This bug affects 84 people
Affects Status Importance Assigned to Milestone
Ubuntu One Client
Undecided
Unassigned
Ubuntu One Servers
Critical
James Henstridge
django-openid-auth
Critical
James Henstridge

Bug Description

When I sign in, this appears:

OpenID failed

OpenID authentication failed: Nonce already used or out of range

ProblemType: Bug
.home.mariano..cache.ubuntuone.log.syncdaemon.exceptions.log:

.home.mariano..config.ubuntuone.syncdaemon.conf:
 [bandwidth_throttling]
 read_limit = 0
 write_limit = 0
 on = False
.home.mariano..config.ubuntuone.ubuntuone.client.conf:
 [ubuntuone]
 connected = True
 connect = 0
 show_applet = 1
 bookmarked = True
Architecture: i386
CrashDB: ubuntuone
Date: Thu Jan 21 17:38:21 2010
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
Package: ubuntuone-client 1.1.1+r321-0ubuntu1~ppa1~karmic
PackageArchitecture: all
ProcEnviron:
 LANG=es_AR.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-17.54-generic
SourcePackage: ubuntuone-client
ThirdParty: True
Uname: Linux 2.6.31-17-generic i686


Joe (jhartley425) wrote :

I also get "OpenID authentication failed: Nonce already used or out of range"

If I then go to https://one.ubuntu.com/files/ I have really been logged in and I can see my files.

Elliot Murphy (statik) wrote :

Hi James, can you help figure this out? People started running into this in the dev environment yesterday, and then we just started getting reports after the web rollout today. Any chance this is triggered by the updated code in django-openid-auth?

Changed in ubuntuone-client:
assignee: nobody → James Henstridge (jamesh)
importance: Undecided → Critical
status: New → Triaged
James Henstridge (jamesh) wrote :

This particular error message is only generated in one instance by the python-openid library: when the OpenID authentication process is being completed and the provider passes control back to us, it includes an "openid.response_nonce" parameter. If our code thinks it has seen that nonce from the provider, then it treats the message as a replay attack and gives that error.

The nonce is generated by the OpenID Provider as the current time in UTC (down to second accuracy) with 6 characters of random data.

On our end, we accept the nonce if the timestamp is within 5 hours of the current time and we haven't seen the (timestamp, random data) pair before. The code in django-openid-auth used to store nonces in the DB has not changed since 2008, so I don't think it would be the problem.

I asked one of our sysadmins if there had been any obvious clock skew problems. He said there wasn't any evidence of anything that scale, so I'm now getting some log excerpts that might help shed some light on the issue.

James Henstridge (jamesh) wrote :

I've been checking through the excerpts from the Apache logs, and there are a fair number of cases where the /auth/complete URL is hit multiple times with the same OpenID response.

In these cases, the first request gets answered by a 302 response (a redirect back to whatever other page needed authentication), and the subsequent ones in a 403 response (forbidden, presumably with the "Nonce already used or out of range" message).

So that leaves the question of why the user's machine is making multiple requests here.

To Mariano and Joe: when you were trying to log in, did anything weird happen during the process? Did any page take an unusually long time to load? Did you hit the reload button at any point?

Strangely enough, both teknico and beuno got this error in the dev environment.

--
Elliot Murphy | https://launchpad.net/~statik/

Martin Albisetti (beuno) wrote :

If it helps in any way, I can reproduce this locally 100% of the times.

--
Martin

aimpau (aimpau323) wrote :

Reproduced 100%:
OS:
Windows XP
Windows Mobile 6.1

Browser:
Opera 10

Same here. Though even the error exists, I was logged in to Launchpad. Even the password reset(ter) wouldn't go through, though I don't know if it did change my password.

Roman Yepishev (rye) wrote :

Guys, there is 302 response after the original POST that redirects to itself:

POST https://login.launchpad.net/+login-register
  302 Moved Temporarily

GET https://one.ubuntu.com/auth/complete/?janrain_nonce=***&openid.assoc_handle=***&\
  [...]&openid.return_to=https%3A%2F%2Fone.ubuntu.com%2Fauth%2Fcomplete%2F%3F
  302 Found
  The Location header then says:
    Location: https://one.ubuntu.com/auth/complete/...

GET https://one.ubuntu.com/auth/complete/?janrain_nonce=2010-01-22T11%3A16%3A00...
  403 Forbidden

So that's why browser loads the page for the second time.
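The nonce rule James describes above (UTC timestamp plus 6 random characters, accepted only within a 5-hour skew and only once per provider) and the double delivery Roman traces are easy to see side by side in code. This is an added example, not python-openid's or django-openid-auth's code: the in-memory store, the function names and the sample nonce are all constructed here.

```python
import re
from datetime import datetime, timedelta, timezone

# Nonce layout as described in the thread: a UTC timestamp at second
# precision followed by 6 characters of random salt, for example
# "2010-01-22T11:16:00ZaB3xY9" (constructed sample). Skew allowed: 5 hours.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z(\S{6})$")
ALLOWED_SKEW = timedelta(hours=5)
NONCE_ERROR = "Nonce already used or out of range"


class InMemoryNonceStore:
    """Hypothetical stand-in for the DB-backed nonce table: records each
    (server_url, timestamp, salt) triple and refuses to record a repeat."""

    def __init__(self):
        self._seen = set()

    def use_nonce(self, server_url, timestamp, salt):
        key = (server_url, timestamp, salt)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def check_response_nonce(store, server_url, nonce, now):
    """Return None if openid.response_nonce is acceptable, otherwise the
    error string the relying party shows. 'now' is an aware UTC datetime."""
    m = NONCE_RE.match(nonce)
    if not m:
        return NONCE_ERROR
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    if abs(now - ts) > ALLOWED_SKEW:
        return NONCE_ERROR  # out of range: clock skew or a stale response
    if not store.use_nonce(server_url, m.group(1), m.group(2)):
        return NONCE_ERROR  # already used: replay, or the same response delivered twice
    return None


def simulate_double_complete(nonce, now):
    """Deliver one provider response to /auth/complete twice, as the
    self-redirect in the thread does, and return both outcomes."""
    store = InMemoryNonceStore()
    op = "https://login.launchpad.net/"  # provider URL from the thread
    first = check_response_nonce(store, op, nonce, now)
    second = check_response_nonce(store, op, nonce, now)
    return first, second
```

The first delivery is accepted and the second is rejected with exactly the message users report, which is why the login has in fact succeeded by the time the 403 appears.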

Roman Yepishev (rye) on 2010-01-22
Changed in ubuntuone-servers:
status: New → Confirmed
Dave Walker (davewalker) wrote :

I can reproduce this error using trunk django-openid-auth on an entirely different web app, authenticating against a launchpad edge. Therefore I would suggest that the bug is not related to ubuntuone directly.

Using django-openid-auth, revision pre r45 the following error is encountered:

    frames = self.get_traceback_frames()
  File "python2.6/site-packages/django/views/debug.py", line 205, in get_traceback_frames
    pre_context_lineno, pre_context, context_line, post_context = self._get_lines_from_file(filename, lineno, 7, loader, module_name)
  File "python2.6/site-packages/django/views/debug.py", line 186, in _get_lines_from_file
    context_line = source[lineno].strip('\\n')
IndexError: list index out of range

Between revision 45 (which adds sane handling of errors) to trunk it raises the "OpenID authentication failed: Nonce already used or out of range"

Dave Walker (davewalker) wrote :

I've attached a webapp apache logs with semi-sensitive information redacted.

Mike (bild85) wrote :

About an hour ago this happened multiple times for me as well. I was able to get through after about 6-10 times of clicking forward/back, and reposting cache data.

Roman Yepishev (rye) wrote :

The workaround for this is as follows:
Upon receiving OpenID failed error with 'nonce' info, go to https://one.ubuntu.com/
The login attempt _was_ successful, the problem is that the page is not redirected properly.

I have the same problem. I use Ubuntu 9.04

William (wyznaga) wrote :

Hi, could you FIX the bug, thanks. Subscriber: Will

On Sun, Jan 24, 2010 at 12:20 PM, Jaka Škodnik <email address hidden> wrote:

> I have the same problem. I use Ubuntu 9.04
>

James Henstridge (jamesh) wrote :

Thank you for the additional information. I now realise what I was doing wrong in trying to reproduce the bug (I was doing something that required authorisation rather than just going directly to the login view).

I've put together a fix (see the branch attached to the bug) that should fix the problem for any app using django-openid-auth. I'll update the bug when the fix has been rolled out to the U1 servers.

saab_ken (iceman-ca) on 2010-01-26
Changed in ubuntuone-client:
status: Triaged → Fix Released
status: Fix Released → Confirmed
status: Confirmed → Incomplete
bulldog (tomsimonite) wrote :

I still experience this 100% of the time on either Chromium or Firefox, using Ubuntu 9.10.

Ofer (oferfrid-gmail) wrote :

For me this just disappeared... (all OK for now).

Ofer Fridman
http://ofer.fridmanfamily.org/

nomnex (nomnex) wrote :

> OpenID failed
> OpenID authentication failed: Nonce already used or out of range

Not for me (recurrent message). Last checked on Wednesday, January 27 2010 at 16:14 JST, on Firefox (Karmic) ver. 3.5.7

Changed in django-openid-auth:
assignee: nobody → James Henstridge (jamesh)
importance: Undecided → Critical
milestone: none → 0.2
status: New → Fix Committed
Changed in ubuntuone-client:
status: Incomplete → Fix Released
status: Fix Released → Incomplete
reeboker (reeboker-cz) wrote :

"I still experience this 100% of the time on either Chromium or Firefox, using Ubuntu 9.10."

Same problem here under Opera too, and as Joe posted on 2010-01-21, I can see the page but no files; under Epiphany the files can at least be seen.

Me too.

I still have this problem in both firefox and chrome.

I am really being logged in and if I go to one.ubuntu.com after the "fail" message I get to see my files in the web interface.

My ubuntu one client will not log in though.

Jerome Krough (jk-chem) wrote :

Ditto, my Ubuntu One client will not log in.

My Ubuntu One client could not log in this morning (I had not asked it to log out and it was logged in yesterday, so something must have disconnected it).

When presented with the Ubuntu One page, I was asked to add my PC again. I did this and checked my account information; nothing seemed different.

The Ubuntu One client could still not log in.

I stopped the Ubuntu One client and started it again, and this time it did manage to log in. When I checked my account information I had a new entry for the same PC, but the "id" (or "serial number") was different.

Is this related to this bug or should I lodge a new one?

Changed in ubuntuone-client:
status: Incomplete → Invalid
Changed in ubuntuone-servers:
status: Confirmed → Fix Committed
importance: Undecided → Critical
assignee: nobody → James Henstridge (jamesh)
Changed in ubuntuone-client:
assignee: James Henstridge (jamesh) → nobody
importance: Critical → Undecided
toaster (trtoaster) wrote :

roadSurfer wrote:
> My Ubuntu One client could not log in this morning (I had not asked it
> to log out and it was logged in yesterday, so something must have
> disconnected it).
>
> When presented with the Ubuntu One page, I was asked to add my PC again.
> I did this and checked my account information, nothing seemed different.
>
> The Ubuntu One client could still not log-in.
>
> I stopped the Ubuntu One client and started it again, and this time it
> did manage to log-in. When I checked my account information I had a new
> entry for the same PC, but the "id" (or "serial number") was different.
>
> Is this related to this bug or should I lodge a new one?
>
Had the same problem yesterday...

nomnex (nomnex) wrote :

Feedback to comment #19. The message below has gone for me since 2 days ago.

> OpenID failed
> OpenID authentication failed: Nonce already used or out of range

However, I experience the same problems as comment #24: one machine with several "id"s, which is confusing. Shall we open a new bug?

> I stopped the Ubuntu One client and started it again, and this time it
> did manage to log-in. When I checked my account information I had a new
> entry for the same PC, but the "id" (or "serial number") was different.

Changed in django-openid-auth:
status: Fix Committed → Fix Released
James Henstridge (jamesh) wrote :

Hi everyone. If you are still seeing this problem in production, please comment on the bug.

Both https://one.ubuntu.com and https://edge.one.ubuntu.com are rolled out with versions of django-openid-auth that we believe are free of the bug. If you can still trigger the problem, please provide details on what steps led to the bug.

Changed in ubuntuone-servers:
status: Fix Committed → Fix Released
gunney (gunney) on 2010-03-25
Changed in django-openid-auth:
status: Fix Released → In Progress
Dave Walker (davewalker) wrote :

@gunney, Please can you comment on the status change. AIUI this has been fixed, so we really need to know if there is a regression.

Changed in django-openid-auth:
status: In Progress → Fix Released
Changed in ubuntuone-client:
status: Invalid → Fix Released

It happened to me too.

Kreuger Burns (car-crazy33) wrote :

I get an OpenID error when trying to access Ubuntu One on my HTC Desire Z

dharani (dharani-sahu) on 2013-03-04
description: updated