anitya icon indicating copy to clipboard operation
anitya copied to clipboard
verified publisher icon fedora-infra

Impossible to connect with my Fedora Account - release-monitoring.org

Open Neustradamus opened this issue 1 year ago • 28 comments

Dear @fedora-infra team, @Zlopez,

When I try to connect on https://release-monitoring.org/ ("login" button): https://release-monitoring.org/login, I select "Fedora", I have a bad dialog browser box to enter my username and password (not secure) but it does not work. If I do "Cancel", I have now the good page: https://id.fedoraproject.org/login/gssapi/negotiate?ipsilon_transaction_id=XXXXXXXXXXXXXX But if I enter "Username" and "Password" and "Log in", it does not work too.

I can specify that I am already connected in separate window with https://accounts.fedoraproject.org/.

Can you solve this blocker problem? Remove the dialog browser box and to use directly website form?

Thanks in advance.

Neustradamus avatar Dec 31 '24 22:12 Neustradamus

Do you still see that? As I can't replicate that.

Anyway I want to realease a new major version of Anitya soon. It will completely change the authentication backend. If you want you can try it here and see if it works for you. You will need account on https://accounts.stg.fedoraproject.org/ for this one.

Zlopez avatar Jan 07 '25 12:01 Zlopez

@Zlopez: Following your comment, I have done again. It is same with current website. I use "Brave Browser", based on "Chromium". I have now tested with Mozilla Firefox, no problem.

With stage website, same problem with "Brave Browser". I select "Fedora", I have a bad dialog browser box to enter my username and password (not secure). With Firefox, I obtain now "Authentication failure".

Neustradamus avatar Jan 07 '25 13:01 Neustradamus

@Zlopez: I recall, it is this identical Cockpit problem:

  • https://github.com/cockpit-project/cockpit/issues/2164
  • https://github.com/cockpit-project/cockpit/issues/13036
  • https://github.com/cockpit-project/cockpit/issues/13202
  • https://github.com/cockpit-project/cockpit/pull/13982

Neustradamus avatar Jan 07 '25 14:01 Neustradamus

I'm using the Brave Browser as well and I don't see the issue in staging or production. I don't see any dialog browser box at all. I hit different issue on production, but that was probably caused by expired auth session. It worked on second time.

Could you try it in private mode without plugins? So we can't be sure that this isn't caused by some plugin enabled in browser.

Zlopez avatar Jan 08 '25 12:01 Zlopez

@Zlopez: From https://stg.release-monitoring.org/login -> Fedora -> There is the bad dialog window and the link is like https://id.stg.fedoraproject.org/login/gssapi/negotiate?ipsilon_transaction_id=XXXXXXXXXXXX

The bad dialog window is like specified in linked tickets:

  • https://cloud.githubusercontent.com/assets/9095120/7208638/34e57c4a-e53a-11e4-88ce-63502410f9a0.jpg
  • https://user-images.githubusercontent.com/19667013/69763037-afa06d00-114a-11ea-8abd-9d318ecc84a5.png

Neustradamus avatar Jan 08 '25 18:01 Neustradamus

I never saw that on Brave, I'm being directly redirected to https://id.stg.fedoraproject.org/.

I'm wondering why it is showing for you.

Zlopez avatar Jan 09 '25 10:01 Zlopez

@Zlopez: Can you solve like Cockpit?

Neustradamus avatar Jan 09 '25 10:01 Neustradamus

Looking at the fix, I don't really understand what they did. It seems like changing something on the system configuration for the cockpit. I don't think that is applicable for Anitya.

Zlopez avatar Jan 09 '25 12:01 Zlopez

I will try to look into it more closely, but right now I'm busy with something else.

Zlopez avatar Jan 09 '25 12:01 Zlopez

For what it's worth, I successfully logged into the page using my FAS credentials several minutes ago.

mcrha avatar Mar 11 '25 08:03 mcrha

@Zlopez, @mcrha: I have verified, I have always same problem that I have initially reported :/

I have the second image here:

  • https://github.com/cockpit-project/cockpit/issues/2164#issuecomment-94050244
  • https://cloud.githubusercontent.com/assets/9095120/7208638/34e57c4a-e53a-11e4-88ce-63502410f9a0.jpg

I have the first image here:

  • https://github.com/cockpit-project/cockpit/issues/13202#issue-529597192
  • https://user-images.githubusercontent.com/19667013/69763037-afa06d00-114a-11ea-8abd-9d318ecc84a5.png

Linked to my links here:

  • https://github.com/fedora-infra/anitya/issues/1874#issuecomment-2575444208

It has been solve into cockpit project here:

  • https://github.com/cockpit-project/cockpit/commit/197079165e651d6ca36bb2c1c2de5bca02451101
  • https://github.com/cockpit-project/cockpit/pull/13982

It is linked to GSSAPI and Kerberos:

  • https://github.com/cockpit-project/cockpit/issues/2164#issuecomment-94129163
  • https://github.com/cockpit-project/cockpit/issues/2164#issuecomment-155976506

Can you see with @cockpit-project team to solve it in Anitya? Dear @martinpitt, @mvollmer, @stefwalter, @marusak: Can you look it?

Thanks in advance.

Neustradamus avatar Mar 11 '25 08:03 Neustradamus

The only thing I know is that it worked with no problem for me. I had offered the FAS web page on the first shot, with no browser's user-name/password dialog, when I opened the https://release-monitoring.org/ and asked the page to log in and chose there the Fedora account login (I'm currently logged it there, I cannot tell you exact names of the buttons I clicked, but they sound the same as you described in the description).

Can it be any browser setting/cookie? Did you try with a different browser, say like Epiphany (if using for example Firefox, or vice versa)? I'm only throwing ideas, which might be completely false.

mcrha avatar Mar 11 '25 09:03 mcrha

@mcrha: My tests, I have tried with Brave Browser (a Chromium based), Opera Browser (a Chromium based), Vivaldi Browser (a Chromium based), Comodo Dragon Browser (a Chromium based), Supermium (a Chromium based), etc.

Like I have said, no problem with Mozilla Firefox which does not support:

  • https://github.com/cockpit-project/cockpit/issues/2164#issuecomment-155976506

Neustradamus avatar Mar 11 '25 10:03 Neustradamus

Firefox supports GSSAPI, I use it every day, for several years, on a different page. Nonetheless, your environment is different from mine, which might be the reason. I'm sorry for the noise.

mcrha avatar Mar 11 '25 10:03 mcrha

There is no problem with Mozilla Firefox.

Have you installed Chromium Browsers?

  • Chromium: https://www.chromium.org/
  • Brave: https://brave.com/
  • Opera: https://www.opera.com/
  • Vivaldi: https://vivaldi.com/
  • Comodo Dragon: https://www.comodo.com/home/browsers-toolbars/browser.php
  • Supermium: https://github.com/win32ss/supermium

Neustradamus avatar Mar 11 '25 10:03 Neustradamus

I do not have any of the Chromium based installed, I have Epiphany, which is WebKitGTK based:

epiphany-47.2-1.fc41.x86_64
webkitgtk6.0-2.46.6-1.fc41.x86_64

and with that I log in without entering the password, it just picks the existing Kerberos FAS ticket.

mcrha avatar Mar 11 '25 10:03 mcrha

I'm using Brave daily and never saw any issue with FAS login. I just logged in using Kerberos ticket few minutes ago.

Zlopez avatar Mar 13 '25 11:03 Zlopez

Do you see the issue on any other service using Fedora Account system? Like pagure.io or bugzilla.redhat.com?

Zlopez avatar Mar 13 '25 11:03 Zlopez

@Zlopez: Do you have this window:

  • https://cloud.githubusercontent.com/assets/9095120/7208638/34e57c4a-e53a-11e4-88ce-63502410f9a0.jpg
  • https://user-images.githubusercontent.com/19667013/69763037-afa06d00-114a-11ea-8abd-9d318ecc84a5.png

I have same for:

  • https://bugzilla.redhat.com/saml2_login.cgi?idp=Fedora%20Account%20System&target=index.cgi
  • https://pagure.io/login/?next=https://pagure.io/

Neustradamus avatar Mar 13 '25 11:03 Neustradamus

No, never saw any pop-up window like that.

Does the authentication works fine for the other sites?

Zlopez avatar Mar 13 '25 12:03 Zlopez

Strange if you have not this box, which is the problem. Same problem in all specified places.

Can you check with cockpit team which has solved the problem?

Neustradamus avatar Mar 13 '25 13:03 Neustradamus

Maybe it would be best to report this on Fedora Infrastructure, as it seems to affect all the systems using FAS. The cockpit solution is not applicable as they are just not sending negotiate auth header when not needed. This is not even handled by release-monitoring.org, but by the authentication system. So it needs to be solved in FAS.

Zlopez avatar Mar 13 '25 14:03 Zlopez

@Zlopez: It is not possible to connect on https://pagure.io/fedora-infrastructure/issues -> Same problem.

Can you look with Fedora Infrastructure team?

Neustradamus avatar Apr 09 '25 00:04 Neustradamus

I can definitely open the ticket on your behalf. But just to make clear, can you login to any service using Fedora account at all?

You can't login to https://pagure.io or https://release-monitoring.org, both of them using FAS (Fedora Account System as authentication method), so it's not only release-monitoring.org problem.

Could you try for example https://koji.fedoraproject.org or https://bodhi.fedoraproject.org.

Zlopez avatar Apr 09 '25 09:04 Zlopez

Looking at the discussion, you are able to login to https://accounts.fedoraproject.org, but that doesn't redirect to https://id.fedoraproject.org. So that could be the difference.

Zlopez avatar Apr 09 '25 09:04 Zlopez

@Zlopez: Any progress on it?

Neustradamus avatar Jul 23 '25 23:07 Neustradamus

I didn't have time to work on this, too much on my plate right now. Could you sent e-mail with your issue to [email protected]? Or open ticket on https://pagure.io/fedora-infrastructure/issues.

Zlopez avatar Jul 24 '25 12:07 Zlopez

@Zlopez: Like I have said, the problem is identical here:

  • https://pagure.io/login/?next=https://pagure.io/fedora-infrastructure/issues

So, I have sent an e-mail with this ticket link.

Hope a fix on id.fedoraproject.org.

Thanks in advance.

Neustradamus avatar Jul 24 '25 18:07 Neustradamus