OpenID failed

Bug #510866 reported by Mariano Cabrera
This bug affects 84 people
Affects             Status        Importance  Assigned to       Milestone
Ubuntu One Client   Fix Released  Undecided   Unassigned
Ubuntu One Servers  Fix Released  Critical    James Henstridge
django-openid-auth  Fix Released  Critical    James Henstridge

Bug Description

When I sign in, this appears:

OpenID failed

OpenID authentication failed: Nonce already used or out of range

ProblemType: Bug
.home.mariano..cache.ubuntuone.log.syncdaemon.exceptions.log:

.home.mariano..config.ubuntuone.syncdaemon.conf:
 [bandwidth_throttling]
 read_limit = 0
 write_limit = 0
 on = False
.home.mariano..config.ubuntuone.ubuntuone.client.conf:
 [ubuntuone]
 connected = True
 connect = 0
 show_applet = 1
 bookmarked = True
Architecture: i386
CrashDB: ubuntuone
Date: Thu Jan 21 17:38:21 2010
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
Package: ubuntuone-client 1.1.1+r321-0ubuntu1~ppa1~karmic
PackageArchitecture: all
ProcEnviron:
 LANG=es_AR.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-17.54-generic
SourcePackage: ubuntuone-client
ThirdParty: True
Uname: Linux 2.6.31-17-generic i686

Mariano Cabrera (mariano-cabrera) wrote :
Joe (jhartley425) wrote :

I also get "OpenID authentication failed: Nonce already used or out of range"

If I then go to https://one.ubuntu.com/files/ I have really been logged in and I can see my files.

Elliot Murphy (statik) wrote :

Hi James, can you help figure this out? People started running into this in the dev environment yesterday, and then we just started getting reports after the web rollout today. Any chance this is triggered by the updated code in django-openid-auth?

Changed in ubuntuone-client:
assignee: nobody → James Henstridge (jamesh)
importance: Undecided → Critical
status: New → Triaged
James Henstridge (jamesh) wrote :

This particular error message is only generated in one instance by the python-openid library: when the OpenID authentication process is being completed and the provider passes control back to us, it includes an "openid.response_nonce" parameter. If our code thinks it has seen that nonce from the provider, then it treats the message as a replay attack and gives that error.

The nonce is generated by the OpenID Provider as the current time in UTC (down to second accuracy) with 6 characters of random data.

On our end, we accept the nonce if the timestamp is within 5 hours of the current time and we haven't seen the (timestamp, random data) pair before. The code in django-openid-auth used to store nonces in the DB has not changed since 2008, so I don't think it would be the problem.

I asked one of our sysadmins if there had been any obvious clock skew problems. He said there wasn't any evidence of anything that scale, so I'm now getting some log excerpts that might help shed some light on the issue.

James Henstridge (jamesh) wrote :

I've been checking through the excerpts from the Apache logs, and there are a fair number of cases where the /auth/complete URL is hit multiple times with the same OpenID response.

In these cases, the first request gets answered by a 302 response (a redirect back to whatever other page needed authentication), and the subsequent ones in a 403 response (forbidden, presumably with the "Nonce already used or out of range" message).

So that leaves the question of why the user's machine is making multiple requests here.

To Mariano and Joe: when you were trying to log in, did anything weird happen during the process? Did any page take an unusually long time to load? Did you hit the reload button at any point?

Elliot Murphy (statik) wrote : Re: [Bug 510866] Re: OpenID failed

Strangely enough, both teknico and beuno got this error in the dev environment.

--
Elliot Murphy | https://launchpad.net/~statik/

Martin Albisetti (beuno) wrote :

If it helps in any way, I can reproduce this locally 100% of the times.

--
Martin

aimpau (aimpau323) wrote :

Reproduced 100%:
OS:
Windows XP
Windows Mobile 6.1

Browser:
Opera 10

Same here. Though even the error exists, I was logged in to Launchpad. Even the password reset(ter) wouldn't go through, though I don't know if it did change my password.

Roman Yepishev (rye) wrote :

Guys, there is 302 response after the original POST that redirects to itself:

POST https://login.launchpad.net/+login-register
  302 Moved Temporarily

GET https://one.ubuntu.com/auth/complete/?janrain_nonce=***&openid.assoc_handle=***&\
  [...]&openid.return_to=https%3A%2F%2Fone.ubuntu.com%2Fauth%2Fcomplete%2F%3F
  302 Found
  The Location header then says:
    Location: https://one.ubuntu.com/auth/complete/...

GET https://one.ubuntu.com/auth/complete/?janrain_nonce=2010-01-22T11%3A16%3A00...
  403 Forbidden

So that's why the browser loads the page for the second time.
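As an added illustration of the nonce check James describes above and of the double hit on /auth/complete in Roman's trace (this is not django-openid-auth's or python-openid's code; the nonce layout follows OpenID 2.0, and the in-memory store, the URL values and the view model are constructed for the example):

```python
import calendar
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# OpenID 2.0 response_nonce: UTC timestamp to the second, a 'Z', then random chars.
NONCE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z(.+)$")
ALLOWED_SKEW = 5 * 60 * 60  # django-openid-auth accepts nonces within 5 hours

def split_nonce(nonce):
    """Return (unix_timestamp, salt); raise ValueError on a malformed nonce."""
    m = NONCE_RE.match(nonce)
    if m is None:
        raise ValueError("malformed nonce: %r" % nonce)
    fields = tuple(int(x) for x in m.groups()[:6]) + (0, 0, 0)
    return calendar.timegm(fields), m.group(7)

class NonceStore:
    # In-memory stand-in for the (server_url, timestamp, salt) table in the DB.
    def __init__(self):
        self.seen = set()

    def use_nonce(self, server_url, nonce, now):
        """True the first time a nonce is seen inside the skew window, else False."""
        timestamp, salt = split_nonce(nonce)
        if abs(now - timestamp) > ALLOWED_SKEW:
            return False  # out of range
        key = (server_url, timestamp, salt)
        if key in self.seen:
            return False  # already used: a replay and a re-sent browser request look the same
        self.seen.add(key)
        return True

def auth_complete(store, url, now):
    """Model the /auth/complete view: 302 on success, 403 on a rejected nonce."""
    query = parse_qs(urlsplit(url).query)
    ok = store.use_nonce(query["openid.op_endpoint"][0],
                         query["openid.response_nonce"][0], now)
    return 302 if ok else 403

# Constructed response resembling the trace above; the values are made up.
RESPONSE_URL = "https://one.ubuntu.com/auth/complete/?" + urlencode({
    "openid.op_endpoint": "https://login.launchpad.net/+openid",
    "openid.response_nonce": "2010-01-22T11:16:00ZAbc123",
    "openid.return_to": "https://one.ubuntu.com/auth/complete/?",
})
NOW = calendar.timegm((2010, 1, 22, 11, 16, 5, 0, 0, 0))

def replay_trace():
    """Hit the view twice with one response, as the self-redirect did: [302, 403]."""
    store = NonceStore()
    return [auth_complete(store, RESPONSE_URL, NOW) for _ in range(2)]
```

The store cannot tell the redirected re-request from a real replay, which is why the fix has to stop the second request from being made rather than relax the nonce check.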

Roman Yepishev (rye)
Changed in ubuntuone-servers:
status: New → Confirmed
Dave Walker (davewalker) wrote :

I can reproduce this error using trunk django-openid-auth on an entirely different web app, authenticating against a launchpad edge. Therefore I would suggest that the bug is not related to ubuntuone directly.

Using django-openid-auth, revision pre r45, the following error is encountered:
  frames = self.get_traceback_frames()
  File "python2.6/site-packages/django/views/debug.py", line 205, in get_traceback_frames
    pre_context_lineno, pre_context, context_line, post_context = self._get_lines_from_file(filename, lineno, 7, loader, module_name)
  File "python2.6/site-packages/django/views/debug.py", line 186, in _get_lines_from_file
    context_line = source[lineno].strip('\\n')
IndexError: list index out of range

Between revision 45 (which adds sane handling of errors) and trunk it raises the "OpenID authentication failed: Nonce already used or out of range"

Dave Walker (davewalker) wrote :

I've attached a webapp's Apache logs with semi-sensitive information redacted.

Mike (bild85) wrote :

About an hour ago this happened multiple times for me as well. I was able to get through after about 6-10 times of clicking forward/back, and reposting cache data.

Roman Yepishev (rye) wrote :

The workaround for this is as follows:
Upon receiving OpenID failed error with 'nonce' info, go to https://one.ubuntu.com/
The login attempt _was_ successful, the problem is that the page is not redirected properly.

JS (j.s-deactivatedaccount-deactivatedaccount-deactivatedaccount) wrote :

I have the same problem. I use Ubuntu 9.04

William (wyznaga) wrote :

Hi, could you FIX the bug, thanks. Subscriber: Will

On Sun, Jan 24, 2010 at 12:20 PM, Jaka Škodnik <email address hidden> wrote:

> I have the same problem. I use Ubuntu 9.04
>

James Henstridge (jamesh) wrote :

Thank you for the additional information. I now realise what I was doing wrong in trying to reproduce the bug (I was doing something that required authorisation rather than just going directly to the login view).

I've put together a fix (see the branch attached to the bug) that should fix the problem for any app using django-openid-auth. I'll update the bug when the fix has been rolled out to the U1 servers.

saab_ken (iceman-ca)
Changed in ubuntuone-client:
status: Triaged → Fix Released
status: Fix Released → Confirmed
status: Confirmed → Incomplete
bulldog (tomsimonite) wrote :

I still experience this 100% of the time on either Chromium or Firefox, using Ubuntu 9.10.

Ofer (oferfrid-gmail) wrote :

For me this just disappeared... (all OK for now).

Ofer Fridman
http://ofer.fridmanfamily.org/

nomnex (nomnex) wrote :

> OpenID failed
> OpenID authentication failed: Nonce already used or out of range

Not for me (recurrent message). Last checked on Wednesday, January 27 2010 at 16:14 JST, on Firefox (Karmic) ver. 3.5.7

Changed in django-openid-auth:
assignee: nobody → James Henstridge (jamesh)
importance: Undecided → Critical
milestone: none → 0.2
status: New → Fix Committed
antub (antub)
Changed in ubuntuone-client:
status: Incomplete → Fix Released
status: Fix Released → Incomplete
reeboker (reeboker-cz) wrote :

"I still experience this 100% of the time on either Chromium or Firefox, using Ubuntu 9.10."

Same problem here under Opera too, and as Joe posted on 2010-01-21, I can see the page but no files, under epiphany the files can be at least seen.

Drew Fitzsimmons (drew-fitzsimmons) wrote :

Me too.

I still have this problem in both firefox and chrome.

I am really being logged in and if I go to one.ubuntu.com after the "fail" message I get to see my files in the web interface.

My ubuntu one client will not log in though.

Jerome Krough (jk-chem) wrote :

Ditto, My Ubuntu One client will not log in.

Twisted Lucidity (lucidlytwisted) wrote :

My Ubuntu One client could not log in this morning (I had not asked it to log out and it was logged in yesterday, so something must have disconnected it).

When presented with the Ubuntu One page, I was asked to add my PC again. I did this and checked my account information, nothing seemed different.

The Ubuntu One client could still not log-in.

I stopped the Ubuntu One client and started it again, and this time it did manage to log-in. When I checked my account information I had a new entry for the same PC, but the "id" (or "serial number") was different.

Is this related to this bug or should I lodge a new one?

Changed in ubuntuone-client:
status: Incomplete → Invalid
Changed in ubuntuone-servers:
status: Confirmed → Fix Committed
importance: Undecided → Critical
assignee: nobody → James Henstridge (jamesh)
Changed in ubuntuone-client:
assignee: James Henstridge (jamesh) → nobody
importance: Critical → Undecided
toaster (trtoaster) wrote :

roadSurfer wrote:
> My Ubuntu One client could not log in this morning (I had not asked it
> to log out and it was logged in yesterday, so something must have
> disconnected it).
>
> When presented with the Ubuntu One page, I was asked to add my PC again.
> I did this and checked my account information, nothing seemed different.
>
> The Ubuntu One client could still not log-in.
>
> I stopped the Ubuntu One client and started it again, and this time it
> did manage to log-in. When I checked my account information I had a new
> entry for the same PC, but the "id" (or "serial number") was different.
>
> Is this related to this bug or should I lodge a new one?
>
Had the same problem yesterday...

nomnex (nomnex) wrote :

Feedback to comment #19. The message below has gone for me since 2 days ago.

> OpenID failed
> OpenID authentication failed: Nonce already used or out of range

However, I experience the same problems as comment #24: One machine with several "id", this is confusing. Shall we open a new bug?

> I stopped the Ubuntu One client and started it again, and this time it
> did manage to log-in. When I checked my account information I had a new
> entry for the same PC, but the "id" (or "serial number") was different.

Changed in django-openid-auth:
status: Fix Committed → Fix Released
James Henstridge (jamesh) wrote :

Hi everyone. If you are still seeing this problem in production, please comment on the bug.

Both https://one.ubuntu.com and https://edge.one.ubuntu.com are rolled out with versions of django-openid-auth that we believe are free of the bug. If you can still trigger the problem, please provide details on what steps led to the bug.

Changed in ubuntuone-servers:
status: Fix Committed → Fix Released
gunney (gunney)
Changed in django-openid-auth:
status: Fix Released → In Progress
Dave Walker (davewalker) wrote :

@gunney, Please can you comment on the status change. AIUI this has been fixed, so we really need to know if there is a regression.

Changed in django-openid-auth:
status: In Progress → Fix Released
Changed in ubuntuone-client:
status: Invalid → Fix Released
Tananeth Laemlukvorakul (ang-luver) wrote :

It happened to me too.

Kreuger Burns (car-crazy33) wrote :

I get an OpenID error when trying to access Ubuntu One on my HTC Desire Z

dharani (dharani-sahu)
description: updated