We need to change some config entries in mozillians-dev.allizom.org to point to the correct auth0 account.
OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://auth.mozilla.auth0.com/authorize'
OIDC_OP_TOKEN_ENDPOINT = 'https://auth.mozilla.auth0.com/oauth/token'
OIDC_OP_USER_ENDPOINT = 'https://auth.mozilla.auth0.com/userinfo'
OIDC_OP_DOMAIN = 'auth.mozilla.auth0.com'
OIDC_RP_CLIENT_ID = '<client_id>'
OIDC_RP_CLIENT_SECRET = '<client_secret>'
Client ID and secret are going to be sent GPG encrypted. Please let me know when you work on that so I can send you the credentials.
Hey John, I have taken ownership of this bug. When you're ready, go ahead and email me the GPG encrypted credentials. Once I get them, I'll make the changes for you. Thanks!
John, I have updated the following file with the information you provided:
>/data/python-dev/src/mozillians-dev.allizom.org/mozillians/mozillians/settings/local.py
After that, I ran our deploy script to propagate out the changes. Can you confirm that everything is working for you?
I am still redirected to https://auth-dev.mozilla.auth0.com instead of 'https://auth.mozilla.auth0.com'. Can you send me a diff of the changes?
Hey John, My changes to local.py were not checked into version control so I don't have a diff. I commented out the original settings and added the following (excluding the client ID and secret):
># Bug 1339820
>OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://auth.mozilla.auth0.com/authorize'
>OIDC_OP_TOKEN_ENDPOINT = 'https://auth.mozilla.auth0.com/oauth/token'
>OIDC_OP_USER_ENDPOINT = 'https://auth.mozilla.auth0.com/userinfo'
>OIDC_OP_DOMAIN = 'auth.mozilla.auth0.com'
I noticed the following: https://github.com/mozilla/mozillians/blob/master/mozillians/settings/base.py#L571-L573
On our servers, I changed line 572 from "auth-dev.mozilla.auth0.com" to "auth.mozilla.auth0.com". I wanted to do this to test but in the long run, I'd be happy to file a pull request if you want. After making that change, I tested with and without "OIDC_OP_DOMAIN" in local.py. This was not in the list of OIDC_OP* variables in the old configuration (I assume because of the logic in base.py mentioned above). At this point, it's still taking the user to "auth-dev.mozilla.auth0.com" and it's unclear why. I've grepped through the website source and I have found no references to auth-dev in my current configuration (other than the original config, which I commented out). I'll continue to look at this but I'm open to any ideas you might have.
John, It looks like I needed to perform a graceful restart of Apache. It should work for you now. If you want me to submit that PR to update the code block in base.py, let me know.
Looks OK now. I will change base.py since it is something that we track in our version control. Thanks for the help.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
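The mismatch discussed in the comments above (endpoints set in local.py while a tracked default still names the dev tenant) can be caught before deploying with a consistency check over the merged settings. This is an added example, not code from the mozillians project; the function name check_oidc_settings, the BASE/LOCAL dictionaries and their values are constructed for illustration and do not reproduce the real base.py.

```python
from urllib.parse import urlsplit

ENDPOINT_KEYS = ("OIDC_OP_AUTHORIZATION_ENDPOINT", "OIDC_OP_TOKEN_ENDPOINT",
                 "OIDC_OP_USER_ENDPOINT")
SECRET_KEYS = ("OIDC_RP_CLIENT_ID", "OIDC_RP_CLIENT_SECRET")


def check_oidc_settings(settings, expected_domain):
    """Return (key, problem) pairs; an empty list means the settings agree."""
    problems = []
    domain = settings.get("OIDC_OP_DOMAIN")
    if domain != expected_domain:
        problems.append(("OIDC_OP_DOMAIN", f"is {domain!r}, expected {expected_domain!r}"))
    for key in ENDPOINT_KEYS:
        parts = urlsplit(settings.get(key) or "")
        if parts.scheme != "https":
            problems.append((key, "missing or not an https URL"))
        elif parts.hostname != expected_domain:
            problems.append((key, f"points at {parts.hostname!r}"))
    for key in SECRET_KEYS:
        value = settings.get(key) or ""
        # Report only presence, never the value, so output is safe to paste in a bug.
        if not value or value.startswith("<"):
            problems.append((key, "empty or still a placeholder"))
    return problems


# Constructed stand-in for a tracked default (not the real base.py contents).
BASE = {"OIDC_OP_DOMAIN": "auth-dev.mozilla.auth0.com"}
# Constructed local override that sets the endpoints but omits OIDC_OP_DOMAIN.
LOCAL = {
    "OIDC_OP_AUTHORIZATION_ENDPOINT": "https://auth.mozilla.auth0.com/authorize",
    "OIDC_OP_TOKEN_ENDPOINT": "https://auth.mozilla.auth0.com/oauth/token",
    "OIDC_OP_USER_ENDPOINT": "https://auth.mozilla.auth0.com/userinfo",
    "OIDC_RP_CLIENT_ID": "<client_id>",
    "OIDC_RP_CLIENT_SECRET": "<client_secret>",
}
EFFECTIVE = {**BASE, **LOCAL}  # local values override base, as in settings/local.py

if __name__ == "__main__":
    for key, problem in check_oidc_settings(EFFECTIVE, "auth.mozilla.auth0.com"):
        print(f"{key}: {problem}")
```

A check like this only reads the settings as written; as the thread shows, the running Apache workers kept serving the old values until a graceful restart.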
For some reason I am getting JWS verification errors. Can you encrypt/send the OIDC related config entries that you changed? For some reason, although it points to the right auth0 instance, it doesn't correctly verify the tokens we receive on authentication.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Hey John, I just emailed you an excerpt from local.py showing the changes to OIDC related config entries. The old settings were retained and commented out. If there's anything in the new block of OIDC settings that should be changed, let me know.
Flags: needinfo?(dhartnell) → needinfo?(jgiannelos)
John, I just sent you an update via email. It looks like things are working now (hopefully!).
Looks like it's working fine. Thanks for the help!
Status: REOPENED → RESOLVED
Resolution: --- → FIXED