Currently, the openid_complete() function works as a big black box, it gets in a $response array as the module got it from the OpenID provider and it returns data and a status one of 'success', 'failed' or 'cancel'.
Cancel can only happen one way (if the remote response explicitly tells us we need to cancel the process), but 'failed' and 'success' can happen different ways. Unfortunately the code outside here does not know what happened exactly. There are three ways the code can lead to success, but I suspect there is little interest in marking that trail. However, there are even more ways it could fail, and it is essential to know about that for modules using OpenID as an API (that is this function without the light wrapper page callback that would invoke this normally). Without this patch, it is impossible to know why did the OpenID login fail, and it is very hard to debug the process (you usually do not have access to arbitrary people's OpenID accounts, right?).
In the interest of making this work on multilingual sites, and since the messages are purely debugging targeted, I did not wrap them in t().
I also did not add any code to actually log these messages. We can do that in openid_authentication_page() if you think that would be a good idea. (In our case, we use it as an API, so we actually log the error with additional information in the wrapper we have for this).
Comments
Comment #1
Gábor HojtsyMore accurate title.
Comment #2
Gábor HojtsyUhm, typo in variable names. It should be response, not reponse (note missing s). Also adding a message for the cancel operation this time.
Comment #3
anavarreSubscribe
Comment #4
effulgentsia CreditAttribution: effulgentsia commentedThis is a good start, but additionally, in the case that openid_verify_assertion() returns FALSE, would be nice to know why. openid_verify_assertion_nonce() already watchdogs different failure conditions, but the rest of openid_verify_assertion() and the functions it calls do not.
Comment #5
jessebeach CreditAttribution: jessebeach commentedI rerolled Gábor's patch from #2 after the introduction of the /core directory.
I added extra watchdog logging to all of the various points in the openid_complete call where the
$response
can be returned as false.Comment #6
jessebeach CreditAttribution: jessebeach commentedSetting to needs review to kick off the testbot.
Comment #7
jessebeach CreditAttribution: jessebeach commentedThat patch file in #5 was empty. Attaching a patch file with actual code in it.
Comment #8
jessebeach CreditAttribution: jessebeach commentedAdded two more watchdogs to openid_association.
Comment #9
effulgentsia CreditAttribution: effulgentsia commentedThis looks great to me. Minor nits:
s/Openid/OpenID/
Why remove the blank line?
s/url/URL/
Comment #10
effulgentsia CreditAttribution: effulgentsia commentedHm, so now we have 3 situations:
How can we apply some consistency to where logging should happen? Should we redo all of this via throwing exceptions instead, allowing the caller to have full control of whether to log or not?
Comment #11
jessebeach CreditAttribution: jessebeach commentedI think we should replace the $messages with a general error message for the end user and replace them with watchdogs for developers. I'll propose this change in an updated patch.
Comment #12
jessebeach CreditAttribution: jessebeach commentedI removed the messages in openid_complete and replaced them with watchdog logs. Reporting a failure to the end user is accomplished in openid.pages.inc, openid_authentication_page.
Comment #13
jessebeach CreditAttribution: jessebeach commentedUpdated the watchdog messages in openid_verify_assertion_return_url to be more explicit about what caused the error.
Comment #14
jessebeach CreditAttribution: jessebeach commentedSmall text updates after a review from Gabor. One of the watchdog strings couldn't be properly translated because of the way the variables were manipulated.
Comment #15
effulgentsia CreditAttribution: effulgentsia commented$service is an array here, so can't be passed as a variable to watchdog().
I think in general in Drupal, we try to avoid truncated names like 'ret' instead of 'return'. Since this will appear in translation interfaces, I think @return_name, @return_value would be better. Also, looks like @return_name is the same as @name, so do we need them to use different tokens?
Comment #16
jessebeach CreditAttribution: jessebeach commentedFixed the first issue with $service by referencing $service['uri'].
For issue two, I renamed the replacement tokens to $return_value and $return_name. I assumed that the number of replacement tokens in the string needs to equal the number of replacement values in the proceeding arguments array. The docs for watchdog don't make this explicit, so I went with a cautious approach.
Comment #17
jessebeach CreditAttribution: jessebeach commentedComment #18
sun1. The log messages can be shortened.
2. Most of these should not be WATCHDOG_WARNINGs - only use a higher severity than the default (notice) if the logged message should matter for the site owner. I don't think that's the case in most or all of these cases.
Comment #19
jessebeach CreditAttribution: jessebeach commentedGood points Sun. I'll get this rerolled.
Comment #20
jessebeach CreditAttribution: jessebeach commentedRolled for D7 as well.
Comment #21
jessebeach CreditAttribution: jessebeach commentedGrrr, I removed a stray carriage return in the openid_verbose_logging-1078476-17.patch and added it as another attachment, deselecting the original to list, but it showed up anyway. In any case, the second openid_verbose_logging-1078476-17.patch is the right one. The two only differ by a carriage return in the commit message to the patch.
Comment #22
c960657 CreditAttribution: c960657 commentedSome messages mentions the @endpoint, and some don't. Of course we cannot provide a lot of context, but right now the level of context seems a little random. Would it make sense to include e.g. the Claimed ID in all messages?
We usually refer to service provides as OpenID providers.
Endpoint URIs are referred to as @provider, @service and @endpoint. I suggest we stick to the latter.
Instead of surroundings @foo with comma or quotes, I suggest you use %foo.
I suggest you remove the outer if wrapper and instead return FALSE after each watchdog call. No need to check for the same thing twice.
Likewise in openid_complete() when checking for $_SESSION['openid']['service']['uri'] and $_SESSION['openid']['service']['claimed_id']: If you want to check for the two values independently rather having one combined error message (something like “service and/or claimed_id missing”), I suggest you the two checks to the top and return early if they fail. This keeps the error message immediately below the detection of the error, and by returning early we can get rid of the very deep nesting of if clauses – both of these should make the code easier to read.
I.e. instead of doing this:
I suggest we do this:
This may sound like a big change, but it is basically just moving existing code around, combined with a lot of indentation changes. What do you think of this?
This error message is not quite accurate if the openid_discovery() call right above failed (e.g. if the remote server temporarily failed to respond). In fact, in that case $uri is undefined, so this is a bug in the current code. But it would be nice if you could make two separate error messages for this event. Also, I think this specific error messages should include both $service['uri'] and $claimed_id.
Comment #23
jessebeach CreditAttribution: jessebeach commented@c960657, you should definitely propose the changes in a patch rather than text descriptions. It'll get them closer to being committed faster!
Comment #24
star-szrIt looks like this bugfix is relevant for D7 so bumping back to there because of https://www.drupal.org/node/2116417. The D7 patch from #20 still applies.
Comment #25
mgifford