At commit:40a50a0
In lib/openid.php
It looks like a number of possible errors culminating in a "no idea which user" condition are handled with "log something and proceed". I think we need to abandon ship at this point, presumably redirecting with an auth_error session var like in the earlier $resp->error condition.
if (!$id_payload->sub) {
error_log(json_encode($id_payload));
}
(After this the errors seem relatively benign: "don't know your full name" etc.)
I'm not sure what the best error message is here, but surely it shouldn't say OpenID:
if (!$resp) {
error_log(json_encode($http_response_header));
$_SESSION["auth_error"] = "Error: not a valid OpenID.";
In public_html/openid_verify_oauth2.php
I suspect this regexp was meant to have a ^ anchor:
if (ereg ("/[^:]*$", $_REQUEST["return_url"], $regs))
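The following is an added example, not code from the reviewed repository, sketching the three points above (abort on a missing sub claim, a provider-neutral error message, and the anchored return_url check) in one runnable PHP file. The function names, the '/login' redirect target, the error wording, and the reading that the regexp is meant to accept only a site-relative path are all assumptions; ereg() is replaced by preg_match() because ereg() was removed in PHP 7.

```php
<?php
// Added example, not the project's own code. Names, the redirect target and
// the error wording are assumptions made for illustration.

declare(strict_types=1);

// Abort the login flow the way the earlier $resp->error branch does:
// record the error for the login page, redirect, and stop executing.
// The '/login' target is an assumption.
function abort_auth(string $message, string $redirect_to = '/login'): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION['auth_error'] = $message;
    header('Location: ' . $redirect_to, true, 302);
    exit;
}

// Without a subject there is no user to log in, so stop here instead of
// logging and proceeding. Returns the subject when present.
function require_subject(object $id_payload): string
{
    if (!isset($id_payload->sub) || $id_payload->sub === '') {
        error_log('ID token without sub: ' . json_encode($id_payload));
        // Wording is illustrative; the review leaves the exact text open,
        // but it should not mention OpenID for an OAuth2 flow.
        abort_auth('Error: the identity provider did not identify a user.');
    }
    return (string) $id_payload->sub;
}

// Anchored form of the return_url check. Assumption: the intent is to
// accept only a site-relative path (leading '/', no scheme separator).
function is_local_return_url(string $url): bool
{
    return preg_match('#^/[^:]*$#', $url) === 1;
}

// The unanchored pattern from the original, kept only to show what it
// lets through: any string ending in '/' plus non-colon characters.
function matches_unanchored(string $url): bool
{
    return preg_match('#/[^:]*$#', $url) === 1;
}

// Constructed sample inputs for a command-line run.
if (PHP_SAPI === 'cli') {
    $samples = [
        '/account',                      // local path: both accept
        '/account?next=/x',              // local path with query: both accept
        'https://evil.example/account',  // absolute URL: only unanchored accepts
        '//evil.example/account',        // protocol-relative: both accept (see note)
        'javascript:alert(1)',           // no '/', so neither pattern matches
    ];
    foreach ($samples as $s) {
        printf("%-32s unanchored=%-5s anchored=%s\n", $s,
            matches_unanchored($s) ? 'match' : 'no',
            is_local_return_url($s) ? 'match' : 'no');
    }
}
```

One caveat worth noting while touching this line: even with the ^ anchor, a protocol-relative value such as //evil.example/account contains no colon and still passes, so if the goal is to keep return_url on this site, rejecting a leading // (or comparing the parsed host) is a separate fix beyond the missing anchor.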