1. PyPA
  2. Python Packaging Authority Projects
  3. pypi


Issue #66 wontfix

Error when trying to use OpenID.

Antoine Pitrou (Optiflows)
created an issue

When trying to use OpenID to log in on PyPI, I first get redirected to my OpenID provider, but when the provider subsequently redirects to PyPI, PyPI shows the following error:

Login failed:NotAuthenticated('Replay attack detected', 9)

Comments (12)

  1. Antoine Pitrou (Optiflows) reporter

    I've just looked at my SimpleID logs, the "response_nonce" is different at each request. However, it appears that SimpleID generates nonces of the form "2013-09-12T11:29:18Z3ca6a26e" where 3ca6a26e is some random hex string. Perhaps PyPI stops at the first colon or hyphen?

    Should I look at something else?

  2. Antoine Pitrou (Optiflows) reporter

    Ok, thanks. As far as I can tell, the nonce looks legit. I tried to reproduce manually the timestamp check at the beginning of duplicate_nonce() and it succeeded (but, of course, the server's time may be different).

  3. martinpaljak

    Given that it comes from nginx and the request is a 1323 byte GET request, I also had to change this in nginx configuration to make it work: large_client_header_buffers 4 8k;

    Maybe it is as simple as this.

  4. Log in to comment