Hi list,

tl;dr: Why is the Fedora ID server using HTTP communication by default?

Some context:

I was debugging a login process for the www.softwarecollections.org
website, which utilizes Fedora ID. After pulling my hair for a bit,
it turned out that somewhere along the network road,
any un-encrypted HTTP requests were getting blocked,
while HTTPS requests were allowed.
This caused the login process to time out in the middle,
since it tried to do OpenID discovery using HTTP.

Now, I really do not understand how OpenID is *supposed* to work,
but unless I missed something, the HTTP requests were issued
in reaction to the initial response from the Fedora ID service.
To put it differently, my app was instructed to issue the next request
in the process over HTTP, even if the original one was over HTTPS.

AFAIK that request is immediately 302'd to HTTPS afterwards,
but given the network settings, I never got that far.
That got me wondering: why is HTTPS not used in the communication
by default? In other words, why are the URLs returned in responses from
Fedora ID using HTTP instead of HTTPS, when the redirect suggests
that HTTPS is preferred?

As stated above, I have no real idea about how OpenID actually works,
so a link to the docs and "That's why" is considered a perfectly valid
answer :)

Preliminary thanks to anyone who takes the time to educate me on this!
--
Jan Staněk
Software Engineer, Red Hat
jsta...@redhat.com   irc: jstanek
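The failure described in the mail (a discovery response advertising a plain-HTTP OpenID endpoint, which the relying party then tries to contact) is something the relying party can detect before it sends anything. The following is an added example, not code from the original mail or from the Fedora ID service: it parses an OpenID 2.0 XRDS discovery document and flags every advertised endpoint URI that is not HTTPS, so a blocked or downgraded endpoint surfaces as a clear finding instead of a timeout mid-login. The XRDS document is constructed for the example and id.example.org is a placeholder host, not the real Fedora ID endpoint.

```python
"""Audit an OpenID 2.0 XRDS discovery document for plain-HTTP endpoints.

Added example, not part of the original mail or of the Fedora ID
service. The XRDS below is constructed and id.example.org is a
placeholder host.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed XRDS document modelled on what an OpenID 2.0 provider
# returns during Yadis discovery. The highest-priority endpoint is
# advertised over plain HTTP, which is the situation the mail describes.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>http://id.example.org/openid/</URI>
    </Service>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://id.example.org/openid/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _local(tag):
    """Strip the XML namespace prefix ({ns}name -> name) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def extract_endpoints(xrds_text):
    """Return (priority, types, uri) tuples for every <Service> in the XRDS.

    XRDS priority is 'lower value wins'; a <Service> without a priority
    attribute sorts last, as the spec requires.
    """
    root = ET.fromstring(xrds_text)
    endpoints = []
    for service in root.iter():
        if _local(service.tag) != "Service":
            continue
        raw_priority = service.get("priority")
        priority = int(raw_priority) if raw_priority is not None else float("inf")
        types = tuple(t.text.strip() for t in service
                      if _local(t.tag) == "Type" and t.text)
        uris = [u.text.strip() for u in service
                if _local(u.tag) == "URI" and u.text]
        for uri in uris:
            endpoints.append((priority, types, uri))
    endpoints.sort(key=lambda e: e[0])
    return endpoints


def endpoint_is_secure(uri):
    """True only if the relying party would reach this endpoint over TLS."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc)


def audit_discovery(xrds_text):
    """Return the endpoint URIs the relying party would contact over plain HTTP.

    Only <URI> values are checked. The <Type> identifiers are also http:
    URIs, but they are compared as opaque strings and never fetched, so
    flagging them would be a false positive.
    """
    return [uri for _, _, uri in extract_endpoints(xrds_text)
            if not endpoint_is_secure(uri)]


def select_endpoint(xrds_text):
    """Pick the highest-priority endpoint that passes the HTTPS check, or None.

    Skipping the insecure entry rather than following it and hoping for a
    302 to HTTPS is what keeps the downgrade from ever hitting the wire.
    """
    for _, _, uri in extract_endpoints(xrds_text):
        if endpoint_is_secure(uri):
            return uri
    return None


if __name__ == "__main__":
    for uri in audit_discovery(SAMPLE_XRDS):
        print("plain-HTTP endpoint advertised:", uri)
    print("endpoint the relying party should use:", select_endpoint(SAMPLE_XRDS))
```

Run against the constructed document, the audit reports the http: endpoint and the selector falls through to the https: one; with a provider that advertises only plain-HTTP endpoints, `select_endpoint` returns `None`, which is the point at which a relying party should refuse to continue rather than issue the unencrypted discovery request.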


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
