Issue 1454: Disable (or manage) openid4java's discovery result cache
Status:  Released
Owner: ----
Closed:  Mar 2013
Reported by foxyblo...@hotmail.com, Jun 22, 2012
Affected Version: 2.3

What steps will reproduce the problem?

0. Do not restart Gerrit during the whole procedure.
1. Set up an OpenID identity through delegation to a provider
    For example, add these two lines to an HTML webpage's <head>:

        <link rel="openid2.provider" href="http://www.myopenid.com/server"/>
        <link rel="openid.server" href="http://www.myopenid.com/server" />
        <link rel="openid2.local_id" href="http://youraccount.myopenid.com/"/>
        <link rel="openid.delegate" href="http://youraccount.myopenid.com/" />

2. For the sake of the example, assume the above setup identity (URL of the webpage) is http://example.org/doe
3. Log in at an OpenID-enabled Gerrit installation with identity http://example.org/doe
4. Log out from Gerrit
5. Change the delegation to another provider
    E.g. replace the above lines by:

        <link rel="openid2.provider" href="http://www.livejournal.com/openid/server.bml" />
        <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml" />
        <link rel="openid2.local_id" href="http://yourotheraccount.livejournal.com/"/>
        <link rel="openid.delegate" href="http://yourotheraccount.livejournal.com/" />

6. Wait for 5 minutes (or, if configured differently, the value of cache.openid.maxAge).
7. Log in at the same Gerrit with identity http://example.org/doe

What is the expected output?

Gerrit redirects to the second provider (livejournal in the example) for authentication.

What do you see instead?

Gerrit redirects to the first provider (MyOpenID in the example) for authentication.


Please provide any additional information below.

openid4java caches the answers to OpenID discovery (GET and HEAD) indefinitely in memory (no cache TTL/timeout!), unless this is disabled (or a TTL explicitly configured). As Gerrit does its own caching, please disable the openid4java cache, or alternatively manage it in sync with the Gerrit cache (same TTL, and "gerrit flush-caches --cache openid" should purge the openid4java cache, too).

See class HttpCache in openid4java source code.
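
The layering described in this report, as an added example that is not part of the original issue and is neither Gerrit nor openid4java code: an outer cache with a 5-minute maxAge sits on top of an inner cache, and the result of steps 3 to 7 depends on whether the inner cache ever expires. The class and method names are hypothetical, the clock is faked, and the "published" field is a constructed stand-in for the delegation page.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

/** Model of the two cache layers in this report; all names are hypothetical. */
public class LayeredDiscoveryCache {
    // Constructed stand-in for the delegation page at http://example.org/doe.
    static String published = "http://www.myopenid.com/server";
    static long now = 0; // fake clock in seconds, so the run is deterministic

    /** Cache whose entries expire after maxAge seconds; maxAge < 0 means never. */
    static class Cache {
        private final Map<String, String> value = new HashMap<>();
        private final Map<String, Long> storedAt = new HashMap<>();
        private final long maxAge;
        private final Function<String, String> loader;
        Cache(long maxAge, Function<String, String> loader) {
            this.maxAge = maxAge;
            this.loader = loader;
        }

        String get(String id) {
            Long t = storedAt.get(id);
            boolean fresh = t != null && (maxAge < 0 || now - t < maxAge);
            if (!fresh) { // miss or expired: ask the next layer down
                value.put(id, loader.apply(id));
                storedAt.put(id, now);
            }
            return value.get(id);
        }
    }

    /** Runs steps 3 to 7 of the report against an inner cache with the given TTL. */
    static String providerAfterChange(long innerMaxAge) {
        published = "http://www.myopenid.com/server";
        now = 0;
        Cache inner = new Cache(innerMaxAge, id -> published); // HTTP-level cache
        Cache outer = new Cache(300, inner::get);              // application cache, 5 min
        outer.get("http://example.org/doe");                   // step 3: first login
        published = "http://www.livejournal.com/openid/server.bml"; // step 5
        now = 301;                                             // step 6: outer entry expired
        return outer.get("http://example.org/doe");            // step 7: second login
    }

    public static void main(String[] args) {
        System.out.println("inner never expires: " + providerAfterChange(-1));
        System.out.println("inner TTL = outer:   " + providerAfterChange(300));
    }
}
```

With an inner cache that never expires, the second login still resolves to the first provider even though the outer entry has aged out; with matching TTLs it resolves to the provider currently published.
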
Mar 28, 2013
#1 sop@google.com
Gerrit no longer caches OpenID data itself.

If openid4java is caching... they need to fix the @!*(@(! APIs because it's non-obvious how Gerrit should configure openid4java's caching code to not cache. Looks like I need to replace the ConsumerManager. Applications shouldn't need to rewrite openid4java's configuration wiring in order to make a simple change like fixing their default caching bugs.
Status: Released
Labels: FixedIn-2.1.4