Janrain Engage Social Login Issue Preventing Login to Drupal 6 Website

We are trying to set up social log in to a Drupal site using the Janrain module with a Janrain Engage Pro account.

The Janrain Application Domain is: https://secure.addmysupport.com
It should be noted that Drupal has been configured as a multi-site installation.

The main domain is www.addmysupport.com
One example subdomain is: animalrescue.addmysupport.com

Further details:

1. Drupal 6.26
2. Drupal Janrain Engage module version: 6.x-2.2
3. We do have Token installed and enabled.
4. We have whitelisted the main site domain in the Janrain panel, plus wildcard subdomains
5. The Engage Login feature has never worked since deployment.

The problem is that when attempting to login via Facebook, we land on the following: http://animalrescue.addmysupport.com/user/login?destination=/rpx/token_h...

This page states:-
"You need a token to be here!-
Access denied. You must login to view this page."

The login process, up to the above point, seems to work correctly i.e. it asks for provider permissions if necessary etc. The page gets directed to the Janrain Application Domain: https://secure.addmysupport.com?loc=xxxWhere loc=xxx appears to be a token.

This then redirects to the login failed page detailed above.

Facebook logins are working in the Test Sign-In Widget at https://rpxnow.com/relying_parties/secure.addmysupport.com/test, which rules out a configuration issue with the identity provider

We would appreciate it if you could provide some assistance with this.

Comments

geokat’s picture

Unfortunately, this module has never been tested with multi-site
Drupal and it may or may not work with such.

I ran a trace against your site and it looks like Drupal multi-site
redirects POST requests to the token URL by returning 302, which
results in the browser issuing a GET request to the same URL with the
parameters (including the token) stripped (hence the "You need a token
to be here" error message).

I suspect there could be a setting in the Drupal multi-site configuration
which would disable those redirects. Can you try? If there isn't one, we can
turn this report into a feature request.

Thanks,
George

addmysupport’s picture

"I ran a trace against your site and it looks like Drupal multi-site
redirects POST requests to the token URL by returning 302, which
results in the browser issuing a GET request to the same URL with the
parameters (including the token) stripped (hence the "You need a token
to be here" error message)."

If this is the cause would this also be the reason Janrain Engage does not work on the core site - www.addmysupport.com ?

Thanks
Chris

addmysupport’s picture

I have tested our Janrain account against a clone of our original site before we created the multisite configuration.

Exactly the same error messages and responses were received on this single test site.

This test was running on http://95.138.185.35 (since taken offline)

I have also tested with configuration setting from Basic and Pro accounts - both generate the same response.

I don't believe the cause of this issue is related to the multisite configuration - i think this test proves that.

However, could the same issue about

[Our sites] redirect POST requests to the token URL by returning 302, resulting in the browser issuing a GET request to the same URL with the parameters (including the token) stripped (hence the "You need a token to be here" error message).

still be the cause... but not be related to multisite?

Thanks
Chris

geokat’s picture

However, could the same issue about

[Our sites] redirect POST requests to the token URL by returning 302, resulting in the browser issuing a GET request to the same URL with the parameters (including the token) stripped (hence the "You need a token to be here" error message).

still be the cause... but not be related to multisite?

OK, I see the same issue with your core site. There's something weird with your Drupal installation - any GETs or POSTs to the rpx token handler URL (created by this module) are redirected. You can see it for yourself by visiting www.addmysupport.com/rpx/token_handler. You can also compare the behaviour with the demo site by visiting http://drupal7.janraindemo.com/rpx/token_handler (notice that there's no redirect).

Perhaps some 3rd party module you have installed causes those redirects for requests to non-core drupal endpoints?

geokat’s picture

I also noticed that all redirects are to http://www.addmysupport.com/user/login. That would suggest that some setting (or module) within drupal requires the user to be logged in before letting them access the /rpx/token_handler endpoint.

geokat’s picture

I checked again, looks like the redirect happens because the module issues "access denied" if there's no token.
Anyway, can you try turning off any 3rd party modules that change the login/permissions subsystems of Drupal? Does this fix the problem?

geokat’s picture

Also, can you check the drupal error log right after a failure to sign in, to see if there are any error messages from 'rpx' or 'rpx_core'?

addmysupport’s picture

Hi,

I have disabled module "Redirect 403 to User Login" on the animalrescue.addmysupport.com site.

http://animalrescue.addmysupport.com/rpx/token_handler now behaves like the demo site.

But login with Janrain fails. (see attachment)

No new error log from rpx or rpx_core - only the attached (as previously reported)

I have only changed it (and tested it) on this site not the core site yet.

Please note - through the janrain official ticket i provided admin access to this (animalrescue) site. Please take a look at the setting yourself if useful.

I will investigate further but please can you let me know your thoughts.

Is it possibly worth testing on core site or do i need to clear any additional caches or reset APIs
(i don't recognise the referrer loc=XXX in the error message)

Thanks
Chris

geokat’s picture

Chris, I just sent you a private message.

addmysupport’s picture

This appears to be caused by our sites use of the "Content Profile" module. (found by disabling modules in turn.)

Disabling "Content Profile User Registration" removed the "You need a token to be here!" message and signed the user in successfully (creating a new user account)

However no profile is created for the newly signed in user (as this has been disabled)

I now need to find a way to resolve this.

I have seen a few patches and other user suggestions - but would appreciate some help from the Janrain team on this issue.

Thanks
Chris

geokat’s picture

Category: bug » feature
Priority: Major » Normal
Status: Active » Closed (duplicate)

Chris,

When it comes to other modules modifying the standard Drupal login flow, the Janrain Engage module usually needs to have built-in support for them. Unfortunately, it hasn't been updated to support the Content Profile module and is incompatible with it at this moment.

I'm marking this as a clone of the Content Profile feature request ticket:
http://drupal.org/node/1197012

George

mgriego’s picture

I don't think this issue is actually a clone of the Content Profile issue. We've run into this issue on our site.

I was able to track down the issue to the rpx_token_handler() function *blindly* setting the destination= query string when it redirects to the user/register page. Here's the scenario:

* User navigates to /user/login page.
* NEW user logs in via WordPress.com credentials
* WordPress.com does NOT provide email address (like some other providers), so the user is redirected to the user/register page to complete the registration process.
* Once the user fills in the email address and submits the form, user is redirected to the rpx/token_handler page with the "You need a token to be here!" message, BUT the user IS successfully logged in, they've just been incorrectly redirected back to rpx/token_handler.

The culprit is this code here near the end of the rpx_token_handler() function:

        $dest = drupal_get_destination();
        unset($_REQUEST['destination']);
        drupal_goto('user/register', $dest);

This code ASSUMES that the destination= query string will always be set when the login form is used. This is not a valid assumption. In fact, only the login *block* forces the setting of the destination query string. If a site doesn't use the login block, then the destination query string is likely to not be set. If the destination query string is NOT set, then drupal_get_destination() will *rightfully* return the CURRENT page(ie $_GET['q']), which, when this code is being executed, is the rpx/token_handler page. So, the destination string is being set to rpx/token_handler in this case. Once the registration has completed, the user is sent back to the token_handler, this time WITHOUT a token. They're logged in, but the redirect has kicked in.

The destination query string should never be set to rpx/token_handler. The proper way to handle this is to check to see if $_REQUEST['destination'] has a value BEFORE blindly setting it to something incorrect. Indeed, we worked around this issue by patching this section of code to look like this:

        if (!empty($_REQUEST['destination'])) {
          $dest = drupal_get_destination();
          unset($_REQUEST['destination']);
          drupal_goto('user/register', $dest);
        } else {
          drupal_goto('user/register');
        }

The above should allow the rpx module to play more nicely with other modules that may also alter the login flow... It definitely fixed our issues.