A little more technical explanation of what we’re seeing.
The authentication flow uses OpenID Connect; when you click “Log On” in the forums, it redirects to the IdP (Identity Provider) at id.opensuse.org - part of what is included in the flow is that the software requesting authentication sends what’s called a “redirect URI” value so the IdP knows where to return to when the authentication has been completed.
The client provides this information to the IdP - the IdP compares it to a list of valid redirect URIs (which can actually include wildcards), but the IdP doesn’t actually know where to return any specific request to.
As part of the processing, there’s a transaction ID that’s used to track information related to the authentication transaction, and that redirect URI is stored in memory and/or in a temporary database table. After you’ve clicked the login button on the login form, the system retrieves the redirect URI from where it stored it, and uses that to tell the browser where to return to.
For some reason (which is what we’re trying to figure out), the value that’s being sent back post-authentication is pointing to src.opensuse.org - a gitea instance. When the browser is sent back to the redirect URI, it’s also provided with a code that the originating application (the “relying party” in OIDC terms) uses to authenticate to the software.
The 500 error is coming up at src.opensuse.org because it never requested an authorization code on behalf of the user. It’s the forums that did, and gitea has no idea what the authorization code that came back is for. (The OIDC flow is actually called an “authorization code” or “code” flow)
In looking at traces of the issue yesterday while I was able to reproduce it, the first time src.opensuse.org comes up in the trace is as part of the reply from the IdP after authentication takes place. The protocol spec says that the client (web browser, in this instance) provides that info, so that’s what’s leading us to think that it’s related to a lookup to retrieve the information that was previously stored from earlier in the transaction.
It seems that the issue is at the IdP; we’ve got a couple of possible ideas as to what it might be, but we need more data (ie, more failures) to see in the logs what’s happened.
The reason that opening another tab (or going back) works is that the IdP has already issued its authorization token, so when you click “Log On” a second time here in the forums, you don’t have to reauthenticate with the IdP, and it just bounces back with the existing token, straight to the redirect URI the browser provided. That second attempt should, therefore, always work (unless you clear cookies, close the browser with cookie clearing turned on in the browser settings, or wait long enough for the lifetime of the token to expire).
Probably more info than anyone wanted about the issue…but that’s what we’re looking into - and why it’s probably going to take some time to resolve. These types of intermittent issues are a real challenge to troubleshoot.