OIDC state cookie cannot be read by another JVM in collective w/ social login TS004966274 #15987

Closed
barbj opened this issue Feb 19, 2021 · 1 comment · Fixed by #16150
Labels
bug This bug is not present in a released version of Open Liberty release:21004 team:Security SSO

Comments


barbj commented Feb 19, 2021

Describe the bug
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut E CWWKS1745E: The WASOidcCode cookie [ITSASTRING_1xtpZwgG8vF7d0XMeAEvBmeGzPAegfSptO4GP72tObA=] in the request to the OpenID Connect client [xxx] is not valid. Its value might have been modified.

Steps to Reproduce

  1. Configure OIDC with the socialLogin-1.0 feature (oidcLogin) in a collective w/o session affinity
  2. Initial request goes to JVM1
  3. Callback from OP goes to JVM2
  4. JVM2 fails to validate the state cookie and the login fails

Expected behavior
JVM2 can read and process the state cookie

Diagnostic information:

  • OpenLiberty Version: 21.0.0.1
  • Java Version:
  • server.xml configuration:
    <oidcLogin id="w3id_oidc_auth" displayName="w3_OIDC_Login" clientId="xxx" clientSecret="xxx" authorizationEndpoint="https://login.com/oidc/endpoint/default/authorize" tokenEndpoint="https://login.com/oidc/endpoint/default/token" jwksUri="https://login.com/oidc/endpoint/default/jwks" issuer="https://login.com/oidc/endpoint/default" scope="openid profile email" userNameAttribute="email" authFilterRef="w3_oidcAuthFilter"/>

Additional information:
This issue was reported with OIDC configured via social login (oidcLogin). This does not happen with the OIDC RP configured via the openidConnectClient-1.0 feature (openidConnectClient).

Trace snip:
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut > validateReqParameters Entry
com.ibm.ws.security.social.internal.OidcLoginConfigImpl@1b36348e
{}
ITSASTRING_1xtpZwgG8vF7d0XMeAEvBmeGzPAegfSptO4GP72tObA=
[2/15/21 2:32:56:282 CST] 00000072 OidcClientUti > calculateOidcCodeCookieValue Entry
ITSASTRING
com.ibm.ws.security.social.internal.OidcLoginConfigImpl@1b36348e
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo > getClientSecret Entry
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo < getClientSecret Exit
<sensitive java.lang.String@b184e960>
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo > getClientSecret Entry
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo < getClientSecret Exit
<sensitive java.lang.String@b184e960>
[2/15/21 2:32:56:282 CST] 00000072 OidcClientUti < calculateOidcCodeCookieValue Exit
ITSASTRING_aTT7rHRKFKpjpcYIuXS9bk+9AvDUbdWBZxwgfICnDVo=
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut 3 The value for the OIDC state cookie [WASOidcCode] failed validation.
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut < validateReqParameters Exit
false
[2/15/21 2:32:56:282 CST] 00000072 ProviderAuthe > Entry
SEND_401
401
[2/15/21 2:32:56:282 CST] 00000072 ProviderAuthe < Exit
com.ibm.ws.webcontainer.security.ProviderAuthenticationResult@f775020f
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo > getClientId Entry
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo < getClientId Exit
YmFiYWZhMzQtNzJkMC00
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut E CWWKS1745E: The WASOidcCode cookie [ITSASTRING_1xtpZwgG8vF7d0XMeAEvBmeGzPAegfSptO4GP72tObA=] in the request to the OpenID Connect client [xxx] is not valid. Its value might have been modified.

@barbj barbj added bug This bug is not present in a released version of Open Liberty team:Security SSO labels Feb 19, 2021
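The failure described in the steps above (cookie issued by JVM1, rejected by JVM2 when the OP callback lands on a different collective member) is the classic symptom of an integrity-protected cookie whose MAC key is not shared across instances. The following Python model is an added example, not Open Liberty's code and not the fix from #16150: it only borrows the `<state>_<base64 MAC>` cookie shape visible in the trace. The HMAC construction, the class names, the `key_mode` switch and the sample values are all assumptions constructed for the demonstration. It shows that a key derived from per-instance material fails validation on any other member, while a key derived solely from configuration every member shares (here the client secret, which the trace shows being consulted) validates anywhere and still rejects a tampered value.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values (not taken from a real deployment).
STATE = "ITSASTRING"
SHARED_CLIENT_SECRET = "constructed-client-secret"


class OidcClientInstance:
    """Hypothetical model of one JVM hosting the OIDC client (not Liberty code)."""

    def __init__(self, client_secret: str, key_mode: str):
        if key_mode == "per-instance":
            # Key material generated at startup and never shared: every
            # member of the collective ends up with a different key.
            self.key = secrets.token_bytes(32)
        elif key_mode == "shared-config":
            # Key derived only from configuration every member has, so
            # identical server.xml yields an identical key on each JVM.
            self.key = hashlib.sha256(client_secret.encode("utf-8")).digest()
        else:
            raise ValueError(f"unknown key_mode: {key_mode}")

    def _mac(self, state: str) -> str:
        digest = hmac.new(self.key, state.encode("utf-8"), hashlib.sha256).digest()
        return base64.b64encode(digest).decode("ascii")

    def issue_state_cookie(self, state: str) -> str:
        """Value written to the state cookie on the initial request."""
        return f"{state}_{self._mac(state)}"

    def validate_state_cookie(self, cookie: str) -> bool:
        """Check the cookie presented on the OP callback; False means CWWKS1745E-style rejection."""
        state, sep, mac = cookie.partition("_")
        if not sep:
            return False
        # Constant-time comparison so the check does not leak MAC bytes via timing.
        return hmac.compare_digest(mac, self._mac(state))


def cross_member_login(key_mode: str, client_secret: str = SHARED_CLIENT_SECRET) -> bool:
    """Initial request on JVM1, OP callback on JVM2; returns whether JVM2 accepts the cookie."""
    jvm1 = OidcClientInstance(client_secret, key_mode)
    jvm2 = OidcClientInstance(client_secret, key_mode)
    cookie = jvm1.issue_state_cookie(STATE)
    return jvm2.validate_state_cookie(cookie)


def tampered_cookie_login(key_mode: str = "shared-config") -> bool:
    """Same flow, but the MAC portion is altered in transit; must be rejected on JVM2."""
    jvm1 = OidcClientInstance(SHARED_CLIENT_SECRET, key_mode)
    jvm2 = OidcClientInstance(SHARED_CLIENT_SECRET, key_mode)
    state, sep, mac = jvm1.issue_state_cookie(STATE).partition("_")
    flipped = ("B" if mac[0] != "B" else "C") + mac[1:]
    return jvm2.validate_state_cookie(f"{state}{sep}{flipped}")


if __name__ == "__main__":
    print("per-instance key, callback on other JVM:", cross_member_login("per-instance"))
    print("shared-config key, callback on other JVM:", cross_member_login("shared-config"))
    print("shared-config key, tampered cookie:", tampered_cookie_login())
```

In a real deployment the shared key would come from the server's configured secret store rather than being hashed directly from the client secret as in this model; the point is only that any key material the MAC depends on must be identical on every member that can receive the callback, or session affinity must guarantee the callback returns to the issuing JVM.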

barbj commented Mar 4, 2021

@ayoho The cookie fix worked, so this is ready to go.
