Describe the bug
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut E CWWKS1745E: The WASOidcCode cookie [ITSASTRING_1xtpZwgG8vF7d0XMeAEvBmeGzPAegfSptO4GP72tObA=] in the request to the OpenID Connect client [xxx] is not valid. Its value might have been modified.
Steps to Reproduce
Configure OIDC with the socialLogin-1.0 feature (oidcLogin) in a collective w/o session affinity
Initial request goes to JVM1
Callback from OP goes to JVM2
JVM2 fails to validate the state cookie and the login fails
Expected behavior
JVM2 can read and process the state cookie
Additional information:
This issue was reported with OIDC configured via social login (oidcLogin). This does not happen with the OIDC RP configured via the openidConnectClient-1.0 feature (openidConnectClient).
Trace snip:
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut > validateReqParameters Entry
com.ibm.ws.security.social.internal.OidcLoginConfigImpl@1b36348e
{}
ITSASTRING_1xtpZwgG8vF7d0XMeAEvBmeGzPAegfSptO4GP72tObA=
[2/15/21 2:32:56:282 CST] 00000072 OidcClientUti > calculateOidcCodeCookieValue Entry
ITSASTRING
com.ibm.ws.security.social.internal.OidcLoginConfigImpl@1b36348e
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo > getClientSecret Entry
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo < getClientSecret Exit
<sensitive java.lang.String@b184e960>
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo > getClientSecret Entry
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo < getClientSecret Exit
<sensitive java.lang.String@b184e960>
[2/15/21 2:32:56:282 CST] 00000072 OidcClientUti < calculateOidcCodeCookieValue Exit
ITSASTRING_aTT7rHRKFKpjpcYIuXS9bk+9AvDUbdWBZxwgfICnDVo=
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut 3 The value for the OIDC state cookie [WASOidcCode] failed validation.
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut < validateReqParameters Exit
false
[2/15/21 2:32:56:282 CST] 00000072 ProviderAuthe > Entry
SEND_401
401
[2/15/21 2:32:56:282 CST] 00000072 ProviderAuthe < Exit
com.ibm.ws.webcontainer.security.ProviderAuthenticationResult@f775020f
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo > getClientId Entry
[2/15/21 2:32:56:282 CST] 00000072 Oauth2LoginCo < getClientId Exit
YmFiYWZhMzQtNzJkMC00
[2/15/21 2:32:56:282 CST] 00000072 OIDCClientAut E CWWKS1745E: The WASOidcCode cookie [ITSASTRING_1xtpZwgG8vF7d0XMeAEvBmeGzPAegfSptO4GP72tObA=] in the request to the OpenID Connect client [xxx] is not valid. Its value might have been modified.
Diagnostic information:
<oidcLogin id="w3id_oidc_auth" displayName="w3_OIDC_Login" clientId="xxx" clientSecret="xxx" authorizationEndpoint="https://login.com/oidc/endpoint/default/authorize" tokenEndpoint="https://login.com/oidc/endpoint/default/token" jwksUri="https://login.com/oidc/endpoint/default/jwks" issuer="https://login.com/oidc/endpoint/default" scope="openid profile email" userNameAttribute="email" authFilterRef="w3_oidcAuthFilter"/>
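As an added illustration of the failure the trace shows (example code, not Liberty's own): a stateless state-cookie check recomputes a MAC from the state carried in the cookie plus a relying-party secret, so a callback landing on a different JVM only validates when every node derives the value from identical inputs. The `<state>_<base64>` layout follows the trace; HMAC-SHA256, the function names and the per-node secret parameters are assumptions.

```python
"""Illustrative model of a stateless OIDC state-cookie check (not Liberty's code).

Assumption: the cookie is `<state>_<base64(MAC over state)>`, keyed with a secret
the relying party holds. The MAC Liberty actually uses is not shown on the page;
HMAC-SHA256 stands in for it here.
"""
import base64
import hashlib
import hmac


def calculate_code_cookie_value(state: str, secret: str) -> str:
    """Value a node sets before redirecting to the OP, and recomputes on callback."""
    mac = hmac.new(secret.encode(), state.encode(), hashlib.sha256).digest()
    # Standard base64 never contains "_", so the last "_" always separates the parts.
    return f"{state}_{base64.b64encode(mac).decode()}"


def validate_code_cookie(cookie: str, secret: str) -> bool:
    """Recompute from the embedded state and compare in constant time."""
    state, sep, _ = cookie.rpartition("_")
    if not sep or not state:
        return False  # malformed cookie: no state / no MAC part
    expected = calculate_code_cookie_value(state, secret)
    return hmac.compare_digest(expected, cookie)


def cross_jvm_callback(jvm1_secret: str, jvm2_secret: str,
                       state: str = "ITSASTRING") -> bool:
    """Model the reported flow: JVM1 sets the cookie, the OP callback hits JVM2.

    The two secrets are constructed inputs; passing the same value to both
    models a correctly shared secret, different values model a node-specific
    input, which produces exactly the mismatch the CWWKS1745E trace records.
    """
    cookie = calculate_code_cookie_value(state, jvm1_secret)   # set on JVM1
    return validate_code_cookie(cookie, jvm2_secret)           # checked on JVM2


if __name__ == "__main__":
    print("shared input across nodes:", cross_jvm_callback("shared-secret", "shared-secret"))
    print("node-specific input:      ", cross_jvm_callback("jvm1-only", "jvm2-only"))
```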