
ERROR: CSRF check failed. This may happen if you opened the login form in more than 1 tabs. Please try to login again. #113

Open
kubeclever opened this issue Apr 27, 2023 · 6 comments
Labels
bug Something isn't working

Comments

@kubeclever

Is this a bug report or feature request?

  • Bug Report

Describe the bug

I have been debugging this issue for many days, but I still cannot fix it. Please help to check it, much appreciated!

The log from the pod oidc-authservice:

time="2023-04-27T07:28:32Z" level=error msg="Failed to verify state parameter: Missing cookie: 'oidc_state_csrf'" context=server ip=192.168.2.5 request="/authservice/oidc/callback?code=vwrb2ivcui775zlkyxx7rt773&state=MTY4MjU4MDQ5M3xOd3dBTkZaUFRVcFpTa0UyVDBzelEwVk5TMWhEVFVSU1NWVmFSMHRaVTBaTFVrTkpTelpZTkRaWU5qWklSRk5ZTWpkTFVGRkpVRUU9fDLENxGlWVyIw3-D963fhK05ekOT8OYqdNJZl43BdD5-"
time="2023-04-27T07:28:50Z" level=warning msg="Missing url parameter: code. Redirecting to homepage `https://authservice.xxx-dev.us.xxx.com/authservice/site/homepage'." context=server ip=192.168.2.5 request=/authservice/oidc/callback
time="2023-04-27T07:45:39Z" level=info msg="Authenticating request..." context=server ip=192.168.2.5 request=/
time="2023-04-27T07:45:39Z" level=info msg="Failed to retrieve a valid session" context="session authenticator" ip=192.168.2.5 request=/
time="2023-04-27T07:45:39Z" level=info msg="Failed to authenticate using authenticators. Initiating OIDC Authorization Code flow..." context=server ip=192.168.2.5 request=/

The log from the pod dex:

time="2023-04-27T07:28:26Z" level=info msg="performing ldap search ou=People,dc=example,dc=org sub (&(|(objectClass=person)(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(mail=kevin.zhang4@xxx.com))"
time="2023-04-27T07:28:26Z" level=info msg="username \"kevin.zhang4@xxx.com\" mapped to entry cn=kevin zhang,ou=People,dc=example,dc=org"
time="2023-04-27T07:28:26Z" level=info msg="performing ldap search ou=Groups,dc=example,dc=org sub (&(objectClass=groupOfNames)(member=cn=kevin zhang,ou=People,dc=example,dc=org))"
time="2023-04-27T07:28:26Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfNames)(member=cn=kevin zhang,ou=People,dc=example,dc=org))\" returned no groups"
time="2023-04-27T07:28:26Z" level=info msg="login successful: connector \"ldap\", username=\"kevin zhang\", preferred_username=\"\", email=\"kevin.zhang4@xxx.com\", groups=[]"
time="2023-04-27T07:49:49Z" level=info msg="performing ldap search ou=People,dc=example,dc=org sub (&(|(objectClass=person)(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(mail=kevin.zhang4@xxx.com))"
time="2023-04-27T07:49:49Z" level=info msg="username \"kevin.zhang4@xxx.com\" mapped to entry cn=kevin zhang,ou=People,dc=example,dc=org"
time="2023-04-27T07:49:49Z" level=info msg="performing ldap search ou=Groups,dc=example,dc=org sub (&(objectClass=groupOfNames)(member=cn=kevin zhang,ou=People,dc=example,dc=org))"
time="2023-04-27T07:49:49Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfNames)(member=cn=kevin zhang,ou=People,dc=example,dc=org))\" returned no groups"
time="2023-04-27T07:49:50Z" level=info msg="login successful: connector \"ldap\", username=\"kevin zhang\", preferred_username=\"\", email=\"kevin.zhang4@xxx.com\", groups=[]"

Configuration:

  • Dex (image: gcr.io/arrikto/dex:v2.30.3-2.0-rc2-13-g3352239f8):

    issuer: https://dex.xxx-dev.us.xxx.com/dex
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556

    connectors:
    - type: ldap
      name: OpenLDAP
      id: ldap
      config:
        # The following configurations seem to work with OpenLDAP:
        #
        # 1) Plain LDAP, without TLS:
        host: ldap.auth.svc.cluster.local:389
        insecureNoSSL: true
        #
        # 2) LDAPS without certificate validation:
        #host: localhost:636
        #insecureNoSSL: false
        #insecureSkipVerify: true
        #
        # 3) LDAPS with certificate validation:
        #host: YOUR-HOSTNAME:636
        #insecureNoSSL: false
        #insecureSkipVerify: false
        #rootCAData: 'CERT'
        # ...where CERT="$( base64 -w 0 your-cert.crt )"

        # This would normally be a read-only user.
        bindDN: cn=admin,dc=example,dc=org
        bindPW: Not@SecurePassw0rd

        usernamePrompt: Email Address

        userSearch:
          baseDN: ou=People,dc=example,dc=org
          filter: "(|(objectClass=person)(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))"
          username: mail
          # "DN" (case sensitive) is a special attribute name. It indicates that
          # this value should be taken from the entity's DN not an attribute on
          # the entity.
          idAttr: DN
          emailAttr: mail
          nameAttr: cn

        groupSearch:
          baseDN: ou=Groups,dc=example,dc=org
          filter: "(objectClass=groupOfNames)"

          userMatchers:
            # A user is a member of a group when their DN matches
            # the value of a "member" attribute on the group entity.
          - userAttr: DN
            groupAttr: member

          # The group name should be the "cn" value.
          nameAttr: cn

    staticClients:
    - id: ldapdexapp
      redirectURIs:
      - 'https://authservice.xxx-dev.us.xxx.com/authservice/oidc/callback'
      name: 'Dex Login Application'
      secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok

  • oidc-authservice (image: gcr.io/arrikto/oidc-authservice:0c4ea9a):

    AUTHSERVICE_URL_PREFIX: https://authservice.xxx-dev.us.xxx.com/authservice/
    CA_BUNDLE: /home/authservice/cert/ca.pem
    GROUPS_ALLOWLIST: a,d,e,system:serviceaccounts
    OIDC_AUTH_URL: https://dex.xxx-dev.us.xxx.com/dex/auth
    OIDC_PROVIDER: https://dex.xxx-dev.us.xxx.com/dex
    OIDC_SCOPES: profile,email,groups
    SKIP_AUTH_URLS: /dex/
    STRICT_SESSION_VALIDATION: "true"

How to Reproduce

  1. I deployed the Istio EnvoyFilter, Dex and oidc-authservice; they are running properly.
  2. I get the window below to log in with my LDAP credentials when I try to access my domain.
     (screenshot)
  3. I get the window below after I enter my username and password.
     (screenshot)
  4. I get the issue shown below when I click the "Grant Access" button in the window above.
     (screenshot)

Expected behavior
A clear and concise description of what you expected to happen.

Config Files
Please provide all the relevant configuration that you can publicly share. This
includes:

  • AuthService configuration.
  • OIDC Provider configuration.

If relevant, upload your configuration files here using GitHub, there is no need
to upload them to any 3rd party services

Logs
Please provide all relevant logs (e.g., AuthService logs , OIDC Provider logs,
etc.)

Environment:

  • AuthService version: (found in image tag)
  • Platform: (GKE, Azure, minikube, custom...)
  • Kubernetes version:

Additional context
Add any other context about the problem here.

@kubeclever kubeclever added the bug Something isn't working label Apr 27, 2023
@kubeclever kubeclever changed the title ERROR: Failed to retrieve a valid session context="session authenticator" ERROR: CSRF check failed. This may happen if you opened the login form in more than 1 tabs. Please try to login again. Apr 27, 2023
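The error in the authservice log above ("Failed to verify state parameter: Missing cookie: 'oidc_state_csrf'") comes from the callback-side half of the OIDC state check: when the login flow starts, the service sets a cookie holding a nonce and sends a matching `state` parameter to Dex; on the callback it requires the cookie back and compares it with the returned `state`. If the browser never sends that cookie to the callback URL, the check fails before the authorization code is even looked at. The following is an added illustration written for this thread, not oidc-authservice's own code: it models the check with an HMAC-bound state value and uses Go's `net/http/cookiejar` as a stand-in for browser cookie scoping, so you can see the three outcomes the thread's messages describe (success, "Missing cookie" when the cookie's path or host does not cover the callback, and a state mismatch when two login tabs overwrite the cookie). The hostnames, paths, cookie attributes and the HMAC key are constructed assumptions; the real service's state encoding and cookie settings may differ.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Cookie name taken from the error message in the logs above.
const stateCookieName = "oidc_state_csrf"

var (
	errMissingCookie = errors.New("missing cookie: '" + stateCookieName + "'")
	errStateMismatch = errors.New("state does not match cookie (login form opened in more than one tab?)")
	errBadState      = errors.New("state parameter malformed or tampered")
)

// stateVerifier binds the OIDC state parameter to a browser cookie.
// The key is a constructed example secret, not a deployment value.
type stateVerifier struct{ key []byte }

func (v stateVerifier) sign(nonce string) string {
	m := hmac.New(sha256.New, v.key)
	m.Write([]byte(nonce))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// newState returns the state value for the authorization redirect and the
// cookie that must come back on the callback. cookiePath is the scope the
// cookie is issued under (assumed here to be the AUTHSERVICE_URL_PREFIX path).
func (v stateVerifier) newState(cookiePath string) (string, *http.Cookie, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	nonce := base64.RawURLEncoding.EncodeToString(raw)
	cookie := &http.Cookie{
		Name: stateCookieName, Value: nonce, Path: cookiePath,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: 300,
	}
	return nonce + "." + v.sign(nonce), cookie, nil
}

// verify is the callback-side check: cookie present, state intact, both equal.
func (v stateVerifier) verify(r *http.Request) error {
	c, err := r.Cookie(stateCookieName)
	if err != nil {
		return errMissingCookie
	}
	parts := strings.SplitN(r.URL.Query().Get("state"), ".", 2)
	if len(parts) != 2 || !hmac.Equal([]byte(parts[1]), []byte(v.sign(parts[0]))) {
		return errBadState
	}
	if !hmac.Equal([]byte(parts[0]), []byte(c.Value)) {
		return errStateMismatch
	}
	return nil
}

// callback builds the IdP redirect to callbackURL carrying state and attaches
// only the cookies a browser (modelled by net/http/cookiejar) would send there.
func callback(v stateVerifier, jar http.CookieJar, callbackURL, state string) error {
	cb, err := url.Parse(callbackURL + "?code=constructed-code&state=" + url.QueryEscape(state))
	if err != nil {
		return err
	}
	req := httptest.NewRequest(http.MethodGet, cb.String(), nil)
	for _, c := range jar.Cookies(cb) {
		req.AddCookie(c)
	}
	return v.verify(req)
}

// SimulateLogin issues the cookie while the browser is at startURL, then
// completes the flow at callbackURL and returns the verifier's verdict.
func SimulateLogin(startURL, callbackURL, cookiePath string) error {
	v := stateVerifier{key: []byte("constructed-example-key")}
	jar, _ := cookiejar.New(nil)
	start, err := url.Parse(startURL)
	if err != nil {
		return err
	}
	state, cookie, err := v.newState(cookiePath)
	if err != nil {
		return err
	}
	jar.SetCookies(start, []*http.Cookie{cookie})
	return callback(v, jar, callbackURL, state)
}

// SimulateTwoTabs starts the flow twice in one browser (the second tab
// overwrites the cookie) and finishes with the first tab's state.
func SimulateTwoTabs(startURL, callbackURL, cookiePath string) error {
	v := stateVerifier{key: []byte("constructed-example-key")}
	jar, _ := cookiejar.New(nil)
	start, err := url.Parse(startURL)
	if err != nil {
		return err
	}
	state1, c1, _ := v.newState(cookiePath)
	_, c2, _ := v.newState(cookiePath)
	jar.SetCookies(start, []*http.Cookie{c1})
	jar.SetCookies(start, []*http.Cookie{c2})
	return callback(v, jar, callbackURL, state1)
}

func main() {
	const host = "https://authservice.example.test" // constructed hostname
	start, cb := host+"/authservice/oidc/start", host+"/authservice/oidc/callback"
	fmt.Println("path covers callback:  ", SimulateLogin(start, cb, "/authservice/"))
	fmt.Println("path excludes callback:", SimulateLogin(start, cb, "/authservice/site/"))
	fmt.Println("cookie set on other host:", SimulateLogin("https://app.example.test/authservice/oidc/start", cb, "/authservice/"))
	fmt.Println("two login tabs:        ", SimulateTwoTabs(start, cb, "/authservice/"))
}
```

When diagnosing a report like this one, the useful question is therefore not whether the state parameter arrived (it did, per the first log line) but why the browser dropped the cookie: compare the host and path the `Set-Cookie` was issued under with the host and path of the callback request, and check whether any intermediate redirect crosses a hostname boundary, since a host-only cookie set on one name is never sent to another.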
@nicolovergaro

I have the same issue, were you able to solve it?

@zhangqiongjie

@nicolovergaro
I used the service gatekeeper instead, and it worked for me.
Refer to: https://github.com/gogatekeeper/gatekeeper

@solomem

solomem commented Aug 16, 2023

I have the same issue in cloud9 deployment

@ReggieCarey

I'm experiencing the same issue. Is there any indication as to what's going on and how to resolve it? OIDC-AuthService appears to function for cases where the URLs are relative (like /authservice/ and /auth/) but broken if hostnames are specified - at least that's how it "looks" to me.

There was mention of needing to set cookie-domain but I do not know where this can be set (is it in the ConfigMap?)

@RakeshRaj97

RakeshRaj97 commented Feb 19, 2024

Experiencing the same with OIDC-Authservice in Kubeflow. Any updates on this issue?

@dongsupkim-onepredict

dongsupkim-onepredict commented Mar 6, 2024

CSRF check failed.
oidc-authservice log output

image: docker.io/kubeflowmanifestswg/oidc-authservice:e236439

level=error msg="Failed to verify state parameter: Missing cookie: 'oidc_state_csrf'"
