Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

state from argument does not match state restored from session #112

Closed
LuanP opened this issue Mar 14, 2019 · 3 comments
Closed

state from argument does not match state restored from session #112

LuanP opened this issue Mar 14, 2019 · 3 comments

Comments

@LuanP
Copy link

LuanP commented Mar 14, 2019

Hi,

I'm facing an issue when I follow the steps:

  1. Access a protected route
  2. I'm redirected to the login page
  3. Open new tab
  4. Access a protected route
  5. I'm redirected to the login page
  6. Go to the first opened tab
  7. Type user credentials and perform the login
  8. I'm redirected to the callback URL with the message "state from argument: xxx does not match state restored from session: xxx"

Although, the user is logged in (if I try accessing a protected route again, it works normally).

2019/03/14 23:39:44 [error] 120#0: *15122 [lua] openidc.lua:1042: authenticate(): state from argument: e308653d5e92e20a9b93d884c0578cf0 does not match state restored from session: d24508a745b72ca268f972c18989845d, client: 172.18.0.1, server: kong, request: "GET /backend/callback?code=eb17492643e14a1d9e3625a602fbd5d5&state=e308653d5e92e20a9b93d884c0578cf0&session_state=36fe60501ebbb9a1cd2749e335121a979318447160b4929fe91aa3ee152cb0bd.c9e1dfcb9a191e79d9967ff806a4c674 HTTP/1.1", host: "localhost:8000", referrer: "http://localhost:8000/login/?next=/openid/authorize%3Fresponse_type%3Dcode%26client_id%3D227868%26state%3De308653d5e92e20a9b93d884c0578cf0%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8000%252Fbackend%252Fcallback%26nonce%3Dc89e407690370d562576559007a5eb18%26scope%3Dopenid"

Is there someone with the same issue?

Can you help me with that?

Extra info:

  • I'm using a django app as the provider with the django-oidc-provider library
  • I have fixed the session_secret after reading some other issues here (login/logout works normally, it's just this unusual scenario for what I could notice)

Thanks a lot,

Kind regards.
@zandbelt
Copy link

This is caused by the behavior of lua-resty-openidc and a consequence of a design decision made there, i.e. to start a (single) session to track the user even before authentication actually occurred. So the secondly started request eclipses/overwrites the first request. @bodewig I don't think we will change that, thus we will not support this scenario, agreed? (e.g. mod_auth_openidc handles this scenario with per-request state cookies which end up creating their own difficulties)

@LuanP
Copy link
Author

LuanP commented Mar 15, 2019

Hi @zandbelt,

Thanks a lot for the fast reply.

I know it's a specific scenario with a weird but possible user behavior.

In case you know some workaround for that issue without having to implement a different RP, that'd be great.

Thanks again for taking the time to explain that.

@LuanP
Copy link
Author

LuanP commented Mar 29, 2019

A workaround for that was to set the recovery_page_path to the homepage.

@LuanP LuanP closed this as completed Mar 29, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zandbelt @LuanP