Error 500 after the successful authentication after waiting a couple of min on the login page. #226
As it says here:
the state that correlates requests and responses has expired. The default for the lifespan of that state (cookie) is 5 minutes; you can tweak the setting with

I understand you, but … I also understand that probably it is not a bug of mod_auth_openidc but probably a problem of the OIDC protocol. In the use case described above, after the successful authentication users can do nothing:
Users can only close the browser and open a new browser session.

Agreed, and that is (almost) how it should work now: the state should have been deleted and the user should be able to go to the original URL and restart the process. It looks like the state cookie is correctly deleted, so the user should just be able to restart the process. Doesn't that work for you?

In my case it does not happen. Reloading the URL does not help; it remains on the same Error 500 page. BTW, from my point of view it is OK if mod_auth_openidc redirects to some specific HTTP error page (that is possible to configure in the configuration).

What you can do is set

I continued to investigate the issue. The best would be if mod_auth_openidc_session is cleared in case of this error and the authentication process is started once again.

The session cookie doesn't need to be cleared, it is just invalid. OIDCDefaultURL doesn't need to be protected, but if it is it will restart authentication.

No, the mod_auth_openidc_session cookie is valid.

So if you have a valid session, why would you try to authenticate again?

The use case is very problematic:
One of the following should happen:

I cannot parse this: "it does not successful" vs. "it does not fails", and I believe setting OIDCDefaultURL would give you a way out of the current situation. Moreover, if you really think that waiting more than 5 minutes on a login page should be acceptable, then just increase OIDCStateTimeout. I see the following issue myself: upon encountering an expired state cookie, there should be more information presented to the user than there is right now. I won't go as far as automatic restart since

OK, I agree with you that the authentication process should not be started once again. The RP should redirect to OIDCErrorHandlingURL in case of any authorization / state / other problems.

My point is that OP-initiated SSO is not standardized and literally not used/deployed anywhere. Hence your easy way out today is to use
An error URL/template exists already, that can also be customized:
And unless I still misunderstand you: the user is able to restart the authentication process today by clicking a bookmark or retyping the URL to the application; there's just not an easy way to do that from the error page, which comes back to the error message displayed.

To start the authentication process a user should log out first. It will solve the issue.

No, if the user still has a valid session there's no need to log out. If the user doesn't have a valid session, the authentication flow will be restarted when the application is accessed. There's no need to remember a logout URL; there's only a need to remember/bookmark an application URL, which is how the user got to the application the first time as well.

But it is very, very, very unclear why after the successful authentication a user needs to press some bookmark. The following message is much, much clearer:

Yes, that's what I proposed.
Hi,
I use mod_auth_openidc version "2.1.2" and Keycloak version “2.5.1”.
When I open the protected application I am redirected to the IDP for authentication:
https://server_ip/protected/redirect_uri?state=ZdTYbRr_NPCfn1_XfCk0kwM2K90&code=tnmBxsVj97hdhwAYdpKoNjmJGvRdi0DxeMc2lFwaQFw.dc51e496-fc56-4d21-aa84-2ee0fff35f15
I wait a couple of minutes and provide the correct user name and password.
After the successful authentication I get Error 500.
The errors from ssl_error_log are below.
The full debug log and metadata are attached: WaitOnLogin.zip, matadata.zip
[Thu Feb 09 19:49:10 2017] [error] [client client_ip] oidc_restore_proto_state: state has expired, referer: https://server_ip/auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=httpd_server_ip&state=ZdTYbRr_NPCfn1_XfCk0kwM2K90&redirect_uri=https%3A%2F%2Fserver_ip%2Fprotected%2Fredirect_uri&nonce=56Y-arBTQ1a-bw5VMDvALKIrsirDUEB7ElyAXRMyfUk
[Thu Feb 09 19:49:10 2017] [error] [client client_ip] oidc_authorization_response_match_state: unable to restore state, referer: https://server_ip/auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=httpd_server_ip&state=ZdTYbRr_NPCfn1_XfCk0kwM2K90&redirect_uri=https%3A%2F%2Fserver_ip%2Fprotected%2Fredirect_uri&nonce=56Y-arBTQ1a-bw5VMDvALKIrsirDUEB7ElyAXRMyfUk
[Thu Feb 09 19:49:10 2017] [error] [client client_ip] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error..., referer: https://server_ip/auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=httpd_server_ip&state=ZdTYbRr_NPCfn1_XfCk0kwM2K90&redirect_uri=https%3A%2F%2Fserver_ip%2Fprotected%2Fredirect_uri&nonce=56Y-arBTQ1a-bw5VMDvALKIrsirDUEB7ElyAXRMyfUk
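The mechanism this thread turns on (a random state value that ties the authorization response back to the request that started it, a cookie holding that state which expires after 5 minutes by default, and a default URL as the fallback when the check fails) can be modelled in a few lines. The block below is an added example written for this page, not mod_auth_openidc's own code: the RelyingParty class, the single state cookie, the FakeClock and the dictionary results are assumptions made for illustration, and the 300-second lifetime is the default quoted in the discussion.

```python
"""
Added example (not mod_auth_openidc code): a small model of the OIDC 'state'
round trip discussed in this issue. The relying party (RP) generates a random
state, stores it in a short-lived cookie, sends it to the OpenID Provider (OP)
in the authorization request, and on the callback requires an unexpired cookie
whose value matches the state in the response. The default_url fallback models
the "default SSO URL" the log line mentions. Class and cookie names are
assumptions made for this illustration.
"""
import hmac
import secrets
import time

STATE_LIFETIME = 300  # seconds; the default state cookie lifespan quoted in the thread


class FakeClock:
    """Controllable clock so the expiry path can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class RelyingParty:
    def __init__(self, default_url=None, now=time.time):
        self.default_url = default_url  # where to send the browser when the state check fails
        self.now = now
        self.cookies = {}               # simulated browser cookie jar: name -> (value, expires_at)

    def start_login(self):
        """Issue a fresh state, remember it in a cookie, and return it for the
        authorization request. Each new login attempt replaces the previous state."""
        state = secrets.token_urlsafe(20)
        self.cookies["state"] = (state, self.now() + STATE_LIFETIME)
        return state

    def handle_callback(self, state, code):
        """Process the authorization response (redirect_uri?state=...&code=...)."""
        # The state cookie is one-shot: it is consumed whether or not the check
        # passes, which is why reloading the callback URL cannot succeed.
        entry = self.cookies.pop("state", None)
        if entry is None:
            return self._failure("unable to restore state")
        value, expires_at = entry
        if self.now() > expires_at:
            return self._failure("state has expired")
        if not hmac.compare_digest(value, state):
            return self._failure("state mismatch")
        # Only a matching, unexpired state lets the RP go on to exchange the code.
        return {"status": 200, "code": code}

    def _failure(self, reason):
        """Without a default URL the user is shown an error (the 500 in this
        issue); with one, the browser is redirected there and accessing the
        application starts a fresh login with a new state."""
        if self.default_url:
            return {"status": 302, "location": self.default_url, "reason": reason}
        return {"status": 500, "reason": reason}


def demo():
    """Replay the scenario from the report with a fake clock: a prompt login
    succeeds, a login completed after the state lifetime fails, and reloading
    the same callback URL fails again because the cookie is already gone."""
    clock = FakeClock(1000.0)
    rp = RelyingParty(now=clock)
    state = rp.start_login()
    clock.advance(60)                    # user signs in within a minute
    prompt = rp.handle_callback(state, "code-1")
    state = rp.start_login()
    clock.advance(STATE_LIFETIME + 1)    # user waited too long on the login page
    late = rp.handle_callback(state, "code-2")
    reload = rp.handle_callback(state, "code-2")
    return prompt, late, reload


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run as a script it prints the three outcomes in order: a 200 for the prompt login, a 500 with "state has expired" for the late one, and a 500 with "unable to restore state" for the reload, matching the sequence of errors in the ssl_error_log above. Constructing the RP with a default_url turns both failures into a 302 to that URL, which is the behaviour the maintainer points to when suggesting OIDCDefaultURL as the way back into the flow.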