state timeout exceeded error screen problems on CentOS #467

zandbelt commented Feb 19, 2020

There are three problems on the error screen when OIDCStateTimeout is exceeded.
I think these are probably bugs; can you comment?

Problems:
1. The HTTP body part when the OIDCStateTimeout error occurs is duplicated (mod_auth_openidc error page + Apache 500 error page), and the Content-Length is only the size of the first half of the content. (See Network capture.)
2. The HTTP header shows 200 status, but Apache's access_log shows 500 status, and the 500 error content is added to the response. (See access_log and Network capture.)
3. Since the Content-Length does not match the actual body size, an error screen may not be displayed correctly when passing through some load balancers (ELB) using IE and Chrome.
My environment:
- CentOS 7
- Keycloak: 6.0.1
- Apache: httpd-2.4.6-90.el7.centos.x86_64
- mod_auth version: mod_auth_openidc-2.4.1-1.el7.x86_64

How to reproduce:
1. Access mod_auth_openidc
2. Wait at least 30 seconds without logging in to OP
3. Log in to OP
4. OIDCStateTimeout error screen appears
Configuration:
```apache
<VirtualHost *:80>

ErrorLog "/var/log/httpd/service.example.com/error_log"
TransferLog "/var/log/httpd/service.example.com/access_log"

DocumentRoot /var/www/html

ServerName service.example.com

OIDCResponseType code
OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
OIDCRemoteUserClaim preferred_username
OIDCProviderMetadataURL https://kc-server.example.com:443/auth/realms/demo/.well-known/openid-configuration

OIDCClientID service
OIDCClientSecret 08e95831-9807-40dd-9d3f-**********
OIDCRedirectURI http://service.example.com/callback

# state lifetime in seconds; the error screen appears when it is exceeded
OIDCStateTimeout 30

<Location />
    AuthType openid-connect
    Require valid-user
</Location>
</VirtualHost>
```

access_log (when OIDCStateTimeout is exceeded):
192.178.185.196 - "" [19/Feb/2020:18:06:29 +0900] "GET /callback?state=VYOksbBpcqjPD9pgLUTEEfVWMMQ&session_state=a9522012-ea6b-4db3-b602-4cb89da78025&code=5d9c2f5f-1ba5-4407-8797-721985c7343d.a9522012-ea6b-4db3-b602-4cb89da78025.00b8e388-29bc-4f5e-a736-06b31584a73d HTTP/1.1" 500 1022

Network capture (when OIDCStateTimeout is exceeded):
[Network capture screenshot not preserved in this copy]
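As an added example (not code from the issue or from mod_auth_openidc), the check below takes a raw HTTP response and flags the two symptoms reported above: a Content-Length that covers only part of the body, and a second HTML error document appended after the first. The sample response is constructed to resemble the reported one; it is not the reporter's capture.

```python
# Added example: detect a short Content-Length and an appended second
# error document in a captured HTTP response (constructed sample input).
import re

# Constructed sample: a 200 status line, a Content-Length that covers only
# the mod_auth_openidc error page, and Apache's 500 page appended after it.
FIRST_PAGE = b"<html><body>Error: state timeout exceeded</body></html>"
SECOND_PAGE = b"<html><body><h1>Internal Server Error</h1></body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    + b"Content-Length: %d\r\n" % len(FIRST_PAGE)
    + b"\r\n"
    + FIRST_PAGE
    + SECOND_PAGE
)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status_code, headers, body

def check_response(raw: bytes) -> dict:
    """Return the findings relevant to this bug report for one response."""
    status, headers, body = parse_response(raw)
    declared = int(headers.get("content-length", "-1"))
    # More than one <html> opening tag means an error page was appended
    # to another error page instead of replacing it.
    documents = len(re.findall(rb"<html\b", body, flags=re.IGNORECASE))
    return {
        "status": status,
        "declared_length": declared,
        "actual_length": len(body),
        "length_mismatch": declared != len(body),
        "duplicate_body": documents > 1,
        # bytes a client honouring Content-Length never renders; a proxy
        # may treat them as the start of the next response
        "trailing_bytes": max(len(body) - declared, 0),
    }
```

Run `check_response(SAMPLE_RESPONSE)` to see all three findings; on a well-formed response the mismatch and duplicate flags are both False.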
