Mismatching state error #1

Open
Flowake opened this issue Apr 25, 2023 · 2 comments

Comments


Flowake commented Apr 25, 2023

Thanks for the awesome work with QWC and this implementation of the OIDC authentication protocol.

I'm trying to use this authentication method with an AzureAD OIDC application.
It seems to work except that it always raises an error on the first authentication.

Steps to reproduce

  • Start from the qwc-docker repository
  • Replace the image for qwc-auth-service from "sourcepole/qwc-db-auth:v2023.0-lts" to "sourcepole/qwc-oidc-auth:v2023.04.03"
  • Create the oidcAuthConfig.json file with the issuer_url, client_id and client_secret
  • Run docker compose up to start all the services
  • Try to log in from the map viewer or from the admin panel

Bug

It raises the following error:

qwc-docker-qwc-auth-service-1 | File "/srv/qwc_service/./server.py", line 113, in callback
qwc-docker-qwc-auth-service-1 | token = oidc.authorize_access_token()
qwc-docker-qwc-auth-service-1 | File "/usr/lib/python3.9/site-packages/authlib/integrations/flask_client/apps.py", line 102, in authorize_access_token
qwc-docker-qwc-auth-service-1 | params = self._format_state_params(state_data, params)
qwc-docker-qwc-auth-service-1 | File "/usr/lib/python3.9/site-packages/authlib/integrations/base_client/sync_app.py", line 234, in _format_state_params
qwc-docker-qwc-auth-service-1 | raise MismatchingStateError()
qwc-docker-qwc-auth-service-1 | authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.

Investigation so far

I cloned the repository and changed the docker compose to build the image from the cloned repository.
Then I added new logging statements in the callback function, and I dug into authlib to understand what happens.

The issue seems to be that all the data set in the session ("target_url" and "_state_default_XXXXXXXXX") in the login function has disappeared in the callback function that is called after logging in.

In the map viewer, after failing to log in the first time, if I go back to the map viewer and try to log in again, it will succeed, and the session will have two different "_state_default_XXXXXXXXX" keys (the one from the first failed attempt and the one from the successful second attempt).

For the qwc_admin panel, after failing the first time, if I go back to the /qwc_admin/ endpoint it will produce an error "Too many redirects".

If you have any ideas on how to solve this I would happily try them and submit a PR if I get it to work.

@rsrg-zwiama

Hi @Flowake
Is this still an issue for you? I had a similar state error and easily fixed it by using environment variables: JWT_COOKIE_SAMESITE: 'Lax' (in the docker compose example it is set to 'Strict'), or just don't set the env; the services use 'Lax' by default.


pka commented Oct 4, 2023

I've completely missed that issue, sorry! I'm currently on holiday and can't investigate your findings, but maybe @rsrg-zwiama's tip already helps you? What I can say so far is that we are using qwc-oidc-auth with Azure AD and we didn't observe this problem.
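To make the two observations in this thread concrete (the session data written in login being absent in the callback, and JWT_COOKIE_SAMESITE 'Lax' resolving it), here is an added Python example that is not code from qwc-oidc-auth or authlib: it models how a browser applies the session cookie's SameSite attribute to the top-level redirect from the identity provider back to /callback, and how the state check then fails or passes. The hostnames, the session store and the state key format are constructed stand-ins.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import secrets

# Constructed hostnames for this example (placeholders, not from the issue).
APP_HOST = "qwc.example.test"        # where qwc-auth-service serves /callback
IDP_HOST = "login.idp.example.test"  # stands in for the Azure AD issuer
SESSIONS: dict = {}  # server-side session store keyed by cookie value (constructed)

class MismatchingStateError(Exception):
    pass

@dataclass
class Browser:
    """Minimal model of SameSite cookie rules for top-level navigations."""
    samesite: str
    jar: dict = field(default_factory=dict)

    def cookies_for(self, url: str, initiator_host: str, method: str = "GET") -> dict:
        same_site = urlsplit(url).hostname == initiator_host
        if self.samesite == "Strict" and not same_site:
            return {}  # Strict: never sent on a cross-site request, even top-level
        if self.samesite == "Lax" and not same_site and method != "GET":
            return {}  # Lax: cross-site only for safe (GET) top-level navigations
        return dict(self.jar)

def login(browser: Browser) -> str:
    """/login: create a session, store the OIDC state in it, redirect to the IdP."""
    sid, state = secrets.token_hex(8), secrets.token_urlsafe(16)
    SESSIONS[sid] = {f"_state_default_{state}": {}, "target_url": "/"}
    browser.jar["session"] = sid  # Set-Cookie on a same-site response
    return state

def callback(browser: Browser, state: str) -> str:
    """/callback: reached by a top-level GET redirect from the IdP's site."""
    url = f"https://{APP_HOST}/callback?code=c&state={state}"
    cookies = browser.cookies_for(url, initiator_host=IDP_HOST)
    session = SESSIONS.get(cookies.get("session", ""), {})
    if f"_state_default_{state}" not in session:  # authlib's check, simplified
        raise MismatchingStateError("CSRF Warning! State not equal in request and response.")
    return session["target_url"]

def run_flow(samesite: str) -> str:
    """Returns 'ok' or 'mismatching_state' for the given session cookie policy."""
    browser = Browser(samesite)
    state = login(browser)  # browser follows the redirect to the IdP, user signs in
    try:
        return "ok" if callback(browser, state) == "/" else "unexpected"
    except MismatchingStateError:
        return "mismatching_state"
```

With 'Strict' the browser withholds the session cookie on the cross-site redirect, so the state stored at login is unreachable in the callback and the CSRF check fails; with 'Lax' the cookie accompanies the top-level GET and the same state is found.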
