Bad request when handling openid connect return url error, possible misconfiguration? #1146
plateforme-medialab-responsables asked this question in Q&A
Hello,
I have noticed this problem a while ago but only understood more recently that it was possibly a misconfiguration on my part as the handling of error was part of open id connect core specification.
I'm using multiple IDP and everything else seem to work fine.
The scenario I have:
https://myplatform/protected/redirect_uri?error=access_denied&error_description=error_description&state=somestate
But instead of seeing the message, I get a 400 page: "Bad Request | Your browser sent a request that this server could not understand."
Other context:
OIDCMetadataDir /opt/OIDCMetadataDir/metadata
OIDCRedirectURI https://OBFUSCATED_DOMAIN/protected/redirect_uri
OIDCCryptoPassphrase OBFUSCATED_PASS
OIDCDiscoverURL https://OBFUSCATED_DOMAIN/idp-selector/index.html
OIDCSessionInactivityTimeout 600
[Thu Dec 07 16:00:39.961190 2023] [auth_openidc:debug] [pid 1100288:tid 140150260614912] src/util.c(1435): [client IP_OBFUSCTATED:57646] oidc_util_get_cookie: returning "mod_auth_openidc_state_OBFUSCATED_STATE_ID" =
[Thu Dec 07 16:00:39.961199 2023] [auth_openidc:error] [pid 1100288:tid 140150260614912] [client IP_OBFUSCTATED:57646] oidc_restore_proto_state: no "mod_auth_openidc_state_OBFUSCATED_STATE_ID" state cookie found: check domain and samesite cookie settings
[Thu Dec 07 16:00:39.961206 2023] [auth_openidc:error] [pid 1100288:tid 140150260614912] [client IP_OBFUSCTATED:57646] oidc_authorization_response_match_state: unable to restore state
[Thu Dec 07 16:00:39.961212 2023] [auth_openidc:error] [pid 1100288:tid 140150260614912] [client IP_OBFUSCTATED:57646] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...
[Thu Dec 07 16:00:39.961219 2023] [auth_openidc:debug] [pid 1100288:tid 140150260614912] src/util.c(1904): [client IP_OBFUSCTATED:57646] oidc_util_html_send_error: setting OIDC_ERROR environment variable to: Invalid Authorization Response
[Thu Dec 07 16:00:39.961225 2023] [auth_openidc:debug] [pid 1100288:tid 140150260614912] src/util.c(1909): [client IP_OBFUSCTATED:57646] oidc_util_html_send_error: setting OIDC_ERROR_DESC environment variable to: Could not match the authorization response to an earlier request via the state parameter and corresponding state cookie
[Thu Dec 07 16:00:39.961232 2023] [core:trace3] [pid 1100288:tid 140150260614912] request.c(119): [client IP_OBFUSCTATED:57646] auth phase 'check user' gave status 400: /protected/redirect_uri
[Thu Dec 07 16:00:39.961247 2023] [headers:debug] [pid 1100288:tid 140150260614912] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[Thu Dec 07 16:00:39.961258 2023] [headers:trace4] [pid 1100288:tid 140150260614912] util_expr_eval.c(860): [client IP_OBFUSCTATED:57646] Evaluation of expression from /etc/httpd/conf.d/pistard.conf:113 gave: 0
I can see that the parameters (error, message, state) are parsed correctly. The cookie that is sent when calling that URL has the same id as the state. The failure to match a cookie seems ok to me, considering we have not completed a login.
I will go through the settings and make sure I have not forgotten something obvious and see if I can figure it out, but I would be happy to get some help or ideas of what I could double-check.
Thanks,
Eric
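The state binding that the log lines above describe (match the `state` query parameter to a per-state cookie before trusting the response, even when the response only carries an `error`), as an added Python illustration that is not mod_auth_openidc code: the cookie name prefix is taken from the logs, while the handler, its status codes and the cookie attributes are assumptions.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Cookie name pattern seen in the logs above; the value here is an opaque
# nonce (assumption for this example; the real module stores request state).
STATE_COOKIE_PREFIX = "mod_auth_openidc_state_"


def start_login() -> tuple[str, str]:
    """Create a fresh state for an authorization request and the Set-Cookie
    header that binds it to this browser. Returns (state, set_cookie)."""
    state = secrets.token_urlsafe(16)
    # SameSite=Lax: the cookie must still be sent on the top-level GET with
    # which the IdP redirects the browser back; Strict would drop it, so every
    # response (success or error) would fail the state match below.
    set_cookie = (f"{STATE_COOKIE_PREFIX}{state}={secrets.token_urlsafe(16)}; "
                  "Path=/; Secure; HttpOnly; SameSite=Lax")
    return state, set_cookie


def handle_redirect_uri(url: str, cookie_header: str) -> tuple[int, str]:
    """Process the browser's request to redirect_uri. Returns (status, text)."""
    query = parse_qs(urlsplit(url).query)
    state = query.get("state", [""])[0]
    if not state:
        return 400, "Invalid Authorization Response: no state parameter"
    jar = SimpleCookie()
    jar.load(cookie_header)  # parses a "Cookie:" header value
    if STATE_COOKIE_PREFIX + state not in jar:
        # Nothing ties this response to a request we issued, so it is not
        # trusted even when it only carries an error: a crafted link must not
        # be able to make the relying party display arbitrary text.
        return 400, ("Invalid Authorization Response: could not match the "
                     "state parameter to a state cookie")
    if "error" in query:
        desc = query.get("error_description", ["(no description)"])[0]
        return 401, f"Identity provider returned {query['error'][0]}: {desc}"
    if "code" in query:
        return 200, "authorization code received; exchange it at the token endpoint"
    return 400, "Invalid Authorization Response: neither code nor error"
```

With the cookie present the IdP's error text is shown; without it (wrong Domain, SameSite=Strict, or a response that was never requested) the same error response is rejected with 400.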