oidc_restore_proto_state: no "mod_auth_openidc_state_LfHbf5_IATq17BZnhQO_ylbDdwo" state cookie found, referer: https://identityprovider.com:8016/login

[Abhikr1994]

My auth_openidc.conf configuration:-

OIDCProviderMetadataURL https://sp1.com:8014 OIDCClientID 12345 OIDCClientSecret 6789 OIDCCryptoPassphrase bel@123 OIDCStateTimeout 60 OIDCResponseType code OIDCScope "profile openid offline_access" OIDCProviderTokenEndpointAuth client_secret_basic OIDCSessionMaxDuration 86400 OIDCSSLValidateServer Off OIDCCookiePath / OIDCCookieDomain sp1.com OIDCCookie mod_auth_openidc_session OIDCDefaultURL https://identityprovider.com:8016/login OIDCCacheEncrypt On #OIDCProviderAuthRequestMethod GET OIDCRemoteUserClaim preferred_username #OIDCProviderJwksUri https://identityprovider.com:8016 OIDCCacheType file OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache OIDCCacheFileCleanInterval 60 OIDCSessionInactivityTimeout 5000 OIDCRemoteUserClaim upn
I am sending authorization code and state from my node application to apache(service provider).
https://sp1.com:8006/getbookingdata/secure?code=f2c25d22e3b140288f4011a742fbc931&state=LfHbf5_IATq17BZnhQO_ylbDdwo
Once it goes to apache it doesn't get redirected to my token endpoint.
[Fri Feb 05 12:01:07.171528 2021] [auth_openidc:debug] [pid 533] src/proto.c(782): [client 192.168.20.122:37166] oidc_proto_authorization_request: return: 302 [Fri Feb 05 12:01:11.773473 2021] [authz_core:debug] [pid 529] mod_authz_core.c(809): [client 192.168.20.122:37212] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773559 2021] [authz_core:debug] [pid 529] mod_authz_core.c(809): [client 192.168.20.122:37212] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773595 2021] [auth_openidc:debug] [pid 529] src/mod_auth_openidc.c(4005): [client 192.168.20.122:37212] oidc_check_user_id: incoming request: "/getbookingdata/secure?code=f2c25d22e3b140288f4011a742fbc931&state=LfHbf5_IATq17BZnhQO_ylbDdwo", ap_is_initial_req(r)=1, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773620 2021] [auth_openidc:debug] [pid 529] src/util.c(1062): [client 192.168.20.122:37212] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773633 2021] [auth_openidc:debug] [pid 529] src/util.c(1224): [client 192.168.20.122:37212] oidc_util_request_matches_url: comparing "/getbookingdata/secure"=="/getbookingdata/secure", referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773649 2021] [auth_openidc:debug] [pid 529] src/mod_auth_openidc.c(2225): [client 192.168.20.122:37212] oidc_handle_redirect_authorization_response: enter, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773724 2021] [auth_openidc:debug] [pid 529] src/util.c(1548): [client 192.168.20.122:37212] oidc_util_read_form_encoded_params: read: code=f2c25d22e3b140288f4011a742fbc931, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773749 2021] [auth_openidc:debug] [pid 529] src/util.c(1548): [client 192.168.20.122:37212] oidc_util_read_form_encoded_params: read: state=LfHbf5_IATq17BZnhQO_ylbDdwo, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773760 2021] [auth_openidc:debug] [pid 529] src/util.c(1553): [client 192.168.20.122:37212] oidc_util_read_form_encoded_params: parsed: 71 bytes into 2 elements, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773769 2021] [auth_openidc:debug] [pid 529] src/mod_auth_openidc.c(2049): [client 192.168.20.122:37212] oidc_handle_authorization_response: enter, response_mode=query, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773779 2021] [auth_openidc:debug] [pid 529] src/mod_auth_openidc.c(1680): [client 192.168.20.122:37212] oidc_authorization_response_match_state: enter (state=LfHbf5_IATq17BZnhQO_ylbDdwo), referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773811 2021] [auth_openidc:debug] [pid 529] src/mod_auth_openidc.c(817): [client 192.168.20.122:37212] oidc_restore_proto_state: enter, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773822 2021] [auth_openidc:debug] [pid 529] src/util.c(1062): [client 192.168.20.122:37212] oidc_util_get_cookie: returning "mod_auth_openidc_state_LfHbf5_IATq17BZnhQO_ylbDdwo" = <null>, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773831 2021] [auth_openidc:error] [pid 529] [client 192.168.20.122:37212] oidc_restore_proto_state: no "mod_auth_openidc_state_LfHbf5_IATq17BZnhQO_ylbDdwo" state cookie found, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773841 2021] [auth_openidc:warn] [pid 529] [client 192.168.20.122:37212] oidc_proto_peek_jwt_header: could not parse first element separated by "." from input, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773850 2021] [auth_openidc:debug] [pid 529] src/mod_auth_openidc.c(544): [client 192.168.20.122:37212] oidc_unsolicited_proto_state: enter: state header=(null), referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773895 2021] [auth_openidc:debug] [pid 529] src/util.c(2120): [client 192.168.20.122:37212] oidc_util_create_symmetric_key: key_len=32, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773955 2021] [auth_openidc:error] [pid 529] [client 192.168.20.122:37212] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:809: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 781], referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773966 2021] [auth_openidc:error] [pid 529] [client 192.168.20.122:37212] oidc_authorization_response_match_state: unable to restore state, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773975 2021] [auth_openidc:warn] [pid 529] [client 192.168.20.122:37212] oidc_handle_authorization_response: invalid authorization response state; a default SSO URL is set, sending the user there: https://identityprovider.com:8016/login, referer: https://identityprovider.com:8016/login [Fri Feb 05 12:01:11.773984 2021] [auth_openidc:debug] [pid 529] src/util.c(2391): [client 192.168.20.122:37212] oidc_util_hdr_table_set: Location: https://identityprovider.com:8016/login, referer: https://identityprovider.com:8016/login
Above is my logs from apache.
Can someone tell what might be an issue?

[demiGod095]

I have the same problem

Using google oidc client with apache server with barebones HTML public and private directories.

Funny thing is, it works perfectly fine on Firefox..
edge, and google chrome throw the below error.

apache error log as follows-

[Thu Apr 01 00:48:57.043081 2021] [auth_openidc:error] [pid 104825:tid 139818734401280] [client 14.200.249.126:41808] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:754: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 781]
[Thu Apr 01 00:48:57.043088 2021] [auth_openidc:error] [pid 104825:tid 139818734401280] [client 14.200.249.126:41808] oidc_authorization_response_match_state: unable to restore state
[Thu Apr 01 00:48:57.043094 2021] [auth_openidc:error] [pid 104825:tid 139818734401280] [client 14.200.249.126:41808] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...```

[zandbelt]

most probably an issue with samesite cookies, make sure you use the latest version of the module and - if your browser is old and does not support samesite=none - see: https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.6/auth_openidc.conf#L497-L500

[demiGod095]

thanks!
adding OIDCCookieSameSite On to apache conf made it work!

also, I am using the mod version from the apt repository. its reported as 2.4.1-1.