OpenIDC / mod_auth_openidc

OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x


Intermittent 500 internal error with no mod_auth_openidc_state_ state cookie found in the logs.

mchopker opened this issue · comments

Environment:

  • Apache/2.4.37
  • mod_auth_openidc.so-2.3.7-8.module

Issue:

  • Getting a 500 internal server error sometimes when the callback URL is called from the OpenID Provider.

Logs:

[Thu Jan 20 12:23:44.014558 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(1493): [client 135.11.4.9:32130] oidc_util_read_form_encoded_params: read: nonce=HzYLvdWIVj6sIQ9p1iBquPVJC9C2Qg7P6gVLVWyNVvY
[Thu Jan 20 12:23:44.014608 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(1493): [client 135.11.4.9:32130] oidc_util_read_form_encoded_params: read: code=M2U2MTM0N2MtNWQ3ZC00ODMwLWFjMWEtYzJkYTE3N2I3MTA3LVNNaGYrQ1JrdW1Sa3lONlFjdFJmNGFCRklhQT0
[Thu Jan 20 12:23:44.014653 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(1493): [client 135.11.4.9:32130] oidc_util_read_form_encoded_params: read: state=UCPQSRZImWhUZMOPDOxvFtox8U8
[Thu Jan 20 12:23:44.014671 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(1498): [client 135.11.4.9:32130] oidc_util_read_form_encoded_params: parsed: 176 bytes into 3 elements
[Thu Jan 20 12:23:44.014688 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/mod_auth_openidc.c(1960): [client 135.11.4.9:32130] oidc_handle_authorization_response: enter, response_mode=query
[Thu Jan 20 12:23:44.014704 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/mod_auth_openidc.c(1600): [client 135.11.4.9:32130] oidc_authorization_response_match_state: enter (state=UCPQSRZImWhUZMOPDOxvFtox8U8)
[Thu Jan 20 12:23:44.014720 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/mod_auth_openidc.c(811): [client 135.11.4.9:32130] oidc_restore_proto_state: enter
[Thu Jan 20 12:23:44.014737 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(2243): [client 135.11.4.9:32130] oidc_util_hdr_in_get: Cookie=SMSESSION=No; PCISESSION=No; PF=8UMThfcnfb2nfVBNROGwc4OpUxf9gtzU3PDiqudIu4Fm; JSESSIONID=2GBbhpYQr90w2Dn6T6gWhnh3SbS9fGCLRhj1ZptK0xhD3p0xC4nf!1131440154!-1001222010
[Thu Jan 20 12:23:44.014863 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(2243): [client 135.11.4.9:32130] oidc_util_hdr_in_get: Cookie=SMSESSION=No; PCISESSION=No; PF=8UMThfcnfb2nfVBNROGwc4OpUxf9gtzU3PDiqudIu4Fm; JSESSIONID=2GBbhpYQr90w2Dn6T6gWhnh3SbS9fGCLRhj1ZptK0xhD3p0xC4nf!1131440154!-1001222010
[Thu Jan 20 12:23:44.014887 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(1038): [client 135.11.4.9:32130] oidc_util_get_cookie: returning "mod_auth_openidc_state_UCPQSRZImWhUZMOPDOxvFtox8U8" = <null>
[Thu Jan 20 12:23:44.014902 2022] [auth_openidc:error] [pid 616755:tid 140687936833280] [client 135.11.4.9:32130] oidc_restore_proto_state: no "mod_auth_openidc_state_UCPQSRZImWhUZMOPDOxvFtox8U8" state cookie found
[Thu Jan 20 12:23:44.014919 2022] [auth_openidc:warn] [pid 616755:tid 140687936833280] [client 135.11.4.9:32130] oidc_proto_peek_jwt_header: could not parse first element separated by "." from input
[Thu Jan 20 12:23:44.014934 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/mod_auth_openidc.c(541): [client 135.11.4.9:32130] oidc_unsolicited_proto_state: enter: state header=(null)
[Thu Jan 20 12:23:44.014969 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(2032): [client 135.11.4.9:32130] oidc_util_create_symmetric_key: key_len=32
[Thu Jan 20 12:23:44.015027 2022] [auth_openidc:error] [pid 616755:tid 140687936833280] [client 135.11.4.9:32130] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:749: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 781]\n\n
[Thu Jan 20 12:23:44.015050 2022] [auth_openidc:error] [pid 616755:tid 140687936833280] [client 135.11.4.9:32130] oidc_authorization_response_match_state: unable to restore state
[Thu Jan 20 12:23:44.015064 2022] [auth_openidc:error] [pid 616755:tid 140687936833280] [client 135.11.4.9:32130] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...

Config:

LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCScope "openid profile"
OIDCProviderIssuer https://secureus1.aaaa.com
OIDCProviderAuthorizationEndpoint https://secureus1.aaaa.com/affwebservices/CASSO/oidc/AMSP-Portal/authorize
OIDCProviderUserInfoEndpoint https://secureus1.aaaa.com/affwebservices/CASSO/oidc/AMSP-Portal/userinfo
OIDCProviderTokenEndpoint https://secureus1.aaaa.com/affwebservices/CASSO/oidc/AMSP-Portal/token
OIDCProviderJwksUri https://secureus1.aaaa.com/affwebservices/CASSO/oidc/AMSP-Portal/jwks

OIDCSessionInactivityTimeout 3600

OIDCClientID 000a1bad-0f7a-1104-ttttt-848d870b0000
OIDCClientSecret hiXkQREFytttttttttttttttttJyWYtMKGTv3djY=

OIDCRedirectURI https://oneaaaa.aaaa.com:443/managed-services/redirect_uri
OIDCSSLValidateServer Off
OIDCCryptoPassphrase SomePassword
OIDCClaimPrefix OIDC-
OIDCCookieDomain aaaa.com
OIDCRemoteUserClaim email

<Location /redirect_uri>
    Require valid-user
    AuthType openid-connect
</Location>

<Location /managed-services >
.....

I looked at other similar issues reported but was not able to conclude on a solution. I do see the mod_auth_openidc_state_ cookie not found issue in the logs. But I am wondering, since that cookie was present when sending the request to the OP, how that cookie got removed in between when redirecting to the callback URL. Please help.
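As an added triage aid (not part of this issue or of mod_auth_openidc itself), the script below parses debug lines of the shape shown above, groups them per request, and for each authorization callback reports whether the browser sent the expected `mod_auth_openidc_state_<state>` cookie, distinguishing "no state cookie at all" from "a different state cookie". The sample log is constructed from the excerpt above with cookie values shortened, plus a made-up second request that succeeds; grouping by pid/tid/client is an assumption that holds within a short log window.

```python
import re
# Constructed sample: the first three lines are abridged from the issue's log excerpt (cookie values
# shortened); the last three are a made-up second request whose state cookie did come back.
SAMPLE_LOG = """\
[Thu Jan 20 12:23:44.014704 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/mod_auth_openidc.c(1600): [client 135.11.4.9:32130] oidc_authorization_response_match_state: enter (state=UCPQSRZImWhUZMOPDOxvFtox8U8)
[Thu Jan 20 12:23:44.014737 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(2243): [client 135.11.4.9:32130] oidc_util_hdr_in_get: Cookie=SMSESSION=No; PCISESSION=No; PF=8UMT...; JSESSIONID=2GBb...
[Thu Jan 20 12:23:44.014887 2022] [auth_openidc:debug] [pid 616755:tid 140687936833280] src/util.c(1038): [client 135.11.4.9:32130] oidc_util_get_cookie: returning "mod_auth_openidc_state_UCPQSRZImWhUZMOPDOxvFtox8U8" = <null>
[Thu Jan 20 12:25:01.000001 2022] [auth_openidc:debug] [pid 616755:tid 140687936833281] src/mod_auth_openidc.c(1600): [client 10.0.0.5:40000] oidc_authorization_response_match_state: enter (state=EXAMPLEstate123)
[Thu Jan 20 12:25:01.000002 2022] [auth_openidc:debug] [pid 616755:tid 140687936833281] src/util.c(2243): [client 10.0.0.5:40000] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_state_EXAMPLEstate123=eyJ...
[Thu Jan 20 12:25:01.000003 2022] [auth_openidc:debug] [pid 616755:tid 140687936833281] src/util.c(1038): [client 10.0.0.5:40000] oidc_util_get_cookie: returning "mod_auth_openidc_state_EXAMPLEstate123" = eyJ...
"""
# Common prefix of every auth_openidc line; the src/file(line): field appears only on debug lines.
LINE_RE = re.compile(
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\](?: src/\S+)? "
    r"\[client (?P<client>[\d.]+):\d+\] (?P<func>\w+): (?P<msg>.*)$"
)
STATE_ENTER = re.compile(r"enter \(state=(?P<state>\S+)\)")
GET_COOKIE = re.compile(r'returning "(?P<name>[^"]+)" = (?P<val>.*)$')
STATE_PREFIX = "mod_auth_openidc_state_"

def classify(flow):
    """Heuristic verdict for one callback (assumes one request per pid/tid/client key in the window)."""
    if flow["state"] is None:
        return "not an authorization callback"
    if flow["state_cookie_present"]:
        return "state cookie present"
    others = [c for c in flow["cookies"] if c.startswith(STATE_PREFIX)]
    if others:  # browser holds state cookies, just not this one: parallel login or reused/stale state
        return "state mismatch: %d other state cookie(s) sent" % len(others)
    return "no state cookie sent at all: never set, expired, or dropped (domain/path/SameSite)"

def triage(log_text):
    """Group lines per request and report whether the expected state cookie came back."""
    flows = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["pid"], m["tid"], m["client"])
        flow = flows.setdefault(key, {"client": m["client"], "state": None,
                                      "cookies": [], "state_cookie_present": False})
        func, msg = m["func"], m["msg"]
        if func == "oidc_authorization_response_match_state" and (sm := STATE_ENTER.search(msg)):
            flow["state"] = sm["state"]  # the state echoed back by the OP in the callback query
        elif func == "oidc_util_hdr_in_get" and msg.startswith("Cookie="):
            flow["cookies"] = [c.split("=", 1)[0].strip() for c in msg[7:].split(";") if c.strip()]
        elif func == "oidc_util_get_cookie" and (cm := GET_COOKIE.search(msg)) and cm["name"].startswith(STATE_PREFIX):
            flow["state_cookie_present"] = cm["val"] != "<null>"
    for flow in flows.values():
        flow["verdict"] = classify(flow)
    return list(flows.values())
```

Run `triage()` over a window of the Apache error log at LogLevel debug; a run of "no state cookie sent at all" verdicts from real browsers points at the cookie never reaching the callback host (domain, path or SameSite), while "state mismatch" verdicts point at overlapping or replayed logins.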