
Operate SaaS authentication failure: The received state doesn't match the expected one. #18280

Open
ralfpuchert opened this issue May 6, 2024 · 0 comments
Labels
component/operate Related to the Operate component/team kind/bug Categorizes an issue or PR as a bug support Marks an issue as related to a customer support request

ralfpuchert commented May 6, 2024

Describe the bug

Related support case: SUPPORT-17722

During the authentication flow for SaaS it can happen that the login procedure fails.
The user opens any Operate page and waits for the session to expire.
Then the user re-authenticates and gets one of the error pages:

No permission for Operate - Please check ... or

[image]

In this case the following exception will be thrown:

Exception:

```
com.auth0.InvalidRequestException: The received state doesn't match the expected one.
	at com.auth0.RequestProcessor.checkSessionState(RequestProcessor.java:321) ~[operate-mvc-auth-commons-8.4.5.jar!/:1.10.0]
	at com.auth0.RequestProcessor.assertValidState(RequestProcessor.java:309) ~[operate-mvc-auth-commons-8.4.5.jar!/:1.10.0]
	at com.auth0.RequestProcessor.process(RequestProcessor.java:169) ~[operate-mvc-auth-commons-8.4.5.jar!/:1.10.0]
	at com.auth0.AuthenticationController.handle(AuthenticationController.java:306) ~[operate-mvc-auth-commons-8.4.5.jar!/:1.10.0]
	at io.camunda.operate.webapp.security.sso.Auth0Service.lambda$retrieveTokens$0(Auth0Service.java:138) ~[classes!/:8.4.5]
	at io.camunda.operate.util.RetryOperation.retry(RetryOperation.java:118) ~[operate-common-8.4.5.jar!/:8.4.5]
	at io.camunda.operate.webapp.security.sso.Auth0Service.retrieveTokens(Auth0Service.java:141) ~[classes!/:8.4.5]
	at io.camunda.operate.webapp.security.sso.Auth0Service.authenticate(Auth0Service.java:79) ~[classes!/:8.4.5]
	at io.camunda.operate.webapp.security.sso.SSOController.loggedInCallback(SSOController.java:63) ~[classes!/:8.4.5]
	at jdk.internal.reflect.GeneratedMethodAccessor436.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
```

To Reproduce

We couldn't reproduce this for now.

One way to provoke the same error is by debugging the application.

  1. Set a breakpoint in the Auth0Service::authenticate method.
  2. Start Operate with the sso-auth profile and try to access the main page.
  3. When the breakpoint is reached, start another access to the main page.
  4. Continue the application flow.
  5. You should see the error message mentioned above.

Current behavior

Occasional authentication failures

Expected behavior

Authentication behaves consistently and doesn't fail as described

Environment

  • OS: [e.g. MacOS]
  • Browser: [e.g. chrome, safari]
  • Operate Version: 8.3.5+
  • SaaS (sso-auth profile)

Additional context

  • Before redirecting a user to authentication provider login page, Operate generates a random state value and stores it in a session.
  • After successful login, authentication provider redirects the user back to Operate, including the original state in the response.
  • Operate compares the state it received from authentication provider with the one it initially stored.
  • The error occurs when these values don’t match.

  • The error could be reproduced by stopping the login process and starting a new one. Then resume both login processes; one of them fails (not always).
  • It can also happen if multiple login attempts happen very quickly.
  • The current hypothesis is a session storage issue.
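The state check described in the bullets above, and the way two overlapping login starts on one session can break it, reduced to a runnable model. This is an added example written for this issue, not code from Operate or the auth0 library; the session is a plain dict, `STATE_TTL_SECONDS` and the function names are assumptions. The first pair of functions keeps a single `state` slot per session, so a second login start overwrites the first state and the first callback then fails with exactly the mismatch seen in the stack trace. The second pair keeps a small set of pending, single-use, expiring states, which lets both overlapping logins complete while still rejecting forged, replayed and stale states.

```python
"""OAuth/OIDC `state` handling: single-slot version that races, and a hardened
version that tolerates overlapping login starts. Added example, not Operate code."""
import hmac
import secrets
import time
from typing import Optional

STATE_TTL_SECONDS = 300.0  # assumption: a pending state is valid for 5 minutes


class StateMismatch(Exception):
    """Callback carried a state this session never issued (or no longer accepts)."""


def _same(a: str, b: str) -> bool:
    # constant-time compare; encode first so non-ASCII input cannot raise TypeError
    return hmac.compare_digest(a.encode(), b.encode())


# --- single-slot variant: what goes wrong when two logins start on one session ---

def begin_login_single_slot(session: dict) -> str:
    state = secrets.token_urlsafe(32)
    session["state"] = state  # a second login start silently overwrites the first
    return state


def complete_login_single_slot(session: dict, received_state: str) -> None:
    expected = session.pop("state", None)
    if expected is None or not _same(expected, received_state):
        raise StateMismatch("The received state doesn't match the expected one.")


# --- hardened variant: set of pending states, each single-use and time-limited ---

def begin_login(session: dict, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    pending = session.setdefault("pending_states", {})
    for old, expiry in list(pending.items()):  # purge abandoned logins
        if expiry <= now:
            del pending[old]
    state = secrets.token_urlsafe(32)
    pending[state] = now + STATE_TTL_SECONDS
    return state


def complete_login(session: dict, received_state: str, now: Optional[float] = None) -> None:
    now = time.time() if now is None else now
    pending = session.get("pending_states", {})
    match = None
    for candidate in list(pending):  # scan every candidate; no early exit
        if _same(candidate, received_state):
            match = candidate
    if match is None:
        raise StateMismatch("The received state doesn't match the expected one.")
    expiry = pending.pop(match)  # single use: a replayed callback finds nothing
    if expiry <= now:
        raise StateMismatch("State expired before the callback arrived.")


def _succeeds(fn, *args, **kwargs) -> bool:
    try:
        fn(*args, **kwargs)
        return True
    except StateMismatch:
        return False


# --- scenarios mirroring the issue: two tabs / a retry before the first callback ---

def race_single_slot() -> bool:
    """Start login twice on one session, then complete the FIRST one."""
    session: dict = {}
    first = begin_login_single_slot(session)
    begin_login_single_slot(session)  # second start (other tab, quick retry)
    return _succeeds(complete_login_single_slot, session, first)  # False: overwritten


def race_hardened() -> tuple:
    """Same overlap with pending-state set; both callbacks should succeed."""
    session: dict = {}
    first = begin_login(session, now=0.0)
    second = begin_login(session, now=1.0)
    return (_succeeds(complete_login, session, first, now=2.0),
            _succeeds(complete_login, session, second, now=3.0))


def replay_rejected() -> bool:
    session: dict = {}
    state = begin_login(session, now=0.0)
    complete_login(session, state, now=1.0)
    return not _succeeds(complete_login, session, state, now=2.0)


def expired_rejected() -> bool:
    session: dict = {}
    state = begin_login(session, now=0.0)
    return not _succeeds(complete_login, session, state, now=STATE_TTL_SECONDS + 1)


def forged_rejected() -> bool:
    session: dict = {}
    begin_login(session, now=0.0)
    return not _succeeds(complete_login, session, "not-a-state-we-issued", now=1.0)


if __name__ == "__main__":
    print("single slot survives overlap:", race_single_slot())
    print("hardened survives overlap:   ", race_hardened())
```

Whether the fix belongs in the session store or in the state bookkeeping is exactly what the "session storage issue" hypothesis has to settle; the model above only shows that a single overwritable slot is sufficient on its own to produce the observed mismatch, and that the hardened bookkeeping still needs the session itself to be read back consistently on the callback request.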

Acceptance Criteria

Definition of Ready - Checklist

  • The bug has been reproduced by the assignee in the environment compatible with the provided one; otherwise, the issue is closed with a comment
  • The issue has a meaningful title, description, and testable acceptance criteria
  • The issue has been labeled with an appropriate Bug-area label
  • Necessary screenshots, screen recordings, or files are attached to the bug report

For UI changes required to solve the bug:

  • Design input has been collected by the assignee

Implementation

🔍 Root Cause Analysis

💭 Proposed Solution

👉 Handover Dev to QA

  • Changed components:
  • Side effects on other components:
  • Handy resources:
    BPMN/DMN models, plugins, scripts, REST API endpoints + example payload, etc :
  • Example projects:
  • Commands/Steps needed to test; Versions to validate:
  • Docker file / HELM chart: if it needs to be tested via Docker, share the version containing the fix along with the versions of the other services.
  • Release version ( in which version this fixed/feature will be released):

📗 Link to the test case

@ralfpuchert ralfpuchert added kind/bug Categorizes an issue or PR as a bug support Marks an issue as related to a customer support request component/operate Related to the Operate component/team labels May 6, 2024