OIDC State cookie not found

[jamesacris]

Hi. I'm attempting to use mod_auth_openidc but I'm seeing 'no state cookie found' errors. After login, the state cookie goes missing, and mod_auth_openidc redirects me back to the homepage, which redirects me back to the OIDC provider and a loop ensues, broken by a 'too many redirects' error in the browser.

Snapshot of apache debug logs, just before the error (client IP & hostname redacted):

...
[auth_openidc:debug] [pid 409:tid 140427999024896] src/authz.c(199): [client <ip>] oidc_authz_match_claim: evaluating key "groups"
[auth_openidc:debug] [pid 409:tid 140427999024896] src/authz.c(451): [client <ip>] oidc_authz_worker24: require claim/expr 'groups~misp*' matched
[authz_core:debug] [pid 409:tid 140427999024896] mod_authz_core.c(820): [client <ip>] AH01626: authorization result of Require claim "groups~misp*": granted
[authz_core:debug] [pid 409:tid 140427999024896] mod_authz_core.c(820): [client <ip>] AH01626: authorization result of <RequireAny>: granted
...
[auth_openidc:debug] [pid 409:tid 140427378292480] src/mod_auth_openidc.c(4045): [client <ip>] oidc_authz_checker: enter: require_args=""groups~misp*""
[authz_core:debug] [pid 409:tid 140427378292480] mod_authz_core.c(820): [client <ip>] AH01626: authorization result of Require claim "groups~misp*": denied (no authenticated user yet)
[authz_core:debug] [pid 409:tid 140427378292480] mod_authz_core.c(820): [client <ip>] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_openidc:debug] [pid 409:tid 140427378292480] src/mod_auth_openidc.c(3928): [client <ip>] oidc_check_user_id: incoming request: "/oauth2callback?code=HZBOnil3vLUjUuGHu0qbPN&state=YizH13F9Vi_SFL98d7mq_w", ap_is_initial_req(r)=1
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(2521): [client <ip>] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_session=8c67c0f5-0377-420c-a86f-a95de936e718
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(1226): [client <ip>] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "8c67c0f5-0377-420c-a86f-a95de936e718"
[auth_openidc:debug] [pid 409:tid 140427378292480] src/cache/common.c(318): [client <ip>] oidc_cache_get: enter: 8c67c0f5-0377-420c-a86f-a95de936e718 (section=s, decrypt=0, type=shm)
[auth_openidc:debug] [pid 409:tid 140427378292480] src/cache/common.c(350): [client <ip>] oidc_cache_get: cache hit: return 4203 bytes from shm cache backend for key 8c67c0f5-0377-420c-a86f-a95de936e718
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(1388): [client <ip>] oidc_util_request_matches_url: comparing "/oauth2callback"=="/oauth2callback"
[auth_openidc:debug] [pid 409:tid 140427378292480] src/mod_auth_openidc.c(2104): [client <ip>] oidc_handle_redirect_authorization_response: enter
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(1712): [client <ip>] oidc_util_read_form_encoded_params: read: code=HZBOnil3vLUjUuGHu0qbPN
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(1712): [client <ip>] oidc_util_read_form_encoded_params: read: state=YizH13F9Vi_SFL98d7mq_w
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(1717): [client <ip>] oidc_util_read_form_encoded_params: parsed: 56 bytes into 2 elements
[auth_openidc:debug] [pid 409:tid 140427378292480] src/mod_auth_openidc.c(1922): [client <ip>] oidc_handle_authorization_response: enter, response_mode=query
[auth_openidc:debug] [pid 409:tid 140427378292480] src/mod_auth_openidc.c(1547): [client <ip>] oidc_authorization_response_match_state: enter (state=YizH13F9Vi_SFL98d7mq_w)
[auth_openidc:debug] [pid 409:tid 140427378292480] src/mod_auth_openidc.c(649): [client <ip>] oidc_restore_proto_state: enter
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(2521): [client <ip>] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_session=8c67c0f5-0377-420c-a86f-a95de936e718
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(2521): [client <ip>] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_session=8c67c0f5-0377-420c-a86f-a95de936e718
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(1226): [client <ip>] oidc_util_get_cookie: returning "mod_auth_openidc_state_YizH13F9Vi_SFL98d7mq_w" = <null>
[auth_openidc:error] [pid 409:tid 140427378292480] [client <ip>] oidc_restore_proto_state: no "mod_auth_openidc_state_YizH13F9Vi_SFL98d7mq_w" state cookie found: check domain and samesite cookie settings
[auth_openidc:error] [pid 409:tid 140427378292480] [client <ip>] oidc_authorization_response_match_state: unable to restore state
[auth_openidc:warn] [pid 409:tid 140427378292480] [client <ip>] oidc_handle_authorization_response: invalid authorization response state; a default SSO URL is set, sending the user there: http://<server_hostname>:8080
[auth_openidc:debug] [pid 409:tid 140427378292480] src/util.c(2577): [client <ip>] oidc_util_hdr_table_set: Location: http://<server_hostname>:8080

Relevant config file (hostname replaced with {server_hostname}, OIDC provider replaced with {provider}):

ServerTokens Prod

ServerName {server_hostname}:8080

# Include request ID header in accesss log
LogFormat "%h %{X-Request-Id}i %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogLevel debug

<VirtualHost *:80>
    DocumentRoot /var/www/MISP/app/webroot

    ErrorDocument 401 /401.html
    ErrorDocument 403 /401.html
    ErrorDocument 500 /500.html
    ErrorDocument 503 /503.html
    ErrorDocument 504 /504.html
    Alias /401.html /var/www/html/401.shtml
    Alias /500.html /var/www/html/500.shtml
    Alias /503.html /var/www/html/503.shtml
    Alias /504.html /var/www/html/504.shtml

    <Directory /var/www/html/>
      Options +Includes
    </Directory>

    # Allow access to error page without authentication
    <LocationMatch "/(401|500).html">
        Satisfy any
    </LocationMatch>

    # Allow to access fpm-status just from localhost
    <LocationMatch "/fpm-status">
        Require local
        ProxyPass "unix:/run/php-fpm/www.sock|fcgi://127.0.0.1:9000"
    </LocationMatch>

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    DirectoryIndex /index.php index.php
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://127.0.0.1:9000"
    </FilesMatch>

    RewriteEngine On
    # Check if authkey is valid before we let apache to touch PHP
    RewriteMap authkeys "prg:/var/www/MISP/app/Console/cake user authkey_valid" apache:apache

    <Directory /var/www/MISP/app/webroot>
        Options -Indexes
        Require all granted

        # If request contains Authorization header and it is not request for fpm-status, check if authorizatzion key is valid.
        # This adds another level of protection.
        RewriteCond %{HTTP:Authorization} "^[a-zA-Z0-9]{40}$"
        RewriteCond %{REQUEST_URI} !^/fpm-status
        RewriteCond ${authkeys:%{HTTP:Authorization}|0} "!=1"
        # If authkey is not valid, return forbidden error
        RewriteRule .* - [F,L]

        # Standard MISP rules that will allow processing requests by PHP if it is not directory or file
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php?/$1 [QSA,L]
    </Directory>

    OIDCProviderMetadataURL https://{provider}/.well-known/openid-configuration
    OIDCRedirectURI http://{server_hostname}:8080/oauth2callback
    OIDCCryptoPassphrase {secret}
    OIDCClientID {secret}
    OIDCClientSecret {secret}
    OIDCDefaultURL http://{server_hostname}:8080
    OIDCCookieSameSite On
    OIDCProviderTokenEndpointAuth client_secret_jwt
    OIDCPKCEMethod S256
    OIDCScope "openid email profile"

    OIDCHTMLErrorTemplate /var/www/html/oidc.html

    # Allow access if header contains Authorization header and value in MISP format
    <If "-T req('Authorization') && req('Authorization') =~ /^[a-zA-Z0-9]{40}$/">
        Require all granted
        AuthType None
    </If>
    <Else>
        AuthType openid-connect
        Require claim "groups~misp*"
    </Else>

    TimeOut 310
    ServerSignature Off

    # Set request ID if not set from reverse proxy
    RequestHeader setifempty X-Request-Id %{UNIQUE_ID}e

    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header always set Referrer-Policy same-origin

    <Location "/webfonts/">
        # Cache for one year
        Header always set Cache-Control "max-age=31536000; immutable"
    </Location>

    # Enable brotli ouput compression
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/json application/x-font-ttf image/svg+xml
</VirtualHost>

Some things that seem weird to me:

1. There is a rule in the config to check that the groups claim of the JWT contains the string misp. It looks like it validates it, but then further down it denies, citing 'no authenticated user'
2. oidc_util_get_cookie returns null right before the error message that the cookie cannot be found. Why would the cookie be missing?

From the wiki on state cookies:

[The state cookie] is deleted when the user returns to the Apache server with an authentication response (indicating either success or failure).

Two possibilities in my mind:

1. The multiple checks against the groups claim is meaning the cookie was deleted but is then needed again for some reason
2. Redirects are not working properly (though I have checked that all the redirect urls match in the OIDC provider) and the page that is being landed on does not have the cookie that's being looked for.

I'm struggling to identify the cause of the error, any help would be greatly appreciated 🙂

[zandbelt]

Firstly, you should not run over plain HTTP...
Then there seems to be a mix of running on port 8080 (ServerName, OIDCRedirectURI) and port 80 (VirtualHost), which one should it be?
Finally, what version of the module are you on and what are you trying to achieve with OIDCCookieSameSite On?

[jamesacris]

Hi @zandbelt, thanks for the prompt response. I probably should have been clearer in my initial message, here are some more details about the deployment:

I'm using the NUKIB MISP docker image so the config is similar to what is used there. Their out-of-the-box Apache config can be found in misp.conf. Since this is a containerised deployment the server is run on port 80 in the container which maps to port 8080 on the host (see the docker compose file as an example). Regarding HTTP the intention is to deploy reverse proxy in front of MISP to handle HTTPS connections for production.

mod_auth_openidc version 2.4.9.4

The OIDCCookieSameSite On setting is one that was set in the upstream config - I believe it's to ensure the original login request originated from the same site, but I'm not exactly sure. I have tried turning it off to see if that helps, unfortunately it doesn't.

[zandbelt]

it looks like a mismatch in hostname used for accessing the application and the redirect URI; there should also be a warning about that in the logs; what is the URL that you're using in the browser to access the protected application?

[jamesacris]

Ok, I'll check to see if I can find any warnings about that in the logs.

The url I'm going to in the browser is http://host-172-16-100-82.nubes.stfc.ac.uk:8080/
It matches the first part of the redirect uri in the config which is:
OIDCRedirectURI http://host-172-16-100-82.nubes.stfc.ac.uk:8080/oauth2callback
As well as the redirect uri in the OIDC provider:
"redirectUris": [ "http://host-172-16-100-82.nubes.stfc.ac.uk:8080/oauth2callback" ],

[zandbelt]

ok, that looks good to me

[zandbelt]

upon hitting the protected website there's a redirect with an authentication request returned, including a Set-Cookie header; can you paste that header here?

[jamesacris]

Ah, I see - in which case looking at the browser trace - in the first request to the application url (before redirecting to SSO) I can see the state cookie:

Then, in the first request to the /oauth2callback url after login, there is the same state cookie, which then appears to be deleted in the response.

I checked subsequent requests made by the browser to the same endpoint, after being redirected back to the homepage, OIDC provider, etc. and there was no state cookie, only a session cookie.

[zandbelt]

is is not supposed to be calling that endpoint again once it has established a session

[jamesacris]

Yes, it only does that after the state cookie can't be found, and therefore redirects me back to the homepage. That then redirects to the OIDC provider, which thinks I'm already authenticated, and so sends me back to that endpoint again.
I still think the problem has something to do with why the oidc_util_get_cookie function is returning <null>. Is there a way to look more in depth at this that you know of?

[zandbelt]

you'll have to look into what happens after the session has been established, why is the web server not returning application content? my best guess is that the application somehow crashes/aborts on the provided authentication state which makes the browser issue another request with the same state that is invalid by then

[jamesacris]

Ok, the problem is quite possibly out of the mod_auth_openidc remit then. Thanks for your patience with this, I'll look into what could be going wrong with the application further.

[Abhikr1994]

Hey James,

I am also facing same issue.Can you tell whether you have got solution or not?

[jamesacris]

Sorry - I didn't figure it out. My approach is now to use a plugin for the underlying application itself to do OIDC rather than using Apache.