search

AzureAD / passport-azure-ad

The code for Passport Azure AD has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/passport-azure-ad
Other
422 stars 176 forks source link

Invalid state possibly due to malformed JSON in session store #510

Closed creising closed 3 years ago

creising commented 4 years ago

I think there are already a couple of issues that talk about instances where people are seeing random messages stating: In collectInfoFromReq: missing state in the request and In collectInfoFromReq: invalid state received in the request. The two I know about are 390 and 423. We also started running into the same issue where, at random, we would see this same message. We're using redis as our session store, and during one of these occurrences I took a look at the data for the corresponding session and noticed this entry in the array tied to the id:

\"OIDC: xxx-xxx-xxx-xxx-xxx\":{\"content\":[{\"state\":\"CUSTOMHaP_JCPKrce\":\"WkmVzrsPxzE5f5EjLYq8cjCrsdOA_tkt\",\"timeStamp\":1597691945829}

It looks like the first object in this array has a quoted : in its state value which I suspect is causing issues when someone attempts to parse this object (I assume this is happening when session reads this back out of the store and assigns the data to the corresponding request.session). My theory is the parsing is failing, the corresponding data is not getting populated making it look like, to the library, that this state does not exist at all.

I am not sure how this entry got there as this is extremely difficult to recreate, but maybe this additional information will inspire some an idea. I also noticed this mystery entry does not have a nonce assigned to it either which was also a little curious since the second object in this array does.

gritschf commented 4 years ago

having the same issue right now

SigurdMW commented 4 years ago

I'm seeing the same issue from time to time, but not able to reproduce consistently. We're also using redis as a session storage (in Azure), with the connect-redis package

jeffwilcox commented 4 years ago

Using Cosmos for my sessions, and hitting this sometimes, I think (?). I thought it was SameSite cookie problems for a bit. Tough to debug all this.

pkanher617 commented 3 years ago

Hi all, is this still an issue in the latest version of passport-azure-ad? We are currently in the design phase of a new version of this library, which can be tracked here. The timeline for the new library will be uploaded to our MSAL JS repo.

We will ensure to cover issues with state in the design phase here.

sameerag commented 3 years ago

As mentioned above, we plan to pick this up in the new version of middleware which will be picked up soon. Closing this. For any new issues, please raise them at MSAL JS Repo for us to track.