IBM-Security / mobile-access-sdk-ios

Support materials for the iOS version of the Mobile Access SDK.
Apache License 2.0

Invalid state ID error when authorizing transactions #1

Open corcoja opened 5 years ago

corcoja commented 5 years ago

Hello. Currently we're facing an issue in the latest version of the SDK when sending a request (via SDK) to authorize a transaction. We're testing this in a clustered environment which has two ISAM policy servers. It should be noted that we did not encounter any related issues in a single ISAM policy server environment.

It looks like this state ID is passed to ISAM via a Set-Cookie header field in the request, and on Android it can easily be fixed by setting a default cookie manager: CookieHandler.setDefault(new CookieManager()); Unfortunately, I couldn't get this working on iOS by using shared Cookie Storage (since the SDK most probably doesn't use it).

In my understanding, we have to set PD_STATEFUL_***** value to the Set-Cookie key in order to have the load balancer working as intended.

I'm attaching the error logs:

2018-09-28 14:48:34.222961+0300 eToken[4544:674535]     Request URL: https://*************/mga/sps/apiauthsvc?StateId=665337c6-9ff7-4921-b866-b2f7bb7e34af
2018-09-28 14:48:34.223131+0300 eToken[4544:674535]     Authorization header: Bearer sfMYylzlun1z2KPmbqVd
2018-09-28 14:48:34.223280+0300 eToken[4544:674535]     Request method: PUT
2018-09-28 14:48:34.223449+0300 eToken[4544:674535]     Request body: {"state":"665337c6-9ff7-4921-b866-b2f7bb7e34af","signedChallenge":"eqlllnCs...output_omitted...GtUyoxUl5r+A=="}
2018-09-28 14:48:34.272872+0300 eToken[4544:674536]     Response code: 400
2018-09-28 14:48:34.273076+0300 eToken[4544:674536]     Response body: {"exceptionMsg":"FBTAUT017E Authentication service received an invalid state ID [665337c6-9ff7-4921-b866-b2f7bb7e34af].","state":"","message":""}

Do you have any fixes or workarounds for this issue?
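The failure mode described in this post (state created on one policy server, the follow-up request landing on the other, and the second node rejecting the unknown state ID) can be reproduced in isolation. The model below is an added illustration, not part of corcoja's post and not SDK or ISAM code: the two in-memory "policy servers", the round-robin balancer, the `PD_STATEFUL_example` cookie name and the `node-a`/`node-b` names are constructed assumptions. It contrasts a client that discards `Set-Cookie` (as the post says the iOS SDK effectively does) with one that replays the sticky cookie so the balancer routes both requests to the same node.

```python
"""Model of a stateful authentication flow behind a two-node load balancer.

Constructed example: the nodes, the balancer and the sticky-cookie name
are assumptions made for illustration, not real ISAM behaviour or names.
"""
import itertools
import uuid
from http.cookies import SimpleCookie

STICKY_COOKIE = "PD_STATEFUL_example"  # assumed name, modelled on PD_STATEFUL_*


class PolicyServer:
    """One node that keeps authentication state only in its own memory."""

    def __init__(self, name):
        self.name = name
        self.pending_states = set()

    def start_auth(self):
        """Create a state ID and hand back a sticky Set-Cookie naming this node."""
        state_id = str(uuid.uuid4())
        self.pending_states.add(state_id)
        set_cookie = f"{STICKY_COOKIE}={self.name}; Path=/; Secure; HttpOnly"
        return state_id, set_cookie

    def authorize(self, state_id):
        """Accept the state only if this node created it (mirrors FBTAUT017E)."""
        if state_id in self.pending_states:
            self.pending_states.discard(state_id)
            return 204, ""
        return 400, (
            "FBTAUT017E Authentication service received an invalid state ID "
            f"[{state_id}]."
        )


class LoadBalancer:
    """Round-robin balancer that honours the sticky cookie when it is present."""

    def __init__(self, nodes):
        self.nodes = {node.name: node for node in nodes}
        self._round_robin = itertools.cycle(nodes)

    def route(self, cookie_header=None):
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            morsel = jar.get(STICKY_COOKIE)
            if morsel is not None and morsel.value in self.nodes:
                return self.nodes[morsel.value]
        # No usable affinity cookie: fall back to plain round robin.
        return next(self._round_robin)


def cookie_header_from_set_cookie(set_cookie_value):
    """Turn a Set-Cookie header value into the Cookie header a client would send back."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return "; ".join(f"{m.key}={m.value}" for m in jar.values())


def make_cluster():
    return LoadBalancer([PolicyServer("node-a"), PolicyServer("node-b")])


def run_flow(balancer, keep_cookies):
    """Start auth, then authorize the returned state; return the final status code."""
    first_node = balancer.route()
    state_id, set_cookie = first_node.start_auth()
    cookie_header = cookie_header_from_set_cookie(set_cookie) if keep_cookies else None
    second_node = balancer.route(cookie_header)
    status, _body = second_node.authorize(state_id)
    return status


if __name__ == "__main__":
    print("client drops Set-Cookie :", run_flow(make_cluster(), keep_cookies=False))
    print("client replays cookie   :", run_flow(make_cluster(), keep_cookies=True))
```

With strict round robin the cookie-less client fails on every run because the second request always reaches the other node; a real balancer distributing randomly would fail roughly half the time, which matches the intermittent behaviour a two-node cluster shows. The same model works for any number of nodes, since affinity is keyed on the node name carried in the cookie.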

corcoja commented 5 years ago

Any updates on this?

craigaps commented 5 years ago

ISAM needs to be configured with the distributed session cache (DSC) and have "sticky sessions" enabled. Cookies are not supported in the SDK.

richard-lennert commented 5 years ago

"When using OAuth-Auth, it's not currently possible to use the Distributed Session Cache. If your instance of WebSEAL has DSC enabled, the cookie returned in the request will override the Access token."

From this article by Philip Nye: https://philipnye.com/2014/07/29/isam-for-web-and-mobile-oauth-authentication-and-sessions/