JetBrains / teamcity-azure-active-directory

TeamCity plugin which supports authentication via Microsoft Azure Active Directory
Apache License 2.0

400 Marked request as unauthenticated since retrieved JWT 'nonce' claim doesn't correspond to current TeamCity session. #49

Closed vladimirglazkov closed 4 years ago

vladimirglazkov commented 4 years ago

TeamCity Enterprise 2020.1.1 (build 78657)

I've tried to use both URLs:
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{tenant_id}/oauth2/authorize

TC is located behind Nginx. Configured this way: https://www.jetbrains.com/help/teamcity/how-to.html#HowTo...-Commonmisconfigurations

It works fine with the previous release - TeamCity Enterprise 2020.1 (build 78475)

SithVicious commented 4 years ago

Unfortunately having this issue too. Hosted behind IIS proxy

Jevonius commented 4 years ago

We're also seeing this, with an IIS proxy. Reverting to 2020.1 fixed it. Have tried the updated snapshot version released on 5th June with no joy.

IlyaFomenko commented 4 years ago

I've created the bug in our YouTrack. Please, watch it to get all future updates.

DerDreschner commented 4 years ago

I have a little workaround for the issue as long as there is no updated version of the plugin. Change the sameSiteCookies="lax" attribute to sameSiteCookies="none" inside the TeamCity/webapps/ROOT/META-INF/context.xml file and restart the server. Works fine for me and my team. All possible values for the sameSiteCookie attribute are documented here: https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html

SithVicious commented 4 years ago

> I have a little workaround for the issue as long as there is no updated version of the plugin. Change the sameSiteCookies="lax" attribute to sameSiteCookies="none" inside the TeamCity/webapps/ROOT/META-INF/context.xml file and restart the server. Works fine for me and my team. All possible values for the sameSiteCookie attribute are documented here: https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html

Brilliant! Thank you David for this workaround, I can confirm it worked for me.

musmuris commented 4 years ago

UPDATE: Ignore this

~We upgraded last night and have the same issue. Tried the same as above but now it gives 403 Forbidden: Responding with 403 status code due to failed CSRF check: authenticated POST request is made, but neither tc-csrf-token parameter nor X-TC-CSRF-Token header are provided.. For a temporary workaround, you can set internal property teamcity.csrf.paranoid=false and provide valid Origin=https://teamcity.morar.co header with your request~

musmuris commented 4 years ago

The new plugin mentioned in https://youtrack.jetbrains.com/issue/TW-66625 works for us. Just installed latest and it's back.
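
A check for whether the `sameSiteCookies="none"` workaround from earlier in this thread is still in place, as an added example that is not code from the thread or the plugin. It reads the attribute from a `context.xml` body and flags `none`, the value that makes browsers send the session cookie on cross-site requests. The function name, finding labels and sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples, not TeamCity's shipped file: only the attribute under discussion.
SAMPLE_DEFAULT = '<Context><CookieProcessor sameSiteCookies="lax"/></Context>'
SAMPLE_WORKAROUND = '<Context><CookieProcessor sameSiteCookies="None"/></Context>'
SAMPLE_MISSING = "<Context/>"

# Values the Tomcat 8.5 CookieProcessor documentation lists for sameSiteCookies.
FINDINGS = {
    "strict": "OK",
    "lax": "OK",
    # Session cookie is sent on every cross-site request, including POSTs.
    "none": "WORKAROUND_ACTIVE",
    # Tomcat adds no SameSite attribute; the browser's own default applies.
    "unset": "BROWSER_DEFAULT",
}


def audit_same_site(context_xml):
    """Return (normalized sameSiteCookies value, finding) for a context.xml body."""
    root = ET.fromstring(context_xml)
    processor = root.find("CookieProcessor")
    # Tomcat documents "unset" as the default when the attribute is absent.
    raw = "unset" if processor is None else processor.get("sameSiteCookies", "unset")
    value = raw.strip().lower()  # assumption: values are compared case-insensitively
    return value, FINDINGS.get(value, "INVALID_VALUE")


if __name__ == "__main__":
    # Usage (script name is hypothetical):
    #   python audit.py TeamCity/webapps/ROOT/META-INF/context.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(audit_same_site(fh.read()))
    else:
        for sample in (SAMPLE_DEFAULT, SAMPLE_WORKAROUND, SAMPLE_MISSING):
            print(audit_same_site(sample))
```

A `WORKAROUND_ACTIVE` result after the updated plugin is installed means the attribute can go back to `lax`.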