Open WesselAtWork opened 1 year ago
Just hit the same problem using dex with github as the provider. Got HTTP 400 bad request with `http: named cookie not present` as body during the oidc flow at callback.
I'm on Firefox v110, I also tried out Chromium where the login flow works as intended.
Running into this with Firefox 120.0 (64-bit), the workaround/fix works for me as well. ArgoCD version v2.8.4+c279299
Describe the bug
I set up an OIDC dex cognito.
I tried to login with the `login via cognito` button. I put my credentials in and clicked login.
I was then met with a black html page with the only words `http: named cookie not present`
I first tried to run it on chrome and that worked flawlessly so it might be Firefox related (running v109.0)
After some digging online: this seems to happen when golang tries to access a cookie that has the wrong path set.
Looking at my browser debug tools I saw the path defined on the cookie to be `/auth`
Looking back at my current url I noticed it ending with `https://argo.url/auth/callback?code=xxxxxxxx&state=xxxxxxxxxx`
To me this should be fine?
On a whim I removed everything after the `/auth` (`https://argo.url/auth`) in the browser and I got logged in! Everything works fine!
I logged out (with argo's application logout and the cognito logout url) and tried logging back in.
THIS time I got hit with a `data length is less than nonce size` error.
I tried removing everything after `/auth` (`https://argo.url/auth`) again, this time I got booted to the app login screen, but I just clicked on `login via cognito` again, and it worked! I got logged in.
I logged out again (with argo's application logout and the cognito logout url) and tried logging in for a third time.
This time it just worked™ without fuss.
It now works no matter what I try to do to break it.
After some time it reappears but from the `data length is less than nonce size` error. I can't seem to make the `http: named cookie not present` reappear
Fix
Remove everything after the `/auth` in the URL and it should go through.
Also try to access from chrome.
Suspicion
I found these lines in the code:
https://github.com/argoproj/argo-cd/blob/4610bc831c4fd8e7fdb5903860ff5ef2148fcee7/util/oidc/oidc.go#L181-L185
Which leads directly to
https://github.com/argoproj/argo-cd/blob/4610bc831c4fd8e7fdb5903860ff5ef2148fcee7/util/oidc/oidc.go#L340-L344
So I think the bad path described in the SO is correct because I see we are not setting a path on the cookies:
https://github.com/argoproj/argo-cd/blob/4610bc831c4fd8e7fdb5903860ff5ef2148fcee7/util/oidc/oidc.go#L170-L179
And here:
https://github.com/argoproj/argo-cd/blob/4610bc831c4fd8e7fdb5903860ff5ef2148fcee7/util/oidc/oidc.go#L212-L220
The nonce error is probably some kind of state logic that isn't handled correctly or that CAN'T BE handled correctly because the code can't "find" the `argocd.oauthstate` cookie
To Reproduce
Expected behavior
Normal Auth to the argo app.
Version
Logs
Application didn't produce any logs. Appeared as a html page
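The cookie-path mechanism the report suspects can be reproduced in isolation. This is an added example, not Argo CD code and not part of the original report: a throwaway server sets the `argocd.oauthstate` cookie at a login path and reads it at a callback path, with Go's `cookiejar` standing in for the browser. The handler paths and cookie value are constructed, and the example shows only how Go produces this error text, not the root cause of this issue.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"strings"
)

const stateCookie = "argocd.oauthstate" // cookie name quoted in the issue

// callbackResult requests loginPath, then callbackPath, with one cookie jar.
// cookiePath is the Path attribute put on the state cookie ("" leaves it
// unset). All paths and the cookie value are constructed for this example.
func callbackResult(cookiePath, loginPath, callbackPath string) (status int, body string) {
	mux := http.NewServeMux()
	mux.HandleFunc(loginPath, func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: "constructed", Path: cookiePath})
	})
	mux.HandleFunc(callbackPath, func(w http.ResponseWriter, r *http.Request) {
		// r.Cookie returns http.ErrNoCookie when the client did not send it.
		if _, err := r.Cookie(stateCookie); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, "state cookie received")
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	jar, _ := cookiejar.New(nil) // applies the RFC 6265 default-path rule
	client := &http.Client{Jar: jar}
	for _, p := range []string{loginPath, callbackPath} {
		resp, err := client.Get(srv.URL + p)
		if err != nil {
			return 0, err.Error()
		}
		b, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		status, body = resp.StatusCode, strings.TrimSpace(string(b))
	}
	return status, body
}

func main() {
	fmt.Println(callbackResult("", "/auth/login", "/auth/callback")) // default path /auth matches
	fmt.Println(callbackResult("", "/auth/login", "/callback"))      // cookie is not sent
	fmt.Println(callbackResult("/", "/auth/login", "/callback"))     // explicit Path=/ is sent
}
```

With no `Path` attribute, the jar derives the cookie's path from the URL that set it, so the callback receives the cookie only when its own path falls under that prefix.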