argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Dex SSO flow fails in FireFox with `http: named cookie not present` and `data length is less than nonce size` #12188

Open WesselAtWork opened 1 year ago

WesselAtWork commented 1 year ago

Describe the bug

I set up an OIDC Dex Cognito.

I tried to login with the login via cognito button. I put my credentials in and clicked login.


I was then met with a black html page with the only words `http: named cookie not present`

I first tried to run it on chrome and that worked flawlessly so it might be FireFox related (running v109.0)

After some digging online: this seems to happen when golang tries to access a cookie that has the wrong path set.


Looking at my browser debug tools I saw the path defined on the cookie to be `/auth`

The error status code was also 400 IIRC. The cookie name was NOT the token one, it was `argocd.oauthstate`

Looking back at my current url I noticed it ending with `https://argo.url/auth/callback?code=xxxxxxxx&state=xxxxxxxxxx`

To me this should be fine?

On a whim I removed everything after the `/auth` (`https://argo.url/auth`) in the browser and I got logged in! Everything works fine!

what

I logged out (with argo's application logout and the cognito logout url) and tried logging back in.

THIS time I got hit with a `data length is less than nonce size` error.

I noticed that this time I had 2 cookies, `argocd.oauthstate` and `argocd.token`, both empty. `argocd.token` had a `/` path, `argocd.oauthstate` had a `/auth` path

I tried removing everything after `/auth` (`https://argo.url/auth`) again, this time I got booted to the app login screen, but I just clicked on login via cognito again, and it worked! I got logged in.

I logged out again (with argo's application logout and the cognito logout url) and tried logging in for a third time.


This time it just worked™ without fuss.

It now works no matter what I try to do to break it.


After some time it reappears, but with the `data length is less than nonce size` error. I can't seem to make the `http: named cookie not present` reappear

Fix

The main reason why I am making this issue thread is because I found the weird fix by accident!

Remove everything after the `/auth` in the URL and it should go through.

Also try to access from chrome.

Suspicion

I found these lines in the code:

https://github.com/argoproj/argo-cd/blob/4610bc831c4fd8e7fdb5903860ff5ef2148fcee7/util/oidc/oidc.go#L181-L185

Which leads directly to

https://github.com/argoproj/argo-cd/blob/4610bc831c4fd8e7fdb5903860ff5ef2148fcee7/util/oidc/oidc.go#L340-L344

Note the 400 `StatusBadRequest`

So I think the bad path described in the SO is correct because I see we are not setting a path on the cookies:

https://github.com/argoproj/argo-cd/blob/4610bc831c4fd8e7fdb5903860ff5ef2148fcee7/util/oidc/oidc.go#L170-L179

And here:

https://github.com/argoproj/argo-cd/blob/4610bc831c4fd8e7fdb5903860ff5ef2148fcee7/util/oidc/oidc.go#L212-L220


The nonce error is probably some kind of state logic that isn't handled correctly or that CAN'T BE handled correctly because the code can't "find" the `argocd.oauthstate` cookie


To Reproduce

Expected behavior

Normal Auth to the argo app.

Version

```
argocd: v2.5.8+bbe870f
  BuildDate: 2023-01-25T16:17:49Z
  GitCommit: bbe870ff5904dd1cebeba6c5dcb7129ce7c2b5e2
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
FATA[0000] Argo CD server address unspecified
```

The fatal error is weird...

Logs

Application didn't produce any logs. Appeared as an html page

```
http: named cookie not present
data length is less than nonce size
```
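The mechanism the report points at, as an added example in Go that is not part of the issue or of Argo CD's own code: a minimal `/auth/login` and `/auth/callback` pair that sets an AES-GCM-encrypted `argocd.oauthstate` cookie, driven by a `net/http/cookiejar` client that applies the same RFC 6265 default-path and path-match rules a browser does. Only the cookie name and the two error strings come from the issue; the handlers, the state encryption, the constructed key and the assumption that the nonce-size message comes from a length check before decryption are mine. Running it shows what each error means server-side: `r.Cookie` returns `http: named cookie not present` and the handler answers 400 whenever the browser withholds the cookie (forced here with a `Path` that does not cover the callback), and an empty cookie value, like the empty one the author observed, fails with `data length is less than nonce size` before any decryption happens.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// Cookie name from the issue; everything else is an assumed, simplified model, not Argo CD code.
const stateCookie = "argocd.oauthstate"

// newDemoAEAD builds AES-256-GCM from a constructed 32-byte key (not a real secret).
func newDemoAEAD() (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte("constructed-demo-key-32-bytes!!!"))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptState splits the AEAD nonce off the front of the cookie bytes. An empty or truncated
// value fails this length check before AES-GCM runs (assumed origin of the issue's message).
func decryptState(aead cipher.AEAD, data []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(data) < n {
		return nil, errors.New("data length is less than nonce size")
	}
	return aead.Open(nil, data[:n], data[n:], nil)
}

// oauthServer models the pair: /auth/login sets the state cookie, /auth/callback must read it back.
type oauthServer struct {
	aead       cipher.AEAD
	cookiePath string // "" leaves Path unset, so the browser applies its default-path rule
}

func (s *oauthServer) login(w http.ResponseWriter, r *http.Request) {
	buf := make([]byte, 16+s.aead.NonceSize()) // random state, followed by a random AEAD nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	state, nonce := hex.EncodeToString(buf[:16]), buf[16:]
	sealed := s.aead.Seal(nonce, nonce, []byte(state), nil) // nonce || ciphertext
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: hex.EncodeToString(sealed),
		Path: s.cookiePath, HttpOnly: true}) // Secure omitted only because httptest serves plain http
	// The identity-provider round trip is collapsed into a direct redirect (state is hex, no escaping needed).
	http.Redirect(w, r, "/auth/callback?state="+state, http.StatusSeeOther)
}

// callback answers 400 with the error text, which is the response the issue describes.
func (s *oauthServer) callback(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(stateCookie) // http.ErrNoCookie ("http: named cookie not present") if withheld
	var sealed, want []byte
	if err == nil {
		sealed, err = hex.DecodeString(c.Value)
	}
	if err == nil {
		want, err = decryptState(s.aead, sealed)
	}
	if err == nil && string(want) != r.URL.Query().Get("state") {
		err = errors.New("state mismatch")
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprint(w, "logged in")
}

// runFlow stands a cookie-jar client in for the browser and returns the callback's status and raw body.
func runFlow(aead cipher.AEAD, cookiePath string) (int, string, error) {
	s := &oauthServer{aead: aead, cookiePath: cookiePath}
	mux := http.NewServeMux()
	mux.HandleFunc("/auth/login", s.login)
	mux.HandleFunc("/auth/callback", s.callback)
	srv := httptest.NewServer(mux)
	defer srv.Close()
	jar, _ := cookiejar.New(nil) // the jar applies RFC 6265 default-path and path-match rules
	resp, err := (&http.Client{Jar: jar}).Get(srv.URL + "/auth/login")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	aead, _ := newDemoAEAD() // constructed fixed-length key, cannot fail
	fmt.Println(runFlow(aead, "")) // also try "/" and "/auth/login"
}
```

With `Path` unset, the jar (like a browser) defaults the cookie path to `/auth` because the cookie was set on `/auth/login`, so `/auth/callback` still matches and the flow completes; `Path: "/"` also completes, while `Path: "/auth/login"` makes the jar withhold the cookie and the callback answers 400 with `http: named cookie not present`. Setting the path explicitly removes the dependency on which URL happened to set the cookie. The block does not reproduce the Firefox-specific behaviour in the report; it only shows what each of the two errors means on the server side.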
frealmyr commented 1 year ago

Just hit the same problem using dex with github as the provider. Got HTTP 400 bad request with `http: named cookie not present` as body during the oidc flow at callback.

I'm on Firefox v110, I also tried out Chromium where the login flow works as intended.

KellenRenshaw commented 7 months ago

Running into this with Firefox 120.0 (64-bit), the workaround/fix works for me as well. ArgoCD version v2.8.4+c279299