dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0
9.3k stars 1.68k forks

[k8s][gitlab] Invalid 'state' parameter provided: not found #2403

Open Chup4Chups opened 2 years ago

Chup4Chups commented 2 years ago

Preflight Checklist

Version

2.30.0

Storage Type

Kubernetes

Installation Type

Official container image

Expected Behavior

Hi guys,

I am doing a PoC with dex on Kubernetes using the example-app and our self-managed GitLab instance. I followed the documentation below:

I replaced the GitHub connector with GitLab in the ConfigMap and deployed Dex successfully. Then I started the example app successfully with the flags below:

$ example-app --issuer https://dex.example.com:32000 --issuer-root-ca ../k8s/ssl/ca.pem --redirect-uri https://dex.example.com:32000/callback --client-id $GITLAB_APPLICATION_ID  --client-secret $GITLAB_CLIENT_SECRET --debug

Actual Behavior

So far, I can access the Example App and see the GitLab connector, and the redirection goes well until I see a "Bad Request, Requested resource does not exist" (status code 400).

On the k8s side, I can see from the dex pod logs that the connection is successful but there is a "state" issue:

time="2022-02-07T12:28:05Z" level=error msg="Invalid 'state' parameter provided: not found"

Any idea where this "Invalid 'state' parameter provided: not found" comes from? I found a similar closed issue, #1466, but no solution was provided.

Configuration

connectors:
  - type: gitlab
    id: gitlab
    name: GitLab
    config:
      baseURL: https://gitops
      clientID: $GITLAB_APPLICATION_ID
      clientSecret: $GITLAB_CLIENT_SECRET
      redirectURI: https://dex.example.com:32000/callback
      useLoginAsID: false

Logs

time="2022-02-07T12:27:23Z" level=info msg="config issuer: https://dex.example.com:32000"
time="2022-02-07T12:27:23Z" level=info msg="kubernetes client apiVersion = dex.coreos.com/v1"
time="2022-02-07T12:27:23Z" level=info msg="creating custom Kubernetes resources"
[...]
time="2022-02-07T12:27:23Z" level=info msg="config storage: kubernetes"
time="2022-02-07T12:27:23Z" level=info msg="config static client: Example App"
time="2022-02-07T12:27:23Z" level=info msg="config connector: gitlab"
time="2022-02-07T12:27:23Z" level=info msg="config connector: local passwords enabled"
time="2022-02-07T12:27:23Z" level=info msg="config skipping approval screen"
time="2022-02-07T12:27:23Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-02-07T12:27:23Z" level=info msg="listening (https) on 0.0.0.0:5556"
2022/02/07 12:28:01 http: TLS handshake error from 192.168.65.3:53792: remote error: tls: unknown certificate
time="2022-02-07T12:28:05Z" level=info msg="login successful: connector \"gitlab\", username=\"John Doe\", preferred_username=\"John.Doe\", email=\"john.doe@toto.com\", groups=[\"devops-team\"]"
time="2022-02-07T12:28:05Z" level=error msg="Invalid 'state' parameter provided: not found"
time="2022-02-07T12:32:23Z" level=info msg="garbage collection run, delete auth requests=0, auth codes=3, device requests=0, device tokens=0"

sarahhenkens commented 2 years ago

I'm having the same problem with setting up a connector for Okta

nabokihms commented 2 years ago

The problem is that there is no authentication request in the storage, so authentication cannot be finished after receiving a callback. Two things that can cause such a problem:

  1. There is something with the storage. If it is Kubernetes, check the authentication request objects in your cluster by executing kubectl get authrequests -A after you were redirected to the GitLab / Okta login page.
  2. GitLab / Okta returns an invalid state in a callback request. Check your browser history and search for corresponding objects in your storage.
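
As an added illustration of the check nabokihms describes (example code, not dex's own): the provider stores an authentication request before redirecting to the IdP, and a callback is accepted only if its state resolves to one of those stored requests. The Store, AuthRequest and ErrStateNotFound names are assumptions; the garbage-collection step mirrors the GC run visible in the logs above.

```go
package main

import (
	"errors"
	"time"
)

// ErrStateNotFound mirrors the log line in the issue.
var ErrStateNotFound = errors.New("invalid 'state' parameter provided: not found")

// AuthRequest is a hypothetical stand-in for what the provider persists
// when it redirects the browser to the upstream IdP (GitLab, Okta, ...).
type AuthRequest struct {
	ClientID string
	Expiry   time.Time
}

// Store is an in-memory stand-in for dex's Kubernetes storage, keyed by state.
type Store struct {
	requests map[string]AuthRequest
	now      func() time.Time // injectable clock so expiry can be exercised
}

// BeginLogin records the request before the redirect; state is the only link back.
func (s *Store) BeginLogin(state, clientID string, ttl time.Duration) {
	s.requests[state] = AuthRequest{ClientID: clientID, Expiry: s.now().Add(ttl)}
}

// GarbageCollect drops expired requests, like the periodic GC run in the logs.
func (s *Store) GarbageCollect() (n int) {
	for state, r := range s.requests {
		if !s.now().Before(r.Expiry) {
			delete(s.requests, state)
			n++
		}
	}
	return n
}

// HandleCallback accepts a callback only if state maps to a live request this
// provider started; IdP-initiated logins, expired or collected requests,
// replays and requests written to another store all fail here as "not found".
func (s *Store) HandleCallback(state string) (AuthRequest, error) {
	r, ok := s.requests[state]
	if !ok || !s.now().Before(r.Expiry) {
		return AuthRequest{}, ErrStateNotFound
	}
	delete(s.requests, state) // one-shot: the same callback cannot be reused
	return r, nil
}
```
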

jamo4ever commented 2 years ago

Having the same issue when using Okta with SAML to ArgoCD-Dex, only when authentication is initiated from the Okta Portal side: level=error msg="Invalid 'state' parameter provided: not found"

easywang commented 11 months ago

I have the same issue, using Idaas with OAuth 2.0.

michaelRanivoEpitech commented 1 month ago

Does someone have the solution?