Closed alexeisenhart closed 3 years ago
Logged in the client console:
Summary

GET https://sitename.azurewebsites.net/ep_openid_connect/callback?code={code}&state=&session_state={session state}#
[HTTP/1.1 500 Internal Server Error 331ms]

GET https://sitename.azurewebsites.net/ep_openid_connect/callback?code={code}&state={state}&session_state={session state}
Status: 500 Internal Server Error
Version: HTTP/1.1
Transferred: 512 B (75 B size)
Referrer Policy: strict-origin-when-cross-origin
Response Headers
HTTP/1.1 500 Internal Server Error
Content-Length: 75
Content-Type: text/html
ETag: W/"2a-TMqDHQ8miTnhfLD0CaBhSfNzQC8"
Server: Microsoft-IIS/10.0
Set-Cookie: express_sid={value}; Path=/; HttpOnly; Secure; SameSite=Lax
X-Powered-By: Express
X-UA-Compatible: IE=Edge,chrome=1
Referrer-Policy: same-origin
X-Powered-By: ASP.NET
Date: Tue, 13 Apr 2021 16:03:15 GMT
Request Headers
GET /ep_openid_connect/callback?code={code}&state={state}&session_state={session state}# HTTP/1.1
Host: sitename.azurewebsites.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: token={token}; ARRAffinity={value}; ARRAffinitySameSite={value}
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
I'm debugging the plugin code. The `login` request does not have the same session as the `callback` request, so processing the callback fails because the `authParams` are not available.

I tried a naive solution: `login` caches the `authParams` in an array and `callback` performs a lookup based on the `state`, then updates the session's `authParams`... but that led to a redirection issue.

After a lot of debugging and testing, I discovered the `sameSite` property in `settings.json`. The default is `"sameSite": "Lax"`. Changing this to `"sameSite": "None"` seems to have fixed my iframe embedding issue.

Closing this item. May it help someone in the future.
In case anyone got here for the same reason I did, you also get a similar behavior if you're running `"sameSite": "None"` without https (as mentioned in the documentation, the cookie will not be properly set on Etherpad). In this particular case leaving it on `"Lax"` solved the issue for me.
Hello! I'm using this plugin to authenticate with Azure Active Directory. It works perfectly if I navigate directly to my Etherpad public URL, but I get a 500 error if I try to load a page in another website that is embedding a pad. The other website is also authenticated to the same AAD.
Is there some sort of cross site issue happening perhaps?
Just in case this is not the best way to attack the problem, my goal is to secure the Etherpad site and only interact with the admin panel (for basic maintenance), embed a pad via an iframe in another site (and continue to track edits to a user), and to use the Web API to get and set a pad's HTML. If there was another secure strategy, I can move away from using AAD in Etherpad.
Here's how I'm embedding:
AAD is set up to redirect to `/ep_openid_connect/callback`. On the client side, loading the pad fails with a 500 error to `my-azure-site.com/ep_openid_connect/callback?code={code here}&state={state here}&session_state={session state here}`
Here are the server side logs: