state from argument does not match state restored from session

[LuanP]

Hi,

I'm facing an issue when I follow the steps:

1. Access a protected route
2. I'm redirected to the login page
3. Open new tab
4. Access a protected route
5. I'm redirected to the login page
6. Go to the first opened tab
7. Type user credentials and perform the login
8. I'm redirected to the callback URL with the message "state from argument: xxx does not match state restored from session: xxx"

Although, the user is logged in (if I try accessing a protected route again, it works normally).

2019/03/14 23:39:44 [error] 120#0: *15122 [lua] openidc.lua:1042: authenticate(): state from argument: e308653d5e92e20a9b93d884c0578cf0 does not match state restored from session: d24508a745b72ca268f972c18989845d, client: 172.18.0.1, server: kong, request: "GET /backend/callback?code=eb17492643e14a1d9e3625a602fbd5d5&state=e308653d5e92e20a9b93d884c0578cf0&session_state=36fe60501ebbb9a1cd2749e335121a979318447160b4929fe91aa3ee152cb0bd.c9e1dfcb9a191e79d9967ff806a4c674 HTTP/1.1", host: "localhost:8000", referrer: "http://localhost:8000/login/?next=/openid/authorize%3Fresponse_type%3Dcode%26client_id%3D227868%26state%3De308653d5e92e20a9b93d884c0578cf0%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8000%252Fbackend%252Fcallback%26nonce%3Dc89e407690370d562576559007a5eb18%26scope%3Dopenid"

Is there someone with the same issue?

Can you help me with that?

Extra info:

• I'm using a django app as the provider with the django-oidc-provider library
• I have fixed the session_secret after reading some other issues here (login/logout works normally, it's just this unusual scenario for what I could notice)

Thanks a lot,

Kind regards.

[zandbelt]

This is caused by the behavior of lua-resty-openidc and a consequence of a design decision made there, i.e. to start a (single) session to track the user even before authentication actually occurred. So the secondly started request eclipses/overwrites the first request. @bodewig I don't think we will change that, thus we will not support this scenario, agreed? (e.g. mod_auth_openidc handles this scenario with per-request state cookies which end up creating their own difficulties)

[LuanP]

Hi @zandbelt,

Thanks a lot for the fast reply.

I know it's a specific scenario with a weird but possible user behavior.

In case you know some workaround for that issue without having to implement a different RP, that'd be great.

Thanks again for taking the time to explain that.

[LuanP]

A workaround for that was to set the recovery_page_path to the homepage.