Closed cbeach47 closed 4 years ago
The flow in AbstractOAuthV1UserStateHook helps to identify the issue:

- getUserState() L69: the oauthWebService validates the request and creates a nonce.
- getUserState() L73: getUserStateResult() throws a WebException that the user does not exist.
- TleSessionFilter L108: userService.logoutToGuest() is called. This second logout/login in turn calls getUserState() L69, and the previous nonce is cached, thus both exceptions in the logs.

@edalex-ian - do you know if there was a decision to change this auth flow in recent years?
One thought is before the code logs out to guest, remove the cached/saved nonce value, but that may weaken the OAuth implementation.
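To make the sequence above concrete, here is an added illustration in Java; it is not openEQUELLA code, and every name in it (NonceStore, UserStateHook, the two filter methods, the sample request) is a hypothetical stand-in. It models a single-use nonce that is consumed during request validation before the user is resolved, then contrasts a filter that re-enters the hook on logout-to-guest (the unknown-user failure is followed by a nonce replay failure, which surfaces as 500) with a filter that maps the unknown-user failure straight to 401 without re-validating the already-consumed request, so the nonce stays single-use.

```java
// Added illustration (not openEQUELLA code): a single-use nonce cache, a user-state
// hook that consumes the nonce before resolving the user, and two session-filter
// strategies for the unknown-user case. All class and method names are hypothetical.
import java.util.HashSet;
import java.util.Set;

public class NonceReplayDemo {

    static class UnknownUserException extends RuntimeException {
        UnknownUserException(String msg) { super(msg); }
    }

    static class NonceReplayException extends RuntimeException {
        NonceReplayException(String msg) { super(msg); }
    }

    /** Stand-in for the nonce bookkeeping done during OAuth request validation. */
    static class NonceStore {
        private final Set<String> seen = new HashSet<>();

        /** A nonce is accepted exactly once; presenting it again is treated as a replay. */
        void consume(String nonce) {
            if (!seen.add(nonce)) {
                throw new NonceReplayException("nonce already used: " + nonce);
            }
        }
    }

    static class LaunchRequest {
        final String nonce;
        final String userId;

        LaunchRequest(String nonce, String userId) {
            this.nonce = nonce;
            this.userId = userId;
        }
    }

    /** Stand-in for the user-state hook: validate the request (consuming its nonce), then look up the user. */
    static class UserStateHook {
        private final NonceStore nonces;
        private final Set<String> knownUsers;

        UserStateHook(NonceStore nonces, Set<String> knownUsers) {
            this.nonces = nonces;
            this.knownUsers = knownUsers;
        }

        String getUserState(LaunchRequest req) {
            nonces.consume(req.nonce);               // request validation records the nonce
            if (!knownUsers.contains(req.userId)) {  // user resolution fails for an unknown user
                throw new UnknownUserException("no such user: " + req.userId);
            }
            return "session:" + req.userId;
        }
    }

    /** Filter that reacts to an unknown user by logging out to guest, which re-enters the hook on the same request. */
    static int handleWithReentry(UserStateHook hook, LaunchRequest req) {
        try {
            hook.getUserState(req);
            return 200;
        } catch (UnknownUserException first) {
            try {
                hook.getUserState(req);   // nonce was consumed on the first pass, so this raises a replay exception
                return 401;
            } catch (NonceReplayException second) {
                return 500;               // the second, unexpected failure surfaces as a server error
            }
        }
    }

    /** Filter that maps the unknown-user failure to 401 directly, without re-validating a consumed request. */
    static int handleWithoutReentry(UserStateHook hook, LaunchRequest req) {
        try {
            hook.getUserState(req);
            return 200;
        } catch (UnknownUserException e) {
            return 401;
        }
    }

    public static void main(String[] args) {
        Set<String> users = new HashSet<>();
        users.add("alice");
        // Constructed sample launch request for a user the system does not know.
        LaunchRequest unknown = new LaunchRequest("nonce-1", "nobody");

        System.out.println("re-entrant filter:     "
                + handleWithReentry(new UserStateHook(new NonceStore(), users), unknown));
        System.out.println("non-re-entrant filter: "
                + handleWithoutReentry(new UserStateHook(new NonceStore(), users), unknown));

        // Replay protection itself is untouched: the same nonce is still rejected the second time.
        NonceStore store = new NonceStore();
        store.consume("nonce-2");
        try {
            store.consume("nonce-2");
        } catch (NonceReplayException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
    }
}
```

The point of keeping the second filter rather than clearing the cached nonce before logout-to-guest is that the replay check is left intact; only the decision not to re-run validation on a request that has already been consumed changes.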
Heya @cbeach47
Well, more generally on OAuth, changes were made (to classes in your above stack, especially OAuthWebServiceImpl) as part of the work for Cloud Providers in 2019.1 and also some of the Bb work. Not to mention the mega merging of plugins.
See a list of changes just on OAuthWebServiceImpl at https://github.com/openequella/openEQUELLA/commits/develop/Source/Plugins/Core/com.equella.core/src/com/tle/web/oauth/service/OAuthWebServiceImpl.java
Definitely a bit of work.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Describe the bug: Launching an LTI session with an unknown user, and configuring oEQ to present an error message, results in a 500 error instead of the expected 401 error.
Occurs at least with internal and RDS users.
This works in 6.4-QA3.
To Reproduce
Expected behavior: A 401 error should occur, which will be nicely presented to the user.
Stacktrace: The error in 6.4-QA3:
In 2019.1 / develop: