qwc-services / qwc-oidc-auth

QWC authentication service with OpenID Connect (OIDC)
MIT License

Mismatching state error #1

Open Flowake opened 1 year ago

Flowake commented 1 year ago

Thanks for the awesome work with QWC and this implementation of the OIDC authentication protocol.

I'm trying to use this authentication method with an AzureAD OIDC application. It seems to work except that it always raises an error on the first authentication.

Steps to reproduce

Bug

It raises the following error:

qwc-docker-qwc-auth-service-1 |   File "/srv/qwc_service/./server.py", line 113, in callback
qwc-docker-qwc-auth-service-1 |     token = oidc.authorize_access_token()
qwc-docker-qwc-auth-service-1 |   File "/usr/lib/python3.9/site-packages/authlib/integrations/flask_client/apps.py", line 102, in authorize_access_token
qwc-docker-qwc-auth-service-1 |     params = self._format_state_params(state_data, params)
qwc-docker-qwc-auth-service-1 |   File "/usr/lib/python3.9/site-packages/authlib/integrations/base_client/sync_app.py", line 234, in _format_state_params
qwc-docker-qwc-auth-service-1 |     raise MismatchingStateError()
qwc-docker-qwc-auth-service-1 | authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.

Investigation so far

I cloned the repository and changed the docker compose to build the image from the cloned repository. Then I added new logging statements in the callback function, and I dug into authlib to understand what happens.

The issue seems to be that all the data set in the session ("target_url" and "_state_default_XXXXXXXXX") in the login function has disappeared in the callback function that is called after logging in.

In the map viewer, after failing to login the first time, if I go back to the map viewer and try login again, it will succeed, and the session will have two different "_state_default_XXXXXXXXX" keys (the one from the first failed attempt and the one from the successful second attempt).

For the qwc_admin panel, after failing the first time, if I go back to the /qwc_admin/ endpoint it will produce an error "Too many redirects".

If you have any ideas on how to solve this I would happily try them and submit a PR if I get it to work.

rsrg-zwiama commented 11 months ago

Hi @Flowake Is this still an issue for you? I had a similar state error and easily fixed it by using environment variables: JWT_COOKIE_SAMESITE: 'Lax' (in the docker compose example it is set to 'Strict') or just don't set the env, the service uses 'Lax' by default.
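The mechanism behind the tip above (and behind the "session data has disappeared in the callback" observation in the first comment) is the browser's SameSite cookie rule: the redirect from the identity provider back to `/callback` is a cross-site, top-level navigation, on which browsers send `SameSite=Lax` cookies but withhold `SameSite=Strict` ones. Without the session cookie, the service cannot find the `state` it stored at login, and authlib's CSRF check fails. The following is an added, self-contained model of that flow written for this thread; it is not code from qwc-oidc-auth or authlib. The hostnames, the `Browser`/`AuthService` classes and the session key names are assumptions for the illustration, and the cookie-jar logic is deliberately reduced to the one rule that matters here.

```python
"""Model of why SameSite=Strict breaks the OIDC state check (added example).

Simulates the three hops of the Authorization Code flow:
  1. GET /login   -> service stores a random `state` in a server-side session,
                     sets the session cookie, redirects the browser to the IdP
  2. the IdP (a different site) redirects the browser back to /callback?state=...
  3. /callback    -> compares the `state` in the query with the one in the session
Hop 2 is a cross-site top-level navigation: Lax cookies are sent, Strict are not.
"""
import secrets
from dataclasses import dataclass, field

SERVICE_HOST = "qwc.example.org"    # assumed hostname of the auth service
IDP_HOST = "login.idp.example.com"  # assumed hostname of the OIDC provider


class MismatchingStateError(Exception):
    """Stands in for authlib's MismatchingStateError."""


@dataclass
class Cookie:
    value: str
    samesite: str  # "Strict", "Lax" or "None"


@dataclass
class Browser:
    """Minimal cookie jar applying the SameSite rule for top-level GET navigations."""
    jar: dict = field(default_factory=dict)  # host -> {cookie name -> Cookie}

    def set_cookie(self, host, name, cookie):
        self.jar.setdefault(host, {})[name] = cookie

    def cookies_for(self, target_host, initiator_host):
        """Cookies attached to a top-level GET of target_host that was
        initiated (e.g. via redirect) from initiator_host."""
        same_site = initiator_host == target_host
        sent = {}
        for name, c in self.jar.get(target_host, {}).items():
            if c.samesite == "Strict" and not same_site:
                continue  # Strict cookies are withheld on cross-site navigations
            sent[name] = c.value  # Lax and None cookies ride along on top-level GETs
        return sent


class AuthService:
    """Toy auth service with server-side sessions keyed by a session cookie."""

    def __init__(self, samesite):
        self.samesite = samesite
        self.sessions = {}  # session id -> session dict

    def login(self, browser):
        sid = secrets.token_urlsafe(16)
        state = secrets.token_urlsafe(16)
        # Assumed session keys, modelled on the ones named in the issue.
        self.sessions[sid] = {"_state_default": state, "target_url": "/map"}
        browser.set_cookie(SERVICE_HOST, "session", Cookie(sid, self.samesite))
        return f"https://{IDP_HOST}/authorize?state={state}"  # cross-site redirect

    def callback(self, browser, state_from_query, initiator_host):
        cookies = browser.cookies_for(SERVICE_HOST, initiator_host)
        session = self.sessions.get(cookies.get("session"), {})
        if session.get("_state_default") != state_from_query:
            # No session cookie arrived, so the stored state cannot be found.
            raise MismatchingStateError(
                "CSRF Warning! State not equal in request and response.")
        return session["target_url"]


def run_flow(samesite):
    """Return the post-login target URL, or the error message if the state check fails."""
    browser = Browser()
    service = AuthService(samesite)
    authorize_url = service.login(browser)
    state = authorize_url.split("state=")[1]  # the IdP echoes state back unchanged
    try:
        return service.callback(browser, state, initiator_host=IDP_HOST)
    except MismatchingStateError as e:
        return str(e)


if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(f"SameSite={mode}: {run_flow(mode)}")
```

Running it shows the Lax flow landing on `/map` while the Strict flow reproduces the "CSRF Warning! State not equal" failure, even though nothing is wrong with the state value itself. The state check is doing its job as a CSRF defence; the fix is to let the session cookie accompany the top-level redirect (Lax), not to weaken the check.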

pka commented 11 months ago

I've completely missed that issue, sorry! I'm currently on holiday and can't investigate your findings, but maybe @rsrg-zwiama's tip already helps you? What I can say so far is that we are using qwc-oidc-auth with Azure AD and we didn't observe this problem.