Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ERROR: CSRF check failed. This may happen if you opened the login form in more than 1 tabs. Please try to login again. #113

Open
kubeclever opened this issue Apr 27, 2023 · 6 comments
Labels
bug Something isn't working

Comments

@kubeclever
Copy link

Is this a bug report or feature request?

  • Bug Report

Describe the bug

I debug this issue a lot of days, but I still cannot fix it. Please help to check that, much appreciated!

The log from the pod oidc-authservice:

time="2023-04-27T07:28:32Z" level=error msg="Failed to verify state parameter: Missing cookie: 'oidc_state_csrf'" context=server ip=192.168.2.5 request="/authservice/oidc/callback?code=vwrb2ivcui775zlkyxx7rt773&state=MTY4MjU4MDQ5M3xOd3dBTkZaUFRVcFpTa0UyVDBzelEwVk5TMWhEVFVSU1NWVmFSMHRaVTBaTFVrTkpTelpZTkRaWU5qWklSRk5ZTWpkTFVGRkpVRUU9fDLENxGlWVyIw3-D963fhK05ekOT8OYqdNJZl43BdD5-"
time="2023-04-27T07:28:50Z" level=warning msg="Missing url parameter: code. Redirecting to homepage `https://authservice.xxx-dev.us.xxx.com/authservice/site/homepage'." context=server ip=192.168.2.5 request=/authservice/oidc/callback
time="2023-04-27T07:45:39Z" level=info msg="Authenticating request..." context=server ip=192.168.2.5 request=/
time="2023-04-27T07:45:39Z" level=info msg="Failed to retrieve a valid session" context="session authenticator" ip=192.168.2.5 request=/
time="2023-04-27T07:45:39Z" level=info msg="Failed to authenticate using authenticators. Initiating OIDC Authorization Code flow..." context=server ip=192.168.2.5 request=/

The log from the pod dex:

time="2023-04-27T07:28:26Z" level=info msg="performing ldap search ou=People,dc=example,dc=org sub (&(|(objectClass=person)(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(mail=kevin.zhang4@xxx.com))"
time="2023-04-27T07:28:26Z" level=info msg="username \"kevin.zhang4@xxx.com\" mapped to entry cn=kevin zhang,ou=People,dc=example,dc=org"
time="2023-04-27T07:28:26Z" level=info msg="performing ldap search ou=Groups,dc=example,dc=org sub (&(objectClass=groupOfNames)(member=cn=kevin zhang,ou=People,dc=example,dc=org))"
time="2023-04-27T07:28:26Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfNames)(member=cn=kevin zhang,ou=People,dc=example,dc=org))\" returned no groups"
time="2023-04-27T07:28:26Z" level=info msg="login successful: connector \"ldap\", username=\"kevin zhang\", preferred_username=\"\", email=\"kevin.zhang4@xxx.com\", groups=[]"
time="2023-04-27T07:49:49Z" level=info msg="performing ldap search ou=People,dc=example,dc=org sub (&(|(objectClass=person)(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(mail=kevin.zhang4@xxx.com))"
time="2023-04-27T07:49:49Z" level=info msg="username \"kevin.zhang4@xxx.com\" mapped to entry cn=kevin zhang,ou=People,dc=example,dc=org"
time="2023-04-27T07:49:49Z" level=info msg="performing ldap search ou=Groups,dc=example,dc=org sub (&(objectClass=groupOfNames)(member=cn=kevin zhang,ou=People,dc=example,dc=org))"
time="2023-04-27T07:49:49Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfNames)(member=cn=kevin zhang,ou=People,dc=example,dc=org))\" returned no groups"
time="2023-04-27T07:49:50Z" level=info msg="login successful: connector \"ldap\", username=\"kevin zhang\", preferred_username=\"\", email=\"kevin.zhang4@xxx.com\", groups=[]"

Configuration:

  • Dex: (image: gcr.io/arrikto/dex:v2.30.3-2.0-rc2-13-g3352239f8)
issuer: https://dex.xxx-dev.us.xxx.com/dex
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556

    connectors:
    - type: ldap
      name: OpenLDAP
      id: ldap
      config:
        # The following configurations seem to work with OpenLDAP:
        #
        # 1) Plain LDAP, without TLS:
        host: ldap.auth.svc.cluster.local:389
        insecureNoSSL: true
        #
        # 2) LDAPS without certificate validation:
        #host: localhost:636
        #insecureNoSSL: false
        #insecureSkipVerify: true
        #
        # 3) LDAPS with certificate validation:
        #host: YOUR-HOSTNAME:636
        #insecureNoSSL: false
        #insecureSkipVerify: false
        #rootCAData: 'CERT'
        # ...where CERT="$( base64 -w 0 your-cert.crt )"

        # This would normally be a read-only user.
        bindDN: cn=admin,dc=example,dc=org
        bindPW: Not@SecurePassw0rd

        usernamePrompt: Email Address

        userSearch:
          baseDN: ou=People,dc=example,dc=org
          filter: "(|(objectClass=person)(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))"
          username: mail
          # "DN" (case sensitive) is a special attribute name. It indicates that
          # this value should be taken from the entity's DN not an attribute on
          # the entity.
          idAttr: DN
          emailAttr: mail
          nameAttr: cn

        groupSearch:
          baseDN: ou=Groups,dc=example,dc=org
          filter: "(objectClass=groupOfNames)"

          userMatchers:
            # A user is a member of a group when their DN matches
            # the value of a "member" attribute on the group entity.
          - userAttr: DN
            groupAttr: member

          # The group name should be the "cn" value.
          nameAttr: cn

    staticClients:
    - id: ldapdexapp
      redirectURIs:
      - 'https://authservice.xxx-dev.us.xxx.com/authservice/oidc/callback'
      name: 'Dex Login Application'
      secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
  • Oidc-authservice: (image: gcr.io/arrikto/oidc-authservice:0c4ea9a)
  AUTHSERVICE_URL_PREFIX: https://authservice.xxx-dev.us.xxx.com/authservice/
  CA_BUNDLE: /home/authservice/cert/ca.pem
  GROUPS_ALLOWLIST: a,d,e,system:serviceaccounts
  OIDC_AUTH_URL: https://dex.xxx-dev.us.xxx.com/dex/auth
  OIDC_PROVIDER: https://dex.xxx-dev.us.xxx.com/dex
  OIDC_SCOPES: profile,email,groups
  SKIP_AUTH_URLS: /dex/
  STRICT_SESSION_VALIDATION: "true"

How to Reproduce

  1. I deployed istio envoyfilter and dex and oidc-authservice, they are running properly.
  2. I can get the below window to login in with my ldap credential when I try to access my domain.
    image
  3. I can get the below window after I input my username and password.
    image
  4. I got the issue shown below if I click the button "Grant Access" from the above window.
    image

Expected behavior
A clear and concise description of what you expected to happen.

Config Files
Please provide all the relevant configuration that you can publicly share. This
includes:

  • AuthService configuration.
  • OIDC Provider configuration.

If relevant, upload your configuration files here using GitHub, there is no need
to upload them to any 3rd party services

Logs
Please provide all relevant logs (e.g., AuthService logs , OIDC Provider logs,
etc.)

Environment:

  • AuthService version: (found in image tag)
  • Platform: (GKE, Azure, minikube, custom...)
  • Kubernetes version:

Additional context
Add any other context about the problem here.

@kubeclever kubeclever added the bug Something isn't working label Apr 27, 2023
@kubeclever kubeclever changed the title ERROR: Failed to retrieve a valid session context="session authenticator" ERROR: CSRF check failed. This may happen if you opened the login form in more than 1 tabs. Please try to login again. Apr 27, 2023
@nicolovergaro
Copy link

I have the same issue, were you able to solve it?

@zhangqiongjie
Copy link

@nicolovergaro
I used the service gatekeeper instead, and it worked for me.
Refer to: https://github.com/gogatekeeper/gatekeeper

@solomem
Copy link

solomem commented Aug 16, 2023

I have the same issue in cloud9 deployment

@ReggieCarey
Copy link

I'm experiencing the same issue. Is there any indication as to what's going on and how to resolve it? OIDC-AuthService appears to function for cases where the URLS are relative (like /authservice/ and /auth/) but broken if hostnames are specified - at least that's how it "looks" to me.

There was mention of needing to set cookie-domain but I do not know where this can be set (is it in the ConfigMap?)

@RakeshRaj97
Copy link

RakeshRaj97 commented Feb 19, 2024

Experiencing the same with OIDC-Authservice in Kubeflow. Any updates on this issue?

@dongsupkim-onepredict
Copy link

dongsupkim-onepredict commented Mar 6, 2024

csrf check failed.
oidc-authservice log output

image: docker.io/kubeflowmanifestswg/oidc-authservice:e236439

level=error msg="Failed to verify state parameter: Missing cookie: 'oidc_state_csrf'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

7 participants