Bad request: Cookies missing on callback to redirect URI in Firefox (and sometimes in Chrome) #1033

lycheese · 2023-03-10T18:34:33Z

lycheese
Mar 10, 2023

I recently set up a second vhost for a different subdomain with the same settings as the working main configuration. When I try to complete the auth flow I get redirected to Keycloak for login and then back to the redirect URI. However, it always fails with a bad request at this point in Firefox (it inconsistently happens in Chrome; Firefox private windows have so far been unaffected). It is however possible to just navigate to the base-url of the app in the same window manually and it succeeds.

When comparing the attempts where it succeeds in Firefox private windows/Chrome with the ones that fail in normal Firefox the main difference is that no cookies are sent in the request to the redirect URI.
However, the same browser where the staging. flow is met with a bad request response, works fine for the main non-staging . Which makes no sense to me since the config is identical save for the ServerName and the ports on the ProxyPass...
I've tried deleting cache and cookies and disabling every extension but no luck so far.

Excerpt from httpd.conf

<VirtualHost *:443>
    ServerName staging.<app-domain>

    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile <fullchain.pem>
    SSLCertificateKeyFile <privkey.pem>

    ProxyPreserveHost on
    ProxyPass "/" "http://localhost:4000/"
    ProxyPassReverse "/" "http://localhost:4000/"

    # Handling websockets
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://localhost:4000/$1" [P,L]

    # Keycloak
    OIDCProviderMetadataURL https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration
    OIDCRedirectURI /auth/callback
    OIDCCryptoPassphrase <passphrase>
    OIDCClientID <client>
    OIDCClientSecret <secret>

    OIDCOutgoingProxy <proxy>

    OIDCRemoteUserClaim preferred_username
    OIDCScope "openid email"

    <Location ~ "^/api/(kc|swagger|logout)">
        AuthType none
    </Location>

    <Location ~ "^/(?!api/kc|api/swagger|api/logout)">
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName <app-domain>

    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile <fullchain.pem>
    SSLCertificateKeyFile <privkey.pem>

    ProxyPreserveHost on
    ProxyPass "/" "http://localhost:3000/"
    ProxyPassReverse "/" "http://localhost:3000/"

    # Handling websockets
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://localhost:3000/$1" [P,L]

    # Keycloak
    OIDCProviderMetadataURL https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration
    OIDCRedirectURI /auth/callback
    OIDCCryptoPassphrase <passphrase>
    OIDCClientID <client>
    OIDCClientSecret <secret>

    OIDCOutgoingProxy <proxy>

    OIDCRemoteUserClaim preferred_username
    OIDCScope "openid email"

    <Location ~ "^/api/(kc|swagger|logout)">
        AuthType none
    </Location>

    <Location ~ "^/(?!api/kc|api/swagger|api/logout)">
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

Debug log

[Fri Mar 10 19:22:55.027775 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/mod_auth_openidc.c(4048): [client 193.174.53.85:24341] oidc_check_user_id: incoming request: "/?(null)", ap_is_initial_req(r)=1
[Fri Mar 10 19:22:55.027842 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.027847 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.027851 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(704): [client 193.174.53.85:24341] oidc_get_redirect_uri: determined absolute redirect uri: https://staging.<domain>/auth/callback
[Fri Mar 10 19:22:55.027864 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_state_nczCuh-skMbGqx37zgB3TcpLjgQ=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..jehh_lAlcq8Nm7ts.6J1sPK27DANn4nEtmMCVfBFD3MG9FpP8Zpjn_14M4zIRf9KYdwyR8gLrsh4kR2PTxNrj4i-uymGTLfREpkYoTwZpZvEF2WEshPvNWAU8UAos7AUtwYBaQ88dJhCX2DJ_nym6rG8DkZ2E2a4q41_MVrDGzw9hAa6NZzenJL-lcg-Dk27_dceQ35Jk0DkTVA98wHmvUZTV49G5bgP0s1puiyJ6bkyRAyA-lFbp0wtZhqCa967Di7ER3yaR-SK0EAkV0GWVWYxZuB-BEU3pcBYHLEtp-zwkqBGm1OulBNFv57brcELfeDcfuCRnP5A53fOAHuoW_M56bo7l6WLl7obE-c12Xh020ZQNeaztXN-UfYRc9-Gy_XLx8WzEwv4cVNcdvFz1cMoVAb68lCLMrG8A5I2scha80GoBSClSB5bZN1ifTg5qm51lMCKvlE-oCoI75kTYrSdj.CDjF2ReGcPwX5wbSL4OAWg; mod_auth_openidc_state_fDt-oV-5CTJhaOpLKQvQkU9UBCs=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..194uFwfwDHwOb2aI.zoI_hRuV9esShbxBn_xBm2c7UYXF8qHoqPTm_2Aeqm2uf93-GfwyyN2KEbKJKrbP9PS6maZNNsULle73e4DiMjxcpM-bktipt7B2dNNW53_SHSTZ4hvpAt_F20wEYH4jzVWbAPT3r3vC9SDo-UPxskTx1dmIYrxrZ-OyqHotmWmYHTBWPrh0_CP8QIw6Aoaa7PtxYVIFo-cG_EhfK8Cqx__FjzBShOiP1kvi_PlFlgEGosngV3QnyfjPkkJfmtp5zeDr_Ix2Uhb-ucB3Y4nCENME6Z4f12zW01Z2B_GVnfT33yPx0Vk26O9YQjkCcCjQQPxiHQqVEJhDJ94S6zKE1lAl7Yy01QhqyjtLcg_orV074qshITR68JyphySRmam_1nMig4FR3QASRLeoqJacUZQ9pFaQ8wJbdsSD78LhLa3xBmC6kqc0vTOehwpvYPaws5f0EUzN.FCNG_24x2rQmbpBdhK0ZDw
[Fri Mar 10 19:22:55.027878 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(1281): [client 193.174.53.85:24341] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>
[Fri Mar 10 19:22:55.027882 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.027885 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.027888 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(704): [client 193.174.53.85:24341] oidc_get_redirect_uri: determined absolute redirect uri: https://staging.<domain>/auth/callback
[Fri Mar 10 19:22:55.027893 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(1443): [client 193.174.53.85:24341] oidc_util_request_matches_url: comparing "/"=="/auth/callback"
[Fri Mar 10 19:22:55.027904 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Sec-Fetch-Mode=navigate
[Fri Mar 10 19:22:55.027907 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Sec-Fetch-Mode=navigate
[Fri Mar 10 19:22:55.027910 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Sec-Fetch-Dest=document
[Fri Mar 10 19:22:55.027913 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Sec-Fetch-Dest=document
[Fri Mar 10 19:22:55.027916 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[Fri Mar 10 19:22:55.027921 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.027927 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.027931 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(685): [client 193.174.53.85:24341] oidc_get_current_url: current URL 'https://staging.<domain>/'
[Fri Mar 10 19:22:55.027934 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/mod_auth_openidc.c(2258): [client 193.174.53.85:24341] oidc_authenticate_user: enter
[Fri Mar 10 19:22:55.027939 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/cache/common.c(272): [client 193.174.53.85:24341] oidc_cache_get: enter: https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration (section=p, decrypt=0, type=shm)
[Fri Mar 10 19:22:55.028355 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/cache/common.c(306): [client 193.174.53.85:24341] oidc_cache_get: cache miss from shm cache backend for key https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration
[Fri Mar 10 19:22:55.028362 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(816): [client 193.174.53.85:24341] oidc_util_http_query_encoded_url: url=https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration
[Fri Mar 10 19:22:55.028368 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(859): [client 193.174.53.85:24341] oidc_util_http_call: url=https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration, data=(null), content_type=(null), basic_auth=null, bearer_token=(null), ssl_validate_server=1, timeout=5, outgoing_proxy=http://<proxy>:80, pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
[Fri Mar 10 19:22:55.052007 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(1052): [client 193.174.53.85:24341] oidc_util_http_call: HTTP response code=200
[Fri Mar 10 19:22:55.052055 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(1057): [client 193.174.53.85:24341] oidc_util_http_call: response={"issuer":"https://<keycloak-domain>/realms/<realm>","authorization_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/auth","token_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/token","introspection_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/userinfo","end_session_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/logout","frontchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"jwks_uri":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/certs","check_session_iframe":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba"],"acr_values_supported":["0","1"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],"registration_endpoint":"https://<keycloak-domain>/realms/<realm>/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":true,"scopes_supported":["openid","email","profile","acr","Realm_Roles","roles","web-origins","address","phone","microprofile-jwt","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"revocation_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/revoke","revocation_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"device_authorization_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/auth/device","backchannel_token_delivery_modes_supported":["poll","ping"],"backchannel_authentication_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/ext/ciba/auth","backchannel_authentication_request_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512"],"require_pushed_authorization_requests":false,"pushed_authorization_request_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/ext/par/request","mtls_endpoint_aliases":{"token_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/token","revocation_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/revoke","introspection_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/token/introspect","device_authorization_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/auth/device","registration_endpoint":"https://<keycloak-domain>/realms/<realm>/clients-registrations/openid-connect","userinfo_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/userinfo","pushed_authorization_request_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/ext/par/request","backchannel_authentication_endpoint":"https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/ext/ciba/auth"}}
[Fri Mar 10 19:22:55.053309 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/cache/common.c(329): [client 193.174.53.85:24341] oidc_cache_set: enter: https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration (section=p, len=6383, encrypt=0, ttl(s)=86399, type=shm)
[Fri Mar 10 19:22:55.053400 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/cache/common.c(355): [client 193.174.53.85:24341] oidc_cache_set: successfully stored 6383 bytes in shm cache backend for key https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration
[Fri Mar 10 19:22:55.053437 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/proto.c(69): [client 193.174.53.85:24341] oidc_proto_generate_random_bytes: apr_generate_random_bytes call for 32 bytes
[Fri Mar 10 19:22:55.053451 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/proto.c(71): [client 193.174.53.85:24341] oidc_proto_generate_random_bytes: apr_generate_random_bytes returned
[Fri Mar 10 19:22:55.053462 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.053465 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.053469 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(704): [client 193.174.53.85:24341] oidc_get_redirect_uri: determined absolute redirect uri: https://staging.<domain>/auth/callback
[Fri Mar 10 19:22:55.053473 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(1443): [client 193.174.53.85:24341] oidc_util_request_matches_url: comparing "/"=="/auth/callback"
[Fri Mar 10 19:22:55.053479 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/mod_auth_openidc.c(209): [client 193.174.53.85:24341] oidc_get_browser_state_hash: enter
[Fri Mar 10 19:22:55.053487 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0
[Fri Mar 10 19:22:55.053502 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2380): [client 193.174.53.85:24341] oidc_util_create_symmetric_key: key_len=32
[Fri Mar 10 19:22:55.053603 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_state_nczCuh-skMbGqx37zgB3TcpLjgQ=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..jehh_lAlcq8Nm7ts.6J1sPK27DANn4nEtmMCVfBFD3MG9FpP8Zpjn_14M4zIRf9KYdwyR8gLrsh4kR2PTxNrj4i-uymGTLfREpkYoTwZpZvEF2WEshPvNWAU8UAos7AUtwYBaQ88dJhCX2DJ_nym6rG8DkZ2E2a4q41_MVrDGzw9hAa6NZzenJL-lcg-Dk27_dceQ35Jk0DkTVA98wHmvUZTV49G5bgP0s1puiyJ6bkyRAyA-lFbp0wtZhqCa967Di7ER3yaR-SK0EAkV0GWVWYxZuB-BEU3pcBYHLEtp-zwkqBGm1OulBNFv57brcELfeDcfuCRnP5A53fOAHuoW_M56bo7l6WLl7obE-c12Xh020ZQNeaztXN-UfYRc9-Gy_XLx8WzEwv4cVNcdvFz1cMoVAb68lCLMrG8A5I2scha80GoBSClSB5bZN1ifTg5qm51lMCKvlE-oCoI75kTYrSdj.CDjF2ReGcPwX5wbSL4OAWg; mod_auth_openidc_state_fDt-oV-5CTJhaOpLKQvQkU9UBCs=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..194uFwfwDHwOb2aI.zoI_hRuV9esShbxBn_xBm2c7UYXF8qHoqPTm_2Aeqm2uf93-GfwyyN2KEbKJKrbP9PS6maZNNsULle73e4DiMjxcpM-bktipt7B2dNNW53_SHSTZ4hvpAt_F20wEYH4jzVWbAPT3r3vC9SDo-UPxskTx1dmIYrxrZ-OyqHotmWmYHTBWPrh0_CP8QIw6Aoaa7PtxYVIFo-cG_EhfK8Cqx__FjzBShOiP1kvi_PlFlgEGosngV3QnyfjPkkJfmtp5zeDr_Ix2Uhb-ucB3Y4nCENME6Z4f12zW01Z2B_GVnfT33yPx0Vk26O9YQjkCcCjQQPxiHQqVEJhDJ94S6zKE1lAl7Yy01QhqyjtLcg_orV074qshITR68JyphySRmam_1nMig4FR3QASRLeoqJacUZQ9pFaQ8wJbdsSD78LhLa3xBmC6kqc0vTOehwpvYPaws5f0EUzN.FCNG_24x2rQmbpBdhK0ZDw
[Fri Mar 10 19:22:55.053625 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(199): [client 193.174.53.85:24341] oidc_util_jwt_verify: enter: JWT header={"alg": "dir", "enc": "A256GCM"}
[Fri Mar 10 19:22:55.053630 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2380): [client 193.174.53.85:24341] oidc_util_create_symmetric_key: key_len=32
[Fri Mar 10 19:22:55.053663 2023] [auth_openidc:warn] [pid 605356:tid 140251791177472] [client 193.174.53.85:24341] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_nczCuh-skMbGqx37zgB3TcpLjgQ) has expired (original_url=https://staging.<domain>/)
[Fri Mar 10 19:22:55.053672 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(1171): [client 193.174.53.85:24341] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
[Fri Mar 10 19:22:55.053676 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2643): [client 193.174.53.85:24341] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_state_nczCuh-skMbGqx37zgB3TcpLjgQ=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=staging.<domain>; Secure; HttpOnly; SameSite=None
[Fri Mar 10 19:22:55.053686 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(199): [client 193.174.53.85:24341] oidc_util_jwt_verify: enter: JWT header={"alg": "dir", "enc": "A256GCM"}
[Fri Mar 10 19:22:55.053690 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2380): [client 193.174.53.85:24341] oidc_util_create_symmetric_key: key_len=32
[Fri Mar 10 19:22:55.053736 2023] [auth_openidc:warn] [pid 605356:tid 140251791177472] [client 193.174.53.85:24341] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_fDt-oV-5CTJhaOpLKQvQkU9UBCs) has expired (original_url=https://staging.<domain>/)
[Fri Mar 10 19:22:55.053743 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(1171): [client 193.174.53.85:24341] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
[Fri Mar 10 19:22:55.053747 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2643): [client 193.174.53.85:24341] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_state_fDt-oV-5CTJhaOpLKQvQkU9UBCs=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=staging.<domain>; Secure; HttpOnly; SameSite=None
[Fri Mar 10 19:22:55.053759 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(1171): [client 193.174.53.85:24341] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
[Fri Mar 10 19:22:55.053765 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2643): [client 193.174.53.85:24341] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_state_3bmgerau94wbXuVa3J-k70pYpbI=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..yi_TEDQLNyfOmT7X.9ZRHOs9ZwutL-yuLiFx17S4kY4d6HKGAezTAu5T79C6L5ZvUb7ZO7BeyQTRu5SOXGXEP4_0jL_07JHPfgeXpwUkf96X1uTh5OJY2UCOoQyf-5ynSQTiLCZCbEu1ysSalojZEJ1br6Y-Co34pzQ_kynvBIpUreLBEv3UpHWVDLxVFZcXU_2HeVX8CBsSP_76uTTkt0dUUJv8P3xnfT7xK6QaHGO4pwfVnHDxoJ7HLYccO7yXmW1zp_A5c8cLRjURm8JpfagUf18ocmduR0y75pfKOcK8tpsXR2PO20FFfhVj3yn6Kivz0aX9wt-i1HM18qdY1OEKXNiT1usygTzelkMPhRt7KOJpqDCdpmY8RCZBix7q7FWpAafnks9_qDcHAtotdRouAmE9q_E0oYSXznfYMjHzMvmB8MbqLonJA9Rd5Jj57T6q7IHCtK2RTML74cbZ4lSnI._bIwHDHgTheLC4-rilUuyA; Path=/; Domain=staging.<domain>; Secure; HttpOnly; SameSite=None
[Fri Mar 10 19:22:55.053771 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.053774 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.053782 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(704): [client 193.174.53.85:24341] oidc_get_redirect_uri: determined absolute redirect uri: https://staging.<domain>/auth/callback
[Fri Mar 10 19:22:55.053786 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.053789 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2565): [client 193.174.53.85:24341] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.053792 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(704): [client 193.174.53.85:24341] oidc_get_redirect_uri: determined absolute redirect uri: https://staging.<domain>/auth/callback
[Fri Mar 10 19:22:55.053812 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/proto.c(647): [client 193.174.53.85:24341] oidc_proto_authorization_request: enter, issuer=https://<keycloak-domain>/realms/<realm>, redirect_uri=https://staging.<domain>/auth/callback, state=3bmgerau94wbXuVa3J-k70pYpbI, proto_state={"ou":"https://staging.<domain>/","om":"get","i":"https://<keycloak-domain>/realms/<realm>","rt":"code","n":"hQcD6mAvYpNwGzIaEAuSRmRqx96IBL_-v-Yurelu5qI","t":1678472575}, code_challenge=(null), auth_request_params=(null), path_scope=(null)
[Fri Mar 10 19:22:55.053819 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(787): [client 193.174.53.85:24341] oidc_util_http_add_form_url_encoded_param: processing: response_type=code
[Fri Mar 10 19:22:55.053847 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(787): [client 193.174.53.85:24341] oidc_util_http_add_form_url_encoded_param: processing: scope=openid email
[Fri Mar 10 19:22:55.053864 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(787): [client 193.174.53.85:24341] oidc_util_http_add_form_url_encoded_param: processing: client_id=<client-id>
[Fri Mar 10 19:22:55.053878 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(787): [client 193.174.53.85:24341] oidc_util_http_add_form_url_encoded_param: processing: state=3bmgerau94wbXuVa3J-k70pYpbI
[Fri Mar 10 19:22:55.053893 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(787): [client 193.174.53.85:24341] oidc_util_http_add_form_url_encoded_param: processing: redirect_uri=https://staging.<domain>/auth/callback
[Fri Mar 10 19:22:55.053908 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(787): [client 193.174.53.85:24341] oidc_util_http_add_form_url_encoded_param: processing: nonce=hQcD6mAvYpNwGzIaEAuSRmRqx96IBL_-v-Yurelu5qI
[Fri Mar 10 19:22:55.053924 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(816): [client 193.174.53.85:24341] oidc_util_http_query_encoded_url: url=https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=<client-id>&state=3bmgerau94wbXuVa3J-k70pYpbI&redirect_uri=https%3A%2F%2Fstaging.<domain>%2Fauth%2Fcallback&nonce=hQcD6mAvYpNwGzIaEAuSRmRqx96IBL_-v-Yurelu5qI
[Fri Mar 10 19:22:55.053929 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2621): [client 193.174.53.85:24341] oidc_util_hdr_table_set: Location: https://<keycloak-domain>/realms/<realm>/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=<client-id>&state=3bmgerau94wbXuVa3J-k70pYpbI&redirect_uri=https%3A%2F%2Fstaging.<domain>%2Fauth%2Fcallback&nonce=hQcD6mAvYpNwGzIaEAuSRmRqx96IBL_-v-Yurelu5qI
[Fri Mar 10 19:22:55.053934 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/util.c(2643): [client 193.174.53.85:24341] oidc_util_hdr_err_out_add: Cache-Control: no-cache, no-store, max-age=0
[Fri Mar 10 19:22:55.053940 2023] [auth_openidc:debug] [pid 605356:tid 140251791177472] src/proto.c(785): [client 193.174.53.85:24341] oidc_proto_authorization_request: return: 302
[Fri Mar 10 19:22:55.747398 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/mod_auth_openidc.c(4048): [client 193.174.53.85:24397] oidc_check_user_id: incoming request: "/auth/callback?state=3bmgerau94wbXuVa3J-k70pYpbI&session_state=c8a67377-065a-46af-bedd-3285148a7390&code=233ef1a4-1c40-4ff2-968d-9ea08166b3f0.c8a67377-065a-46af-bedd-3285148a7390.d03f1303-a2ce-4c46-92c7-0ffbfa9ad9f7", ap_is_initial_req(r)=1
[Fri Mar 10 19:22:55.747443 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(2565): [client 193.174.53.85:24397] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.747448 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(2565): [client 193.174.53.85:24397] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.747452 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(704): [client 193.174.53.85:24397] oidc_get_redirect_uri: determined absolute redirect uri: https://staging.<domain>/auth/callback
[Fri Mar 10 19:22:55.747457 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(2565): [client 193.174.53.85:24397] oidc_util_hdr_in_get: Cookie=ring-session=6ed58d42-6767-4b82-b0ae-33f38ff07092
[Fri Mar 10 19:22:55.747461 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(1281): [client 193.174.53.85:24397] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>
[Fri Mar 10 19:22:55.747465 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(2565): [client 193.174.53.85:24397] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.747468 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(2565): [client 193.174.53.85:24397] oidc_util_hdr_in_get: Host=staging.<domain>
[Fri Mar 10 19:22:55.747471 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(704): [client 193.174.53.85:24397] oidc_get_redirect_uri: determined absolute redirect uri: https://staging.<domain>/auth/callback
[Fri Mar 10 19:22:55.747476 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(1443): [client 193.174.53.85:24397] oidc_util_request_matches_url: comparing "/auth/callback"=="/auth/callback"
[Fri Mar 10 19:22:55.747493 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/mod_auth_openidc.c(2083): [client 193.174.53.85:24397] oidc_handle_redirect_authorization_response: enter
[Fri Mar 10 19:22:55.747624 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(1767): [client 193.174.53.85:24397] oidc_util_read_form_encoded_params: read: state=3bmgerau94wbXuVa3J-k70pYpbI
[Fri Mar 10 19:22:55.747647 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(1767): [client 193.174.53.85:24397] oidc_util_read_form_encoded_params: read: session_state=c8a67377-065a-46af-bedd-3285148a7390
[Fri Mar 10 19:22:55.747668 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(1767): [client 193.174.53.85:24397] oidc_util_read_form_encoded_params: read: code=233ef1a4-1c40-4ff2-968d-9ea08166b3f0.c8a67377-065a-46af-bedd-3285148a7390.d03f1303-a2ce-4c46-92c7-0ffbfa9ad9f7
[Fri Mar 10 19:22:55.747672 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(1772): [client 193.174.53.85:24397] oidc_util_read_form_encoded_params: parsed: 200 bytes into 3 elements
[Fri Mar 10 19:22:55.747680 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/mod_auth_openidc.c(1899): [client 193.174.53.85:24397] oidc_handle_authorization_response: enter, response_mode=query
[Fri Mar 10 19:22:55.747684 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/mod_auth_openidc.c(1523): [client 193.174.53.85:24397] oidc_authorization_response_match_state: enter (state=3bmgerau94wbXuVa3J-k70pYpbI)
[Fri Mar 10 19:22:55.747692 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/mod_auth_openidc.c(616): [client 193.174.53.85:24397] oidc_restore_proto_state: enter
[Fri Mar 10 19:22:55.747696 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(2565): [client 193.174.53.85:24397] oidc_util_hdr_in_get: Cookie=ring-session=6ed58d42-6767-4b82-b0ae-33f38ff07092
[Fri Mar 10 19:22:55.747700 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(2565): [client 193.174.53.85:24397] oidc_util_hdr_in_get: Cookie=ring-session=6ed58d42-6767-4b82-b0ae-33f38ff07092
[Fri Mar 10 19:22:55.747703 2023] [auth_openidc:debug] [pid 605355:tid 140251782784768] src/util.c(1281): [client 193.174.53.85:24397] oidc_util_get_cookie: returning "mod_auth_openidc_state_3bmgerau94wbXuVa3J-k70pYpbI" = <null>
[Fri Mar 10 19:22:55.747707 2023] [auth_openidc:error] [pid 605355:tid 140251782784768] [client 193.174.53.85:24397] oidc_restore_proto_state: no "mod_auth_openidc_state_3bmgerau94wbXuVa3J-k70pYpbI" state cookie found: check domain and samesite cookie settings
[Fri Mar 10 19:22:55.747710 2023] [auth_openidc:error] [pid 605355:tid 140251782784768] [client 193.174.53.85:24397] oidc_authorization_response_match_state: unable to restore state
[Fri Mar 10 19:22:55.747713 2023] [auth_openidc:error] [pid 605355:tid 140251782784768] [client 193.174.53.85:24397] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...

Any help greatly appreciated! I've been pulling out my hair over this...

zandbelt · 2023-03-10T18:51:07Z

zandbelt
Mar 10, 2023
Maintainer

which version of mod_auth_openidc are you using?

1 reply

lycheese Mar 10, 2023
Author

2.4.12.3-1

zandbelt · 2023-03-10T18:59:48Z

zandbelt
Mar 10, 2023
Maintainer

in the logs it shows that the Domain attribute is set on the state cookie but that only happens when OIDCCookieDomain is set, which I don't see in the config that you've provided; so it seems there's more config settings that interfere

2 replies

lycheese Mar 10, 2023
Author

Oh, sorry, I set that briefly but it did not change anything. Do you need a new log?

lycheese Mar 10, 2023
Author

I also tried setting OIDCStateMaxNumberOfCookies but no dice.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bad request: Cookies missing on callback to redirect URI in Firefox (and sometimes in Chrome) #1033

{{title}}

Replies: 2 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Bad request: Cookies missing on callback to redirect URI in Firefox (and sometimes in Chrome) #1033

lycheese Mar 10, 2023

Replies: 2 comments · 3 replies

zandbelt Mar 10, 2023 Maintainer

lycheese Mar 10, 2023 Author

zandbelt Mar 10, 2023 Maintainer

lycheese Mar 10, 2023 Author

lycheese Mar 10, 2023 Author

lycheese
Mar 10, 2023

Replies: 2 comments 3 replies

zandbelt
Mar 10, 2023
Maintainer

lycheese Mar 10, 2023
Author

zandbelt
Mar 10, 2023
Maintainer

lycheese Mar 10, 2023
Author

lycheese Mar 10, 2023
Author