tickets #170044
openLogin to idm.o.o sometimes returns "InvalidState"
Description
Sometimes after entering correct username and passphrase, it redirects to https://idm.infra.opensuse.org/ui/oauth2/resume which returns the following message:
Error
An unrecoverable error occured. Please contact your administrator with the details below.
Error Code: InvalidState
Operation ID: a1c7426b-49af-4e96-821b-abe12e7b6f00
Refreshing the page changes the ID.
In the kanidmd output I find some lines with
├─ 🚨 [error]: Failed to unmarshal JWT from headers: InvalidSignature
├─ 🚨 [error]: unable to resume session, no auth_req was found in the cookie
along with the request, not sure if they are related.
Removing the path from the URL (i.e. going directly to https://idm.o.o/) again, shows the logged in Apps page.
Other times it works just fine.
Files
Updated by crameleon 3 months ago
- File InvalidState.png added
- Private changed from Yes to No
Updated by firstyear 3 months ago
I think this and the sudo ticket are actually linked - this error is because the challenge-response session setup is failing as the connection moved from one node to the other. This indicates that:
- The instances are restarting frequently which breaks the chal-rep session establishment
- That the load balancer is not correctly performing sticky sessions
- That something in the load balancer is altering the content of the cookie-jwt which triggers signature failure.
Have there been any changes to the load balancer configuration recently? That would be the first place to look here.
Updated by crameleon 3 months ago
Thanks for the input.
No, there weren't any changes on hel{1,2}, neither in configuration nor in software since June
crameleon@hel1:/home/crameleon> sudo grep haproxy /var/log/zypp/history|tail -n1
2024-06-21 21:06:51|install|haproxy|2.8.6+git0.f6bd011dc-150600.1.5|x86_64||repo-oss|f6a41993804ab436ab0657eb636158b743d208b18ed8afa3d3e2ee92dea8bacffe3f678d7fd0a45d66200e82a8ea757cef15bd8f099afce8f03a734714d753f0|
balance is already configured correctly: https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/production/entry/pillar/cluster/hel/init.sls#L33.
We can add hash-type.
I think it would be preferable to keep/repair the active/active setup given it worked in the past as well?
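The mechanism firstyear describes above (a challenge-response session cookie issued by one Kanidm node failing signature verification when the next request lands on the other node) and the sticky-session fix discussed in this comment, shown as an added, constructed simulation. This is not Kanidm, HAProxy or opensuse-admin code: it assumes two nodes that each sign an HS256 cookie with their own key, a load balancer that either round-robins or source-hashes (the behaviour `balance source` gives), and constructed node names and request ids.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo, not Kanidm or opensuse-admin code. Each "node" signs its
# session cookie with its own key, which is what the thread's symptom implies:
# a cookie issued by one node fails signature verification on the other.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class Node:
    """One IdM instance holding an HS256 signing key (assumption for the demo)."""

    def __init__(self, name, key=None):
        self.name = name
        self.key = key or secrets.token_bytes(32)

    def issue_cookie(self, auth_req: str) -> str:
        # Minimal JWS compact serialisation: header.payload.signature
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"auth_req": auth_req, "iss": self.name}).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def resume(self, cookie: str) -> dict:
        # Mirrors the /oauth2/resume step: verify the cookie, then look for auth_req
        try:
            header, payload, sig = cookie.split(".")
        except ValueError:
            return {"ok": False, "error": "InvalidState"}
        expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return {"ok": False, "error": "InvalidSignature"}
        claims = json.loads(_b64url_decode(payload))
        if "auth_req" not in claims:
            return {"ok": False, "error": "no auth_req was found in the cookie"}
        return {"ok": True, "auth_req": claims["auth_req"], "node": self.name}


class LoadBalancer:
    def __init__(self, nodes, sticky: bool):
        self.nodes = nodes
        self.sticky = sticky
        self._rr = 0

    def pick(self, client_ip: str) -> Node:
        if self.sticky:
            # Source hashing: the same client address always maps to the same node
            h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            return self.nodes[h % len(self.nodes)]
        node = self.nodes[self._rr % len(self.nodes)]  # plain round-robin
        self._rr += 1
        return node


def login_flow(lb: LoadBalancer, client_ip: str) -> dict:
    """Two requests: the first issues the session cookie, the second resumes it."""
    first = lb.pick(client_ip)
    cookie = first.issue_cookie(auth_req="req-0001")  # constructed request id
    second = lb.pick(client_ip)
    return second.resume(cookie)


def run_scenarios(client_ip: str = "192.0.2.10") -> dict:
    """Compare routing policies; node names and the client address are constructed."""
    separate = [Node("idm-a"), Node("idm-b")]
    shared_key = secrets.token_bytes(32)
    shared = [Node("idm-a", shared_key), Node("idm-b", shared_key)]
    return {
        "round_robin_separate_keys": login_flow(LoadBalancer(separate, sticky=False), client_ip),
        "sticky_separate_keys": login_flow(LoadBalancer(separate, sticky=True), client_ip),
        "round_robin_shared_key": login_flow(LoadBalancer(shared, sticky=False), client_ip),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The first scenario reproduces the symptom: the cookie is minted on one node and verified on the other, so verification fails and the resume step is abandoned. Sticky source-hash routing keeps both requests on the same node, which is why the `balance` / `hash-type` settings are the thing to check; the third scenario only shows that, in this toy model, nodes sharing one signing key would also tolerate a node switch, and says nothing about how Kanidm itself handles keys.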
Updated by crameleon 3 months ago
- Related to tickets #170020: sudo sometimes does not accept passphrase added
Updated by crameleon 3 months ago
Committed as
https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/fbdec41c2f77ef93a45d5aa7c4c3e294606d167a
plus minor correction in
https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/853e607039140c29ca78639d6d63be178c534728
Trying to log in the first time after applying the change, I get the same error.
Updated by firstyear 3 months ago · Edited
I'm going to need to add some more debugging here, because this still points to a load balancer issue - not a Kanidm issue. Do you have multiple IPv6 private IPs for example?
Can we configure haproxy with X-Forwarded-For?
EDIT: I'm an idiot, it's not ip. It's oauth2. I'm going to follow that path now.
Updated by crameleon 3 months ago
For me it's working now, but also I did not encounter it so often before.
Do you still have it happening, @hennevogel ?