tickets #170044
openLogin to idm.o.o sometimes returns "InvalidState"
Description
Sometimes, after entering the correct username and passphrase, it redirects to https://idm.infra.opensuse.org/ui/oauth2/resume which returns the following message:
Error
An unrecoverable error occured. Please contact your administrator with the details below.
Error Code: InvalidState
Operation ID: a1c7426b-49af-4e96-821b-abe12e7b6f00
Refreshing the page changes the ID.
In the kanidmd output I find some lines with
🚨 [error]: Failed to unmarshal JWT from headers: InvalidSignature
🚨 [error]: unable to resume session, no auth_req was found in the cookie
along with the request, not sure if they are related.
Removing the path from the URL (i.e. going directly to https://idm.o.o/) again, shows the logged in Apps page.
Other times it works just fine.
Files
Updated by crameleon 15 days ago
- File InvalidState.png InvalidState.png added
- Private changed from Yes to No
Updated by firstyear 15 days ago
I think this and the sudo ticket are actually linked - this error is because the challenge-response session setup is failing as the connection moved from one node to the other. This indicates that:
- The instances are restarting frequently which breaks the chal-rep session establishment
- That the load balancer is not correctly performing sticky sessions
- That something in the load balancer is altering the content of the cookie-jwt which triggers signature failure.
Have there been any changes to the load balancer configuration recently? That would be the first place to look here.
Updated by crameleon 14 days ago
Thanks for the input.
No, there weren't any changes on hel{1,2}, neither in configuration nor in software since June:
crameleon@hel1:/home/crameleon> sudo grep haproxy /var/log/zypp/history|tail -n1
2024-06-21 21:06:51|install|haproxy|2.8.6+git0.f6bd011dc-150600.1.5|x86_64||repo-oss|f6a41993804ab436ab0657eb636158b743d208b18ed8afa3d3e2ee92dea8bacffe3f678d7fd0a45d66200e82a8ea757cef15bd8f099afce8f03a734714d753f0|
balance is already configured correctly: https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/production/entry/pillar/cluster/hel/init.sls#L33.
We can add hash-type.
I think it would be preferable to keep/repair the active/active setup given it worked in the past as well?
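The kind of HAProxy backend definition the two comments above are discussing, as an added illustration; this is not the opensuse-admin salt pillar nor anything from the Kanidm project. The thread only names the balance and hash-type keywords, so the values balance source and hash-type consistent are assumptions here, as are the backend name, server names and addresses (Kanidm's default listener port 8443 is real). It shows why the hash type matters for the failure mode firstyear describes: with an active/active pair, a client must keep hitting the node that created its challenge-response session and signed its cookie JWT, and a node restart must move as few clients as possible.

```haproxy
# Added example, not the opensuse-admin pillar or Kanidm's own config.
# Assumed values: 'balance source', 'hash-type consistent', server names
# and 192.0.2.x addresses (RFC 5737 documentation range).
frontend idm_https
    bind :443
    # TCP passthrough: kanidmd terminates TLS itself, so the proxy never
    # sees or rewrites the session cookie (rules out cookie tampering by
    # the load balancer as the cause of InvalidSignature).
    mode tcp
    default_backend idm_kanidm

backend idm_kanidm
    mode tcp
    # Pin each client address to one kanidmd node. The auth_req state and
    # the cookie JWT are only valid on the node that issued them; a request
    # that lands on the other node fails with InvalidState.
    balance source
    # Default (map-based) hashing redistributes most clients whenever the
    # set of usable servers changes, e.g. one node restarting. Consistent
    # hashing only moves the clients that were on the node that went away.
    hash-type consistent
    # Health checks take a restarting node out of rotation quickly instead
    # of letting fresh logins land on it while it is still coming up.
    option tcp-check
    server idm-node1 192.0.2.11:8443 check
    server idm-node2 192.0.2.12:8443 check
```

Two caveats when comparing this with a real deployment: balance source keys on the client's source address, so clients behind a shared NAT or with rotating IPv6 privacy addresses are the usual reason stickiness looks broken even when the config is right; and if the nodes restart frequently, even consistent hashing only limits the damage, since every session on the restarted node is still lost.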
Updated by crameleon 14 days ago
- Related to tickets #170020: sudo sometimes does not accept passphrase added
Updated by crameleon 13 days ago
Committed as
https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/fbdec41c2f77ef93a45d5aa7c4c3e294606d167a
plus minor correction in
https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/853e607039140c29ca78639d6d63be178c534728
Trying to log in the first time after applying the change, I get the same error.
Updated by firstyear 13 days ago · Edited
I'm going to need to add some more debugging here, because this still points to a load balancer issue - not a Kanidm issue. Do you have multiple IPv6 private IPs, for example?
Can we configure haproxy with x-forward-for?
EDIT: I'm an idiot, it's not ip. It's oauth2. I'm going to follow that path now.
Updated by crameleon 11 days ago
For me it's working now, but also I did not encounter it so often before.
Do you still have it happening, @hennevogel ?