Bug 1537120
Summary: Invalid request Client state could not be verified

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Luiz Carvalho <lucarval> |
| Component: | Management Console | Assignee: | Jordan Liggitt <jliggitt> |
| Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.6.0 | CC: | aos-bugs, jdee, jliggitt, jokerman, jrosenta, kborup, mmccomas, spadgett, xxia, yapei |
| Target Milestone: | --- | | |
| Target Release: | 3.6.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1579746 (view as bug list) | Environment: | |
| Last Closed: | 2018-04-12 06:01:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1579746 | | |
| Attachments: | | | |
Description
Luiz Carvalho
2018-01-22 13:21:07 UTC
The way to consistently reproduce this is:

1) Open tab A to the console, let it redirect you to the login page, DO NOT LOG IN
2) Open tab B to the console, let it redirect you to the login page
3) Complete the log in from tab B, it will succeed
4) Complete the log in from tab A, it will fail with "Client state could not be verified"

This is because every time the console initiates the log in workflow it creates a nonce that it sends to the oauth server, and it stomps the existing one. So only the last console page that redirected to the oauth server can successfully log in.

So the worst part of this is actually this reproducer:

1) Open tab A to the console, let it redirect you to the login page, DO NOT LOG IN
2) Open tab B to the console, let it redirect you to the login page, DO NOT LOG IN
3) Complete the log in from tab A, it will fail with "Client state could not be verified"

We've started fixing this here: https://github.com/openshift/origin-web-common/pull/282

So with the fix, if you have 5 console tabs sitting on the login page, any of them will be able to successfully log you in, which is something you could easily hit on a system reboot or other scenario where you reload browser history but your token is no longer valid. Also occurs when you get logged out via the new inactivity timeout feature, or just generally if your token happens to expire while you have many tabs open.

What this will not change: once you log in through any of the tabs, the nonce will be destroyed so that it can not be reused; this is an intentional security measure. This means that on any other tabs still sitting on the log in page, you will not be able to just log in; you will need to hit the back button to go back to the console.

Tried on v3.7.26 with steps per comment 2; the issue has been fixed.

Checked on v3.9.0-0.24.0 also; the issue has been fixed. Will continue to check on 3.6 & 3.8.

Issue also fixed on v3.8.32. Waiting for a new OCP 3.6 puddle that includes the fix.

Issue also fixed on v3.6.173.0.101. Move to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1106