Bug 1455650 - If authentication receives an error it overwrites the message with simply "State is Invalid"
Summary: If authentication receives an error it overwrites the message with simply "St...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.4.1
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 3.7.0
Assignee: Jordan Liggitt
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-25 16:45 UTC by Eric Jones
Modified: 2020-09-10 10:37 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2017-11-28 21:56:17 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Origin (Github) 14692 0 None None None 2017-06-21 13:53:47 UTC
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description Eric Jones 2017-05-25 16:45:50 UTC
Description of problem:
Customer has connected Azure AD via the OpenID Connect setup and is occasionally seeing a user be unable to authenticate. They have verified that this user is able to login to Azure without issue but when they try to login to OpenShift they simply see the error message "Sate is Invalid" and no amount of increasing log level on OCP will change the message because the actual state is overwritten in the code [0]

[0] https://github.com/openshift/origin/blob/master/pkg/auth/oauth/external/handler.go#L162

Version-Release number of selected component (if applicable):
3.4.1.18


Additional info:
The "problem user" is now reporting success via Chrome and Firefox, though he still sees the same problem when trying to login when using Internet Explorer.

The issue appears to have first been identified when trying to login via Firefox

Comment 1 Jordan Liggitt 2017-05-30 13:47:37 UTC
Is this an HA master setup? If so, do all the masters specify an oauthConfig.sessionSecretsFile with identical authentication/encryption values? If not, the secure session which stores the state may not be readable by all masters.

Comment 2 Eric Jones 2017-05-30 17:46:00 UTC
Customer indicated that it is multi-master and that they logged onto all three masters in the multimaster cluster, and the session secrets (/etc/origin/master/session-secrets.yaml) is the same on all servers.

They also collected the versions of the browsers to provide better context:
Google Chrome(Version 58.0.3029.96 (64-bit)), Firefox(Version 52.1.0(32-bit)) and IE(Version 11.0).

Comment 3 Jordan Liggitt 2017-05-31 14:10:47 UTC
Can they check for time skew between the api servers, and between the client running the browser? This might be an issue with browser discarding the cookie storing state because the client clock is more than 5 minutes behind the server (see https://bugzilla.redhat.com/show_bug.cgi?id=1270436)

Comment 4 Mo 2017-06-21 13:56:28 UTC
Logging issue is fixed in https://github.com/openshift/origin/pull/14692

Comment 6 Chuan Yu 2017-07-05 09:52:47 UTC
Try to verify it with latest OCP3.6 build, the issue still not presented, so put the status to VERIFIED first. 
Here is the verified steps:
1. setup openshift with Azure AD OpenID Connect
2. login openshift with IE(version 10, 11), firefox(52, 54), chrome(59), all login successfully.
3. tried step 2 many times all successfully.

# openshift version
openshift v3.6.133
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

Comment 7 Eric Jones 2017-08-09 17:41:21 UTC
@Jordan,

Apologies for the delay.

The customer uses NTP servers for all of their systems and the customer confirmed that their user was in sync with the NTP server as well.

Comment 11 errata-xmlrpc 2017-11-28 21:56:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188


Note You need to log in before you can comment on or make changes to this bug.