Created attachment 1384440: Screenshot of error screen.

Description of problem:
Loading the web console displays the following:
Error
Invalid request
Client state could not be verified
Return to the console.

Version-Release number of selected component (if applicable):
v3.6.173.0.49

How reproducible:
Not always, but it does appear to happen more often at the beginning of the day.

Steps to Reproduce:
1. Visit https://.../console URL for OpenShift cluster

Actual results:
Error is shown.

Expected results:
Login page displayed.

Additional info:
This appears to have started after upgrading to 3.6. No errors in browser console, except for this warning:
[Violation] 'setTimeout' handler took 82ms
Screenshot is for our OpenShift Dedicated cluster, but the same error occurs on our on-premise clusters as well.
The way to consistently reproduce this is:
1) Open tab A to the console, let it redirect you to the login page, DO NOT LOG IN
2) Open tab B to the console, let it redirect you to the login page
3) Complete the log in from tab B, it will succeed
4) Complete the log in from tab A, it will fail with "Client state could not be verified"

This is because every time the console initiates the log in workflow it creates a nonce that it sends to the oauth server, and it stomps the existing one. So only the last console page that redirected to the oauth server can successfully log in.
So the worst part of this is actually this reproducer:
1) Open tab A to the console, let it redirect you to the login page, DO NOT LOG IN
2) Open tab B to the console, let it redirect you to the login page, DO NOT LOG IN
3) Complete the log in from tab A, it will fail with "Client state could not be verified"

We've started fixing this here: https://github.com/openshift/origin-web-common/pull/282

So with the fix, if you have 5 console tabs sitting on the login page, any of them will be able to successfully log you in, which is something you could easily hit on a system reboot or other scenario where you reload browser history but your token is no longer valid. Also occurs when you get logged out via the new inactivity timeout feature, or just generally if your token happens to expire while you have many tabs open.

What this will not change: once you log in through any of the tabs, the nonce will be destroyed so that it can not be reused; this is an intentional security measure. This means for any other tabs still sitting on the log in page, you will not be able to just log in on those tabs, you will need to hit the back button to go back to the console.
https://github.com/openshift/origin-web-console/pull/2705
3.7 PR: https://github.com/openshift/origin-web-console/pull/2707
3.8 PR: https://github.com/openshift/origin-web-console/pull/2709
3.6 PR: https://github.com/openshift/origin-web-console/pull/2710
Tried on v3.7.26 with steps per comment 2, the issue has been fixed
Checked on v3.9.0-0.24.0 also, the issue has been fixed, will continue to check on 3.6 & 3.8
Issue also fixed on v3.8.32. Waiting for a new OCP 3.6 puddle that includes the fix.
Issue also fixed on v3.6.173.0.101. Move to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1106