Bug 1537120 - Invalid request Client state could not be verified
Summary: Invalid request Client state could not be verified
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.6.z
Assignee: Jordan Liggitt
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1579746
TreeView+ depends on / blocked
 
Reported: 2018-01-22 13:21 UTC by Luiz Carvalho
Modified: 2018-06-08 12:15 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1579746 (view as bug list)
Environment:
Last Closed: 2018-04-12 06:01:18 UTC
Target Upstream Version:


Attachments (Terms of Use)
Screenshot of error screen. (38.60 KB, image/png)
2018-01-22 13:21 UTC, Luiz Carvalho
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1483883 None NEW [free-int][free-stg][starter-ca-central-1][online-int] Web login hits error in browser private window 2019-07-19 18:52:07 UTC
Red Hat Product Errata RHBA-2018:1106 None None None 2018-04-12 06:01:46 UTC

Internal Links: 1483883

Description Luiz Carvalho 2018-01-22 13:21:07 UTC
Created attachment 1384440 [details]
Screenshot of error screen.

Description of problem:
Loading the web console displays the following:

Error
Invalid request
Client state could not be verified

Return to the console.


Version-Release number of selected component (if applicable):
v3.6.173.0.49


How reproducible:
Not always, but it does appear to happen more often at the beginning of the day.


Steps to Reproduce:
1. Visit https://.../console URL for OpenShift cluster

Actual results:
Error is shown.


Expected results:
Login page displayed.


Additional info:
This appears to have started after upgrading to 3.6.

No errors in browser console, except for this warning: 
[Violation] 'setTimeout' handler took 82ms

Screenshot is for our OpenShift dedicated cluster, but the same error occurs on our on-premise clusters as well.

Comment 1 Jessica Forrester 2018-01-22 19:29:49 UTC
The way to consistently reproduce this is:

1) Open tab A to the console, let it redirect you to the login page, DO NOT LOG IN
2) Open tab B to the console, let it redirect you to the login page
3) Complete the log in from tab B, it will succeed
4) Complete the log in from tab A, it will fail wth "Client state could not be verified"

This is because every time the console initiates the log in workflow it creates a nonce that it sends to the oauth server, and it stomps the existing one.  So only the last console page that redirected to the oauth server can successfully log in.

Comment 2 Jessica Forrester 2018-01-22 22:48:54 UTC
So the worst part of this is actually this reproducer:
1) Open tab A to the console, let it redirect you to the login page, DO NOT LOG IN
2) Open tab B to the console, let it redirect you to the login page, DO NOT LOG IN
3) Complete the log in from tab A, it will fail with "Client state could not be verified"

We've started fixing this here https://github.com/openshift/origin-web-common/pull/282

So with the fix if you have 5 console tabs sitting on the login page, any of them will be able to successfully log you in, which is something you could easily hit on a system reboot or other scenario where you reload browser history but your token is no longer valid.  Also occurs when you get logged out via the new inactivity timeout feature, or just generally if your token happens to expire while you have many tabs open.

What this will not change - once you log in through any of the tabs, the nonce will be destroyed so that it can not be reused, this is an intentional security measure. This means any other tabs still sitting on the log in page, you will not be able to just log in on those tabs, you will need to hit the back button to go back to the console.

Comment 4 Samuel Padgett 2018-01-23 23:32:18 UTC
3.7 PR: https://github.com/openshift/origin-web-console/pull/2707

Comment 5 Samuel Padgett 2018-01-24 12:49:13 UTC
3.8 PR: https://github.com/openshift/origin-web-console/pull/2709

Comment 6 Samuel Padgett 2018-01-24 13:39:01 UTC
3.6 PR: https://github.com/openshift/origin-web-console/pull/2710

Comment 8 Yadan Pei 2018-01-26 07:47:17 UTC
Tried on v3.7.26 with steps per comment 2, the issue has been fixed

Comment 9 Yadan Pei 2018-01-26 08:59:02 UTC
Checked on v3.9.0-0.24.0 also, the issue has been fixed, will continue to check on 3.6 & 3.8

Comment 10 Yadan Pei 2018-01-29 05:49:05 UTC
Issue also fixed on v3.8.32.

Waiting for a new OCP 3.6 puddle includes the fix.

Comment 11 Yadan Pei 2018-01-30 02:21:12 UTC
Issue also fixed on v3.6.173.0.101

Move to VERIFIED

Comment 14 errata-xmlrpc 2018-04-12 06:01:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1106


Note You need to log in before you can comment on or make changes to this bug.