Single Sign On / MGNLSSO-286

Endless loop while using FF


Details

    • Bug
    • Resolution: Not an issue
    • Neutral
    • None
    • 3.1.3
    • None
    • PAAS - Magnolia 6.2.29? with sso
      Keycloak
      FF browser

    Description

      SSO is working, but when deployed to PaaS, Firefox login ends up in a timeout/loop on "/.auth=state=" with a 302, complaining that the "Login expired". Other browsers (i.e. Chrome) are working.

      This problem does not occur on local builds.
      We can reproduce a slightly different behaviour between Chrome (spinning wheel during login) and Firefox (see screenshot), but finally always ended up successfully in the Magnolia UI. Before that, Firefox displayed this status for ~1-2s:

      Magnolia SSO Module 3.1.2 was tested so far.

      Timeout shouldn't be an issue on the Keycloak side; the response is quite fast, with less than 200ms in most tested cases.

      • It does work on LOCAL instances.
      • It does NOT work when deployed on our PaaS.
      • It “never” worked with Firefox.

      NOTES:
      https://stackoverflow.com/questions/76305104/pac4j-raises-state-cannot-be-determined-after-oidc-callback-and-keycloak-provi

      Cookie “JSESSIONID” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect.

      https://stackoverflow.com/questions/75553931/samesite-lax-on-jsessionid-not-working-with-firefox-after-redirect
      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value

      https://stackoverflow.com/questions/52288958/define-same-site-cookie-in-web-xml-cookie-config-for-tomcat

      https://git.magnolia-cms.com/projects/DOCUMENTATION/repos/cloud-internal-docs/browse/build/site/product-docs/6.2/Administration/Troubleshooting/Known-issues.html#2367,2371

      https://git.magnolia-cms.com/projects/PLATFORM/repos/tomcat-barebone/browse/src/release/tomcat/conf/context.xml#41

      LAX - Means that the cookie is not sent on cross-site requests, such as on requests to load images or...

      CHROME:

      Mozilla:


            People

              efochr Evzen Fochr
              efochr Evzen Fochr
              AdminX
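
A check for the symptom in the description above, as an added example that is not part of the original ticket or of Magnolia's code: it walks a captured login attempt and reports `/.auth` callbacks that arrived without the `JSESSIONID` the host last issued, together with that cookie's `SameSite` value. The capture, host names, realm name and the `/.auth` path prefix used for matching are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed capture of one login attempt: hosts, IDs and the realm name are sample values.
CAPTURE = [
    {"url": "https://cms.example.test/.magnolia/admincentral", "cookie": "",
     "set_cookie": ["JSESSIONID=AAA111; Path=/; Secure; HttpOnly; SameSite=Lax"]},
    {"url": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
     "cookie": "", "set_cookie": []},
    # Callback arrives without the session cookie, so the server starts a new login.
    {"url": "https://cms.example.test/.auth?state=s1&code=c1", "cookie": "",
     "set_cookie": ["JSESSIONID=BBB222; Path=/; Secure; HttpOnly; SameSite=Lax"]},
    {"url": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
     "cookie": "", "set_cookie": []},
    {"url": "https://cms.example.test/.auth?state=s2&code=c2", "cookie": "",
     "set_cookie": []},
]


def audit_login(capture, name="JSESSIONID", callback="/.auth"):
    """Report callback requests that lack the session cookie last issued by that host."""
    issued = {}   # host -> attributes of the most recent session cookie it set
    dropped = []  # one entry per callback request that did not carry that cookie
    hits = 0
    for hop in capture:
        url = urlsplit(hop["url"])
        if url.path.startswith(callback):
            hits += 1
            sent = SimpleCookie(hop["cookie"])
            known = issued.get(url.hostname)
            if known and (name not in sent or sent[name].value != known["value"]):
                dropped.append({"url": hop["url"], **known})
        for header in hop["set_cookie"]:
            jar = SimpleCookie(header)
            if name in jar:
                m = jar[name]
                issued[url.hostname] = {"value": m.value,
                                        "samesite": m["samesite"] or "(unset)",
                                        "secure": bool(m["secure"])}
    return {"callback_hits": hits, "dropped": dropped,
            "looping": hits > 1 and bool(dropped)}


if __name__ == "__main__":
    report = audit_login(CAPTURE)
    print("callback hits:", report["callback_hits"], "looping:", report["looping"])
    for d in report["dropped"]:
        print("session cookie missing on", d["url"], "SameSite =", d["samesite"])
```

Feeding it the request and response headers from a browser network export for both Firefox and Chrome shows whether the two browsers differ at the callback hop.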