- Bug
- Resolution: Not an issue
- Neutral
- Latest Magnolia Cloud Simulator with Magnolia 6.2.8 bundle, SSO 2.7.0 and GoogleOpenId configured
Latest magnolia-tomcat bundles come with this parameter included in the context.xml:
<CookieProcessor sameSiteCookies="Strict" />
This parameter was also included in Magnolia Cloud by default: https://git.magnolia-cms.com/projects/OD/repos/mgnl-images/commits/fab9d7975f613f77bda1638ea73ea0c2214e966f#cloud-base/roles/magnolia-server/templates/context.xml
This will cause the session to be lost between steps 1 and 2 of the OpenID authorization code flow implementation. If the session is lost, step 2 can't be completed, so the code sent by Google to Magnolia (as a background call) is never handled and the token can't be retrieved from Google's token endpoint, which would be step 3.
This is the part of the code from SSOLoginHandler for step 2 that relies on a session attribute (already set in step 1):
public LoginResult handle(HttpServletRequest request, HttpServletResponse response) {
    // attribute stored in the session during step 1
    OICServiceRequest oicServiceRequest = (OICServiceRequest) request.getSession().getAttribute("ssoAuthenticationServiceRequest");
    if (oicServiceRequest != null) {
        ...
    }
    return LoginResult.NOT_HANDLED;
}
Since NOT_HANDLED is returned, Magnolia continues to the next login handler, which is FormLogin, instead of continuing with the OpenID flow (retrieving the token, etc.).
Here is the log taken from cloud simulator with session debugger enabled:
2021-05-20 13:18:40,425 WARN info.magnolia.debug : -- Session found -- Session attributes : Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@49c25143 ssoAuthenticationServiceRequest = info.magnolia.connector.sso.oic.service.OICServiceRequest@7c24be21 csrf = CfrFh6UyLV9mtURZGZuDDnGAk2A -- Session is new : false ----------
2021-05-20 13:18:40,425 DEBUG info.magnolia.cms.security.auth.login.FormLogin : handle login for null
2021-05-20 13:18:40,426 INFO ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:40,426 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /
2021-05-20 13:18:47,516 WARN info.magnolia.debug : -- Session found -- Session attributes : Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@4dea3181 -- Session is new : true ----------
2021-05-20 13:18:47,517 DEBUG info.magnolia.cms.security.auth.login.FormLogin : handle login for null
2021-05-20 13:18:47,517 INFO ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:47,518 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /.auth?state=98g1hh2l5balifitprl5vfn93u&code=4%2F0AY0e-g4aWzOqjIcDmGtD_sQ0ViaUoSyRvDF-rKkeRWCfsKSRigZLUyJ1UqGTNBrgQu9PLQ&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=magnolia-cms.com&prompt=consent
The Dockerfile, context.xml and jaas.config files used are attached.
- is cloned by: MGNLSSO-65 CLONE - Session lost & authentication broken with CookieProcessor sameSiteCookies="Strict" (Closed)
- relates to: MAGNOLIA-8112 Login/logout redirects from https to http if behind proxy (Closed)