[MGNLSSO-286] Endless loop while using FF Created: 15/May/23  Updated: 31/May/23  Resolved: 31/May/23

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: 3.1.3
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Evzen Fochr Assignee: Evzen Fochr
Resolution: Not an issue Votes: 0
Labels: waitingForResponse
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified
Environment:

PAAS - Magnolia 6.2.29? with sso
Keycloak
FF browser


Attachments: PNG File image-2023-05-24-10-50-35-261.png     PNG File image-2023-05-24-11-37-33-180.png     PNG File image-2023-05-24-11-38-02-347.png     PNG File screenshot-1.png    
Issue Links:
dependency
Sub-Tasks:
Key | Summary | Type | Status | Assignee
MGNLSSO-289 | Documentation | Sub-task | Closed | Julie Legendre
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Documentation update required:
Yes
Date of First Response:
Epic Link: SSO maintenance
Team: AdminX
Work Started:

 Description   

SSO is working, but when deployed to PaaS, Firefox login ends up in a timeout/loop on "/.auth=state=" with a 302, complaining that the "Login expired". Other browsers (i.e. Chrome) are working.

This problem does not occur on local builds.
We can reproduce a slightly different behaviour between Chrome (Spinning Wheel during login) and Firefox (see screenshot), but finally always ended up successfully in Magnolia UI. Before Firefox displayed this status for ~1-2s:

Magnolia SSO Module 3.1.2 was tested so far.

Timeout shouldn't be an issue on the Keycloak side; the response is quite fast, with less than 200ms in most tested cases.

  • It does work on LOCAL instances.
  • It does NOT work when deployed on our PaaS.
  • It “never” worked with Firefox

NOTES:
https://stackoverflow.com/questions/76305104/pac4j-raises-state-cannot-be-determined-after-oidc-callback-and-keycloak-provi

Cookie “JSESSIONID” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect.

https://stackoverflow.com/questions/75553931/samesite-lax-on-jsessionid-not-working-with-firefox-after-redirect
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value

https://stackoverflow.com/questions/52288958/define-same-site-cookie-in-web-xml-cookie-config-for-tomcat

https://git.magnolia-cms.com/projects/DOCUMENTATION/repos/cloud-internal-docs/browse/build/site/product-docs/6.2/Administration/Troubleshooting/Known-issues.html#2367,2371

https://git.magnolia-cms.com/projects/PLATFORM/repos/tomcat-barebone/browse/src/release/tomcat/conf/context.xml#41

LAX - Means that the cookie is not sent on cross-site requests, such as on requests to load images or...

CHROME: (screenshot)

Mozilla: (screenshot)

 Comments   
Comment by Evzen Fochr [ 26/May/23 ]

acordero all customers on PaaS that are using SSO/OpenID need to set <CookieProcessor sameSiteCookies="Lax" />
https://docs.magnolia-cms.com/product-docs/6.2/Administration/Troubleshooting/Known-issues.html#_unable_to_log_in_with_an_ssoopenid_setup
cc mgeljic 

Default PaaS environment value is strict.

Comment by Evzen Fochr [ 31/May/23 ]

jlegendre can you please put this link in the SSO docu too so users can see this requirement?
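
A check for the setting discussed in this ticket, as an added example that is not part of the original issue or of Magnolia's code: it reads Set-Cookie headers and reports whether JSESSIONID would accompany the redirect back from the identity provider. The sample headers are constructed, the function names are hypothetical, and it assumes the callback is a top-level GET redirect arriving from another site, as in the 302 described above.

```python
# Added example: constructed Set-Cookie headers, not captured from a real deployment.
SAMPLE_STRICT = ["JSESSIONID=0123ABCD; Path=/; HttpOnly; Secure; SameSite=Strict"]
SAMPLE_LAX = ["JSESSIONID=0123ABCD; Path=/; HttpOnly; Secure; SameSite=Lax"]
SAMPLE_UNSET = ["JSESSIONID=0123ABCD; Path=/; HttpOnly; Secure"]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def callback_verdict(set_cookie_headers, cookie_name="JSESSIONID"):
    """Classify the session cookie for the IdP -> callback redirect.

    Assumption: the callback is a top-level GET navigation coming from
    a different site (the identity provider).
    """
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        samesite = attrs.get("samesite", "").lower()
        if samesite == "strict":
            # Not sent on cross-site navigation: the session holding the
            # login state is missing at the callback, so login restarts.
            return "blocked"
        if samesite == "lax":
            # Sent on top-level GET navigations, withheld on subrequests.
            return "sent"
        if samesite == "none":
            # Sent, but also on every cross-site subrequest.
            return "sent"
        return "browser-default"  # attribute absent: browser decides
    return "missing"


if __name__ == "__main__":
    for label, headers in [("strict", SAMPLE_STRICT), ("lax", SAMPLE_LAX),
                           ("unset", SAMPLE_UNSET)]:
        print(label, "->", callback_verdict(headers))
```

Feed it the Set-Cookie headers from the first response of the login flow; "blocked" corresponds to the Strict default mentioned in the comment above.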

Generated at Mon Feb 12 10:52:49 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.