[MGNLSSO-56] Session lost & authentication broken with CookieProcessor sameSiteCookies="Strict" Created: 20/May/21  Updated: 29/Aug/23  Resolved: 29/Aug/23

Status: Closed
Project: Single Sign On
Component/s: sso-connector
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Edwin Guilbert Assignee: Unassigned
Resolution: Not an issue Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Latest Magnolia Cloud Simulator with Magnolia 6.2.8 bundle, sso 2.7.0 and GoogleOpenId configured


Attachments: HTML File Dockerfile     XML File context.xml     PNG File image-2021-09-06-16-01-50-802.png     File jaas.config    
Issue Links:
Cloners
is cloned by MGNLSSO-65 CLONE - Session lost & authentication... Closed
Relates
relates to MAGNOLIA-8112 Login/logout redirects from https to ... Closed
dependency
relation
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: SSO maintenance
Team: AdminX

Description

Latest magnolia-tomcat bundles come with this parameter included in the context.xml:

<CookieProcessor sameSiteCookies="Strict" />

This parameter was also included in Magnolia Cloud by default: https://git.magnolia-cms.com/projects/OD/repos/mgnl-images/commits/fab9d7975f613f77bda1638ea73ea0c2214e966f#cloud-base/roles/magnolia-server/templates/context.xml

This causes the session to be lost between steps 1 and 2 of the OpenID authorization code flow. If the session is lost, step 2 cannot be completed, so the code sent by Google to Magnolia (as a background call) is never handled and the token cannot be retrieved from Google's token endpoint, which would be step 3.
This is the part of the SSOLoginHandler code for step 2 that relies on a session attribute (already set in step 1):

    public LoginResult handle(HttpServletRequest request, HttpServletResponse response) {
        OICServiceRequest oicServiceRequest = (OICServiceRequest) request.getSession().getAttribute("ssoAuthenticationServiceRequest");
        if (oicServiceRequest != null) {
            ...
        }
        return LoginResult.NOT_HANDLED;
    }

Since NOT_HANDLED is returned, Magnolia continues to the next login handler, which is FormLogin, instead of continuing with the OpenID flow (retrieving the token, etc.).

Here is the log taken from cloud simulator with session debugger enabled:

2021-05-20 13:18:40,425 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@49c25143
    ssoAuthenticationServiceRequest = info.magnolia.connector.sso.oic.service.OICServiceRequest@7c24be21
    csrf = CfrFh6UyLV9mtURZGZuDDnGAk2A
-- Session is new : false
----------
2021-05-20 13:18:40,425 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-20 13:18:40,426 INFO  ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:40,426 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /
2021-05-20 13:18:47,516 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@4dea3181
-- Session is new : true
----------
2021-05-20 13:18:47,517 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-20 13:18:47,517 INFO  ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:47,518 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /.auth?state=98g1hh2l5balifitprl5vfn93u&code=4%2F0AY0e-g4aWzOqjIcDmGtD_sQ0ViaUoSyRvDF-rKkeRWCfsKSRigZLUyJ1UqGTNBrgQu9PLQ&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=magnolia-cms.com&prompt=consent


The Dockerfile, context.xml and jaas.config files used are attached.
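To make the mechanism behind the two session dumps above concrete, here is an added Python model (not Magnolia or SSO-module code) of the browser's SameSite cookie rules and a simplified stand-in for the container session plus SSOLoginHandler: with Strict the JSESSIONID cookie is not sent on the cross-site redirect from the identity provider back to /.auth, so step 2 lands in a fresh session and returns NOT_HANDLED; with Lax the GET callback carries the cookie. It also covers a POST callback (response_mode=form_post), which the issue does not discuss and for which Lax is not sufficient either. The names JSESSIONID, ssoAuthenticationServiceRequest and NOT_HANDLED follow the issue; SsoServer, run_flow and the state handling are simplifications assumed for the example.

```python
"""Browser + servlet model of the SameSite problem in this issue (added example,
not Magnolia or SSO-module code).

Step 1: the browser requests "/" on the Magnolia host; the container creates a
        session (JSESSIONID) in which the SSO handler stores the pending
        OICServiceRequest, then redirects the browser to the identity provider.
Step 2: the provider redirects the browser back to /.auth?state=...&code=...
        That request is a cross-site, top-level navigation, so whether the
        browser attaches JSESSIONID depends on the cookie's SameSite value.
"""
from __future__ import annotations

from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: str  # "Strict", "Lax" or "None" (Tomcat: CookieProcessor sameSiteCookies)


def browser_sends_cookie(cookie: Cookie, *, cross_site: bool, top_level: bool, method: str) -> bool:
    """SameSite attachment rules as browsers implement them (RFC 6265bis)."""
    if not cross_site:
        return True                      # same-site requests always carry the cookie
    policy = cookie.same_site.lower()
    if policy == "none":
        return True                      # cross-site allowed (cookie must also be Secure)
    if policy == "lax":
        # Lax: cross-site only for top-level navigations using a safe method.
        return top_level and method.upper() in ("GET", "HEAD")
    return False                         # Strict: never on a cross-site request


class SsoServer:
    """Simplified stand-in for Tomcat session handling plus SSOLoginHandler (assumed)."""

    def __init__(self, same_site: str) -> None:
        self.same_site = same_site
        self.sessions: dict[str, dict] = {}

    def _session(self, cookies: dict[str, str]) -> tuple[str, dict]:
        """Return the session named by JSESSIONID, or create a fresh, empty one."""
        sid = cookies.get("JSESSIONID")
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        return sid, self.sessions[sid]

    def start_login(self, cookies: dict[str, str]) -> tuple[Cookie, str]:
        """Step 1: remember the pending request in the session and hand out the cookie."""
        sid, session = self._session(cookies)
        state = secrets.token_urlsafe(16)  # the state parameter visible in the log
        session["ssoAuthenticationServiceRequest"] = {"state": state, "requestedUrl": "/"}
        return Cookie("JSESSIONID", sid, self.same_site), state

    def handle_callback(self, cookies: dict[str, str], state: str) -> str:
        """Step 2: the handler looks for the attribute stored in step 1."""
        _, session = self._session(cookies)
        pending = session.get("ssoAuthenticationServiceRequest")
        if pending is None or pending["state"] != state:
            return "NOT_HANDLED"         # Magnolia falls through to FormLogin
        return "HANDLED"                 # continue: exchange the code for tokens


def run_flow(same_site: str, callback_method: str = "GET") -> str:
    """Simulate both steps for one sameSiteCookies setting; return the handler result."""
    server = SsoServer(same_site)
    cookie, state = server.start_login({})   # step 1: same-site request, new session
    sent = browser_sends_cookie(cookie, cross_site=True, top_level=True,
                                method=callback_method)
    callback_cookies = {cookie.name: cookie.value} if sent else {}
    return server.handle_callback(callback_cookies, state)


if __name__ == "__main__":
    for setting in ("Strict", "Lax", "None"):
        print(f"sameSiteCookies={setting:<6} GET callback  -> {run_flow(setting)}")
        print(f"sameSiteCookies={setting:<6} POST callback -> {run_flow(setting, 'POST')}")
```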



Comments
Comment by Edwin Guilbert [ 20/May/21 ]

I just tested the same project (non dx-core-cloud based) with a Magnolia Tomcat bundle and can confirm that the issue is present for a dx-core project using sso 2.7.x.

Comment by Edwin Guilbert [ 21/May/21 ]

Discussion about sameSiteCookies: https://magnolia-cms.slack.com/archives/CDF2T239Q/p1621497875010500 

and

https://magnolia-cms.slack.com/archives/CKDSMM5CJ/p1621526307008100 


Comment by Edwin Guilbert [ 21/May/21 ]

Tomcat's context.xml will probably be reverted to "lax" instead of "strict": https://magnolia-cms.slack.com/archives/CKDSMM5CJ/p1621576718001400 

Comment by Edwin Guilbert [ 21/May/21 ]

Tried with context.xml sameSiteCookies="lax" and it partially worked, i.e. the authentication worked but the redirect is still broken, so one has to manually enter the requested URL in the browser again. It appears the redirect URI is still lost further down the business logic (after the authentication is done).

Probably around here in SSOAuthenticationLoginFilter:


        // SSO authentication request: add originally requested URL
        if (StringUtils.isNotBlank(requestedUrl)) {
            request.getSession().setAttribute("ssoAuthenticationRedirectUrl", requestedUrl);
        }
        // if the store token option is enabled, put the request object into the session to retrieve token information later
        if (oicSettings != null && oicSettings.isStoreToken()) {
            request.getSession().setAttribute("ssoRequestObj", oicServiceRequest);
        }
        MgnlContext.login(subject);
        AuditLoggingUtil.log(loginResult, request);

        // Send response via redirect to follow PRG (Post/Redirect/Get) pattern to prevent logging in via Back button after logout. http://en.wikipedia.org/wiki/Post/Redirect/Get
        // Applied only in case authentication is done with POST request.
        if (loginResult.getStatus() == LoginResult.STATUS_SUCCEEDED_REDIRECT_REQUIRED) {
            String location = request.getParameter(FormLogin.PARAMETER_RETURN_TO);
            // Fallback to current request uri if no FormLogin.PARAMETER_RETURN_TO was specified
            if (location == null) {
                location = request.getRequestURL().toString();
            }
            location = RequestDispatchUtil.REDIRECT_PREFIX + location;
            RequestDispatchUtil.dispatch(location, request, response);
            return;
        }

Then, in the SSOPreserveOriginalURIServlet, the ssoAuthenticationRedirectUrl attribute is not found in the session:

        String redirectUrl = (String) request.getSession().getAttribute("ssoAuthenticationRedirectUrl");
        boolean isRedirectProvided = StringUtils.isNotBlank(redirectUrl);
        boolean isLogoutRequest = StringUtils.isNotBlank(request.getParameter(LogoutFilter.PARAMETER_LOGOUT));

        if (isRedirectProvided && !isLogoutRequest) {
            log.debug("Redirecting to original request URL {}", redirectUrl);

            if (StringUtils.endsWith(redirectUrl, ADMINCENTRAL_REDIRECT)) {
                log.debug("AdminCentral redirect, adding fragment so that Magnolia does not mess it up.");
                redirectUrl += SHELL_FRAGMENT;
                log.debug("Redirecting to Magnolia AdminCentral URL {}", redirectUrl);
            }

            response.sendRedirect(redirectUrl);
        }


Here is the log:
2021-05-21 10:39:14,098 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:39:14,098 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-21 10:39:14,894 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@411aa3e7
    ssoAuthenticationServiceRequest = info.magnolia.connector.sso.oic.service.OICServiceRequest@2ad41d33
    csrf = JB9nHjdEpojLAqHLZwvRQM2Od3E
-- Session is new : false
----------2021-05-21 10:39:14,894 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Authorization code received: 4/0AY0e-g6ble6iBROyNsVLVX_nXuox6R-J0i3da9U3vJZP1XsWssZ2mF0mLJtVlD2q7qdTfg
2021-05-21 10:39:15,084 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Received an access token: ya29.a0AfH6SMAz4fgOD79wCf_mKdMB28Hhcce3mM3nYEl7mF8Ld3jQ7vnX2m7RFWN4E_K7kSbSJiPK3q7jKPqubZuwVoSGXsfWL1rBf5Kpvay9yiz24di__6S_BLvn7HmqByn3xd_R_oPC0K7As6jwl_fWnDT9PefJ
2021-05-21 10:39:15,084 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Raw response: {
  "access_token": "ya29.a0AfH6SMAz4fgOD79wCf_mKdMB28Hhcce3mM3nYEl7mF8Ld3jQ7vnX2m7RFWN4E_K7kSbSJiPK3q7jKPqubZuwVoSGXsfWL1rBf5Kpvay9yiz24di__6S_BLvn7HmqByn3xd_R_oPC0K7As6jwl_fWnDT9PefJ",
  "expires_in": 3599,
  "refresh_token": "1//03e-J4RoitwghCgYIARAAGAMSNwF-L9IrySuQDsJhjoKS5zxPM0fNpINmVRIx2NWUJO5dDJAbc-x8guHoGIlreWWLEOj7jzY_lXw",
  "scope": "openid https://www.googleapis.com/auth/userinfo.email",
  "token_type": "Bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImQzZmZiYjhhZGUwMWJiNGZhMmYyNWNmYjEwOGNjZWI4ODM0MDZkYWMiLCJ0eXAiOiJKV1QifQ....JmIX0dS3Wo4VfIRMnkcisBv65ym-dKS94X6yMpU5c7oIt7csSLnxv_FYKCqs9VuUpA8eKl0Uow72ghuSvPhAK7viTgmkDNU7_R7XBi2sRxqW2UbRgE4ObYn1NC_QEw8uCPkNzz7zXyLguSrruX9w81VFcI7CwY_iKvDk3FRcchUA1gBEnUMZbs_gGgdM7NfOSd1-R1HYGA5A-aXeK57BlgS8uDYnYeOmdIQaeqPzW0IVne2dqssKj_GR6hAkPfExOztx-HBVUkpw74psMLOE0c-gWV33Wmj91PCSy8LsgVc9ly43KX1lzUqoznopa1ausObrDzMYsLNs03AczzUK9g"
}
2021-05-21 10:39:15,084 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Token expires in: 3599 
2021-05-21 10:39:15,085 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Using OpenID Connect for SSO authentication.
2021-05-21 10:39:15,100 DEBUG info.magnolia.connector.sso.util.JSONUtils        : Fetched JSON Web Keys for OpenID validation:
2021-05-21 10:39:15,100 DEBUG info.magnolia.connector.sso.util.JSONUtils        : {  "keys": [    {      "n": "z8eiKUkFeJeFWXxqDCCR7R3FATnahlIWPY-drXFv0DOY_GCwmQCZArvNhHjtbJkbpPO9isHykrEkov1B0T8RhsMWalfmOuUCMTGvcc_gJgTtlfTkgY10FOayh0QRQiyW7DfW4SeJijOMrw7JpIyuQ5tHGZEC1L2Y0_-TFSwvWjOhbb8zbNWmI4RnyFtLreHonUM9QUPsjFWJpyLFmCFlu0WqcWDnmnjZTjlAlkm-iWeqfvNs1q3EsDDc9YtNnoy_h8ipi5g-ThG9LIw5KCzMY_C-2BrS9Sa-DsegOht2Y8rew4nEgcqkSokQZpXtDSkSKCkbcaT_rXY7vK13uXg14w",      "alg": "RS256",      "e": "AQAB",      "kid": "d3ffbb8ade01bb4fa2f25cfb108cceb883406dac",      "kty": "RSA",      "use": "sig"    },    {      "kid": "cd49b2ab16e1e9a496c8239dac0dadd09d443012",      "n": "koT6VAUmOwqXQoyMQkk0F1JJd81H7ksx7FHfKtqXvdrDt9LLr1IDJ-CFpbbn4SuJeYQcUo-lHA1_vbbtgCBSyd_H86WGGARlPrsqFF-hbBBauhUQuXMxFxJKAiQS0WIbFvDkwRaNiGIMYQvzwDKbms5tCqZ04T5Qez9v64i3RlU8-upJxG9duzeXQjrnC5uJeeG-9fwE06RRZ1Y8Uul63Lpxicw5Alyd5HQIzF5vSSwjqdVrBUJAToxuTIqIHR24omrz1f7Jf97wy2U7KUoSnytauyaZtph7RmsUPVMFr9fGMxNVU8tKEVeOYJv-piOc0gfPvIahbv2en0DhOax6OQ",      "alg": "RS256",      "e": "AQAB",      "kty": "RSA",      "use": "sig"    }  ]}
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils        : The JWS signature was verified.
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils        : JWS payload: {"iss":"https://accounts.google.com","azp":"462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com","aud":"462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com","sub":"102315101362010642494","hd":"magnolia-cms.com","email":"edwin.guilbert@magnolia-cms.com","email_verified":true,"at_hash":"RlTXxL4abzz-PgUNzE4FVg","iat":1621593555,"exp":1621597155}
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils        : JWT claims: JWT Claims Set:{iss=https://accounts.google.com, azp=462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com, aud=462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com, sub=102315101362010642494, hd=magnolia-cms.com, email=edwin.guilbert@magnolia-cms.com, email_verified=true, at_hash=RlTXxL4abzz-PgUNzE4FVg, iat=1621593555, exp=1621597155}
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils        : OpenID issuer OK.
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils        : OpenID audience OK.
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils        : OpenID issued-at OK
2021-05-21 10:39:15,105 DEBUG info.magnolia.connector.sso.util.JSONUtils        : OpenID expiration OK
2021-05-21 10:39:15,105 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Validation of the OpenID token was successful.
2021-05-21 10:39:15,105 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Assigned the OpenID token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImQzZmZiYjhhZGUwMWJiNGZhMmYyNWNmYjEwOGNjZWI4ODM0MDZkYWMiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI0NjI4Mzc0OTEzMjEtNTJkMGJicHVqMWY5aTl2Z29rMnNlZmZsc2kzZjh2anUuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI0NjI4Mzc0OTEzMjEtNTJkMGJicHVqMWY5aTl2Z29rMnNlZmZsc2kzZjh2anUuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDIzMTUxMDEzNjIwMTA2NDI0OTQiLCJoZCI6Im1hZ25vbGlhLWNtcy5jb20iLCJlbWFpbCI6ImVkd2luLmd1aWxiZXJ0QG1hZ25vbGlhLWNtcy5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXRfaGFzaCI6IlJsVFh4TDRhYnp6LVBnVU56RTRGVmciLCJpYXQiOjE2MjE1OTM1NTUsImV4cCI6MTYyMTU5NzE1NX0.JmIX0dS3Wo4VfIRMnkcisBv65ym-dKS94X6yMpU5c7oIt7csSLnxv_FYKCqs9VuUpA8eKl0Uow72ghuSvPhAK7viTgmkDNU7_R7XBi2sRxqW2UbRgE4ObYn1NC_QEw8uCPkNzz7zXyLguSrruX9w81VFcI7CwY_iKvDk3FRcchUA1gBEnUMZbs_gGgdM7NfOSd1-R1HYGA5A-aXeK57BlgS8uDYnYeOmdIQaeqPzW0IVne2dqssKj_GR6hAkPfExOztx-HBVUkpw74psMLOE0c-gWV33Wmj91PCSy8LsgVc9ly43KX1lzUqoznopa1ausObrDzMYsLNs03AczzUK9g
2021-05-21 10:39:15,105 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Trying to retrieve user information by using the URL: https://www.googleapis.com/oauth2/v1/userinfo
2021-05-21 10:39:15,161 DEBUG info.magnolia.connector.sso.util.JSONUtils        : Original response body: {
  "id": "102315101362010642494",
  "email": "edwin.guilbert@magnolia-cms.com",
  "verified_email": true,
  "picture": "https://lh3.googleusercontent.com/a-/AOh14GiJUShAp7E9KgrgvINjDynUHs3YJc-jEW57dzuP=s96-c",
  "hd": "magnolia-cms.com"
}
2021-05-21 10:39:15,163 DEBUG info.magnolia.connector.sso.util.UserAccountUtils : The payload from the OIDC token can be used to fill user properties.
2021-05-21 10:39:15,163 DEBUG info.magnolia.connector.sso.util.JSONUtils        : Original response body: {"iss":"https://accounts.google.com","azp":"462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com","aud":"462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com","sub":"102315101362010642494","hd":"magnolia-cms.com","email":"edwin.guilbert@magnolia-cms.com","email_verified":true,"at_hash":"RlTXxL4abzz-PgUNzE4FVg","iat":1621593555,"exp":1621597155}
2021-05-21 10:39:15,163 DEBUG info.magnolia.connector.sso.util.UserAccountUtils : Created user properties: {name=edwin.guilbert, id=googleOpenIDConnectTemplate:oauth:102315101362010642494, email=edwin.guilbert@magnolia-cms.com}
2021-05-21 10:39:15,251 DEBUG info.magnolia.connector.sso.util.UserAccountUtils : Creating user with details {name=edwin.guilbert, id=googleOpenIDConnectTemplate:oauth:102315101362010642494, email=edwin.guilbert@magnolia-cms.com}
2021-05-21 10:39:15,251 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:group] where name() = 'publishers'".
2021-05-21 10:39:15,253 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 2ms (isInstallationPhase: false): path = /publishers
2021-05-21 10:39:15,254 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:role] where name() = 'superuser'".
2021-05-21 10:39:15,255 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /superuser
2021-05-21 10:39:15,260 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:group] where name() = 'publishers'".
2021-05-21 10:39:15,261 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /publishers
2021-05-21 10:39:15,261 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:group] where name() = 'publishers'".
2021-05-21 10:39:15,263 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 2ms (isInstallationPhase: false): path = /publishers
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: External user object:
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: -- properties: {name=edwin.guilbert, id=googleOpenIDConnectTemplate:oauth:102315101362010642494, email=edwin.guilbert@magnolia-cms.com}
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: -- groups:     [publishers]
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: -- roles:      [workflow-base, publisher, superuser]
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: Please consider effective permissions when assigning groups and roles.
2021-05-21 10:39:15,265 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:role] where name() = 'workflow-base'".
2021-05-21 10:39:15,266 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /workflow-base
2021-05-21 10:39:15,267 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:role] where name() = 'publisher'".
2021-05-21 10:39:15,268 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /publisher
2021-05-21 10:39:15,269 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:role] where name() = 'superuser'".
2021-05-21 10:39:15,270 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /superuser
2021-05-21 10:39:15,274 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:group] where name() = 'publishers'".
2021-05-21 10:39:15,274 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 0ms (isInstallationPhase: false): path = /publishers
2021-05-21 10:39:15,277 WARN  info.magnolia.cms.filters.ContentTypeFilter       : Content type for http://localhost:8080/.auth?state=tntof7lrii29s39u5cms7138gf&code=4%2F0AY0e-g6ble6iBROyNsVLVX_nXuox6R-J0i3da9U3vJZP1XsWssZ2mF0mLJtVlD2q7qdTfg&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=magnolia-cms.com&prompt=consent is not set.
2021-05-21 10:39:47,198 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:39:47,198 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-21 10:40:44,117 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:40:44,117 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-21 10:40:47,148 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:40:47,148 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-21 10:41:47,093 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:41:47,093 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-21 10:42:15,124 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:42:15,124 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-21 10:42:47,041 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:42:47,041 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-21 10:43:46,081 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:43:46,081 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-21 10:43:46,984 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
    com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
    csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
    javax.security.auth.Subject = Subject:
        Principal: info.magnolia.cms.security.ExternalUser@8921633
        Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
        Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
        Principal: GroupListImpl[name=groups,list={owners,publishers}]
        Principal: PrincipalCollectionImpl[name=PrincipalCollection]
-- Session is new : false
----------
2021-05-21 10:43:46,985 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null

The trace "Redirecting to original request URL" from SSOPreserveOriginalURIServlet is never reached.


Comment by Evzen Fochr [ 29/Aug/23 ]

Documented https://docs.magnolia-cms.com/magnolia-sso/3.1.6/troubleshooting.html#_unable_to_log_in_with_an_ssoopenid_setup
Closing as not an issue.

Generated at Mon Feb 12 10:50:41 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.