[MGNLSSO-65] CLONE - Session lost & authentication broken with CookieProcessor sameSiteCookies="Strict"
Created: 04/Jul/21 | Updated: 23/Feb/23 | Resolved: 23/Feb/23

| Status: | Closed |
| Project: | Single Sign On |
| Component/s: | sso-connector |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Blocker |
| Reporter: | Nikhil Dindorkar |
| Assignee: | Unassigned |
| Resolution: | Duplicate |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Latest Magnolia Cloud Simulator with Magnolia 6.2.8 bundle, sso 2.7.0 and GoogleOpenId configured |
| Epic Link: | SSO maintenance |
| Description |

The latest magnolia-tomcat bundles come with this parameter included in the context.xml:

<CookieProcessor sameSiteCookies="Strict" />

This parameter was also included in Magnolia Cloud by default: https://git.magnolia-cms.com/projects/OD/repos/mgnl-images/commits/fab9d7975f613f77bda1638ea73ea0c2214e966f#cloud-base/roles/magnolia-server/templates/context.xml

This will cause the session to be lost between steps 1 and 2 of OpenID's authorization code flow implementation. If the session is lost, step 2 can't be completed, so the code sent by Google to Magnolia (as a background call) is never handled and the token can't be retrieved from Google's token endpoint, which would be step 3.
public LoginResult handle(HttpServletRequest request, HttpServletResponse response) {
    // The request object stored in step 1 is only found if the browser sent the session cookie
    OICServiceRequest oicServiceRequest = (OICServiceRequest) request.getSession()
            .getAttribute("ssoAuthenticationServiceRequest");
    if (oicServiceRequest != null) {
        ...
    }
    // Reached with a fresh, empty session: the code in the callback is never processed
    return LoginResult.NOT_HANDLED;
}
Since NOT_HANDLED is returned, Magnolia continues to the next login handler, which is FormLogin, instead of continuing with the OpenID flow (retrieving the token, etc.). Here is the log taken from the cloud simulator with the session debugger enabled:
2021-05-20 13:18:40,425 WARN info.magnolia.debug : -- Session found
-- Session attributes :
Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@49c25143
ssoAuthenticationServiceRequest = info.magnolia.connector.sso.oic.service.OICServiceRequest@7c24be21
csrf = CfrFh6UyLV9mtURZGZuDDnGAk2A
-- Session is new : false
----------2021-05-20 13:18:40,425 DEBUG info.magnolia.cms.security.auth.login.FormLogin : handle login for null
2021-05-20 13:18:40,426 INFO ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:40,426 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /
2021-05-20 13:18:47,516 WARN info.magnolia.debug : -- Session found
-- Session attributes :
Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@4dea3181
-- Session is new : true
----------2021-05-20 13:18:47,517 DEBUG info.magnolia.cms.security.auth.login.FormLogin : handle login for null
2021-05-20 13:18:47,517 INFO ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:47,518 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /.auth?state=98g1hh2l5balifitprl5vfn93u&code=4%2F0AY0e-g4aWzOqjIcDmGtD_sQ0ViaUoSyRvDF-rKkeRWCfsKSRigZLUyJ1UqGTNBrgQu9PLQ&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=magnolia-cms.com&prompt=consent
The Dockerfile, context.xml and jaas.config files used are attached.
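The failure described above comes down to one browser rule: a cookie marked SameSite=Strict is never attached to a request whose initiator is another site, and the redirect from Google back to /.auth is exactly such a cross-site top-level navigation. The following model, added here as an illustration and not code from Magnolia, Tomcat or the sso-connector, walks the three steps of the flow for each SameSite value and shows what a handler shaped like the one quoted in the ticket then sees. The host names, the session store and the authorization code are constructed; the `state` value is the one from the ticket's log.

```python
"""Model of how a browser's SameSite rule decides whether the session cookie
accompanies each request of the OpenID Connect authorization code flow, and
what a callback handler shaped like the one in the ticket then observes.
Constructed illustration; not Magnolia, Tomcat or sso-connector code."""
from urllib.parse import urlsplit, parse_qs

# Constructed host names for the illustration.
MAGNOLIA = "author.example.test"   # site serving Magnolia and the /.auth callback
IDP = "accounts.google.com"        # authorization endpoint the user is sent to


def registrable_domain(host: str) -> str:
    # Sufficient for the two hosts above; real browsers consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(same_site: str, initiator_host: str, target_host: str,
                   top_level: bool, method: str) -> bool:
    """Browser rule: does a cookie with this SameSite value accompany the request?
    Strict -> only for same-site initiators.
    Lax    -> same-site, or a cross-site top-level navigation with a safe method.
    None   -> always (real browsers additionally require the Secure attribute)."""
    if registrable_domain(initiator_host) == registrable_domain(target_host):
        return True
    if same_site == "Strict":
        return False
    if same_site == "Lax":
        return top_level and method in ("GET", "HEAD")
    return True


class SessionStore:
    """Minimal stand-in for the servlet container's session map."""
    def __init__(self):
        self._sessions = {}
        self._counter = 0

    def session_for(self, cookie_value):
        """Return (session, is_new). An absent or unknown cookie yields a fresh session,
        which is the 'Session is new : true' line in the ticket's log."""
        if cookie_value in self._sessions:
            return self._sessions[cookie_value], False
        self._counter += 1
        sid = f"sess{self._counter}"
        self._sessions[sid] = {"id": sid}
        return self._sessions[sid], True


def handle(session: dict, params: dict) -> str:
    """Same shape as the handler quoted in the ticket: no stored request -> NOT_HANDLED,
    which lets Magnolia fall through to the next login handler (FormLogin)."""
    stored = session.get("ssoAuthenticationServiceRequest")
    if stored is None:
        return "NOT_HANDLED"
    if stored["state"] != params.get("state", [None])[0]:
        return "FAILED"          # state mismatch: the callback is rejected
    return "SUCCESS"             # step 3 would now exchange the code for tokens


def run_flow(same_site: str) -> dict:
    store = SessionStore()
    # Step 1: first request to Magnolia, no cookie yet -> new session; the pending
    # request is stored in it and the browser receives the session cookie.
    session, _ = store.session_for(None)
    session["ssoAuthenticationServiceRequest"] = {"state": "98g1hh2l5balifitprl5vfn93u"}
    browser_cookie = session["id"]
    # The user is redirected to the IdP and authenticates there (not modelled).
    # Step 2: the IdP sends the browser back with a top-level GET to the callback.
    callback = "/.auth?state=98g1hh2l5balifitprl5vfn93u&code=CONSTRUCTED_CODE"
    sent = cookie_is_sent(same_site, initiator_host=IDP, target_host=MAGNOLIA,
                          top_level=True, method="GET")
    session2, is_new = store.session_for(browser_cookie if sent else None)
    result = handle(session2, parse_qs(urlsplit(callback).query))
    return {"cookie_sent": sent, "session_is_new": is_new, "login_result": result}


if __name__ == "__main__":
    for value in ("Strict", "Lax", "None"):
        print(value, run_flow(value))
```

With "Strict" the cookie stays home, the container hands out a new session, and the handler returns NOT_HANDLED, which is the sequence visible in the ticket's second log block. With "Lax" the same top-level GET carries the cookie and the stored request is found; Tomcat's CookieProcessor accepts `lax` as the value of `sameSiteCookies`, and that is the setting that keeps an IdP callback delivered by redirect working. Note that Lax still withholds the cookie from a cross-site POST, so a provider configured to post the code back (the form_post response mode) would fail in the same way even with Lax.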
| Comments |

Comment by Matt Rajkovic [ 23/Feb/23 ]

Closing as duplicate, I think this was raised by mistake.