[MGNLSSO-65] CLONE - Session lost & authentication broken with CookieProcessor sameSiteCookies="Strict" Created: 04/Jul/21  Updated: 23/Feb/23  Resolved: 23/Feb/23

Status: Closed
Project: Single Sign On
Component/s: sso-connector
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Blocker
Reporter: Nikhil Dindorkar Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Latest Magnolia Cloud Simulator with Magnolia 6.2.8 bundle, sso 2.7.0 and GoogleOpenId configured


Attachments: Dockerfile (HTML file), context.xml (XML file), jaas.config (file)
Issue Links:
Cloners
clones MGNLSSO-56 Session lost & authentication broken ... Closed
Relates
relates to MAGNOLIA-8112 Login/logout redirects from https to ... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: SSO maintenance
Team: AdminX

Description

Latest magnolia-tomcat bundles come with this parameter included in the context.xml:

<CookieProcessor sameSiteCookies="Strict" />

This parameter was also included in Magnolia Cloud by default: https://git.magnolia-cms.com/projects/OD/repos/mgnl-images/commits/fab9d7975f613f77bda1638ea73ea0c2214e966f#cloud-base/roles/magnolia-server/templates/context.xml

This causes the session to be lost between steps 1 and 2 of the OpenID authorization code flow implementation. If the session is lost, step 2 can't be completed, so the code sent by Google to Magnolia (as a background call) is never handled and the token can't be retrieved from Google's token endpoint, which would be step 3.
This is the part of SSOLoginHandler's code for step 2 that relies on a session attribute (already set in step 1):

    public LoginResult handle(HttpServletRequest request, HttpServletResponse response) {
        // Step 2 depends on the attribute that step 1 stored in the session
        OICServiceRequest oicServiceRequest =
                (OICServiceRequest) request.getSession().getAttribute("ssoAuthenticationServiceRequest");
        if (oicServiceRequest != null) {
            ...
        }
        // Reached when the session (and with it the attribute) is gone
        return LoginResult.NOT_HANDLED;
    }

Since NOT_HANDLED is returned, Magnolia continues to the next login handler, FormLogin, instead of continuing with the OpenID flow (retrieving the token, etc.).
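To make the mechanism behind the lost session concrete, here is an added example (not Magnolia, Tomcat or Google code) that models the browser's SameSite cookie rules and runs the two first steps of the authorization code flow against a stand-in for the login handler above. The hostnames, the JSESSIONID values, the "constructed-" state and code values and the context.xml fragments are constructed for illustration; the handler logic mirrors the snippet above (proceed only if the session attribute survived), and samesite_setting reads the CookieProcessor attribute the way a reviewer would check a deployed context.xml. The example goes slightly beyond the issue by also showing the Lax and None settings and the form_post response mode.

```python
"""Added example (not Magnolia, Tomcat or Google code): a small model of the
browser's SameSite cookie rules applied to the authorization code flow from
this issue.  Hostnames, session IDs, state/code values and the context.xml
fragments are constructed for illustration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

APP = "https://magnolia.example"      # assumed relying-party host (the Magnolia instance)
IDP = "https://accounts.google.com"   # identity provider named in the issue


def same_site(url_a: str, url_b: str) -> bool:
    """Approximate 'same site' as 'same host'; enough for a two-host model."""
    return urlparse(url_a).hostname == urlparse(url_b).hostname


@dataclass
class Cookie:
    name: str
    value: str
    site: str       # URL of the site that set the cookie
    samesite: str   # "Strict", "Lax" or "None" (same vocabulary as Tomcat's sameSiteCookies)


def cookie_is_sent(cookie: Cookie, request_url: str, initiator_url: str,
                   top_level: bool, method: str) -> bool:
    """SameSite rules of RFC 6265bis for one request.  initiator_url is the page or
    redirecting server that caused the request, so the IdP's redirect back to the
    app is a cross-site top-level navigation."""
    if not same_site(cookie.site, request_url):
        return False                      # cookie belongs to a different site
    if same_site(initiator_url, request_url):
        return True                       # same-site request: always attached
    mode = cookie.samesite.lower()
    if mode == "none":
        return True                       # cross-site allowed (needs Secure in real browsers)
    if mode == "lax":
        return top_level and method.upper() in ("GET", "HEAD")  # safe top-level navigations only
    return False                          # strict: never attached to a cross-site request


class Browser:
    """Cookie jar that applies cookie_is_sent when building a request."""
    def __init__(self) -> None:
        self.jar: list[Cookie] = []

    def cookies_for(self, request_url: str, initiator_url: str,
                    top_level: bool = True, method: str = "GET") -> dict:
        return {c.name: c.value for c in self.jar
                if cookie_is_sent(c, request_url, initiator_url, top_level, method)}


@dataclass
class AppServer:
    """Stand-in for Tomcat plus the SSO login handler; samesite mirrors <CookieProcessor sameSiteCookies>."""
    samesite: str
    sessions: dict = field(default_factory=dict)
    counter: int = 0

    def step1_start_login(self, browser: Browser) -> str:
        """Step 1: create a session, park the pending SSO request in it, redirect to the IdP."""
        self.counter += 1
        sid = f"sess-{self.counter}"
        self.sessions[sid] = {"ssoAuthenticationServiceRequest": {"state": "constructed-state"}}
        browser.jar.append(Cookie("JSESSIONID", sid, APP, self.samesite))
        return f"{IDP}/o/oauth2/v2/auth?state=constructed-state"

    def step2_handle_callback(self, request_cookies: dict) -> str:
        """Step 2: continue only if the step-1 attribute is still in the session."""
        session = self.sessions.get(request_cookies.get("JSESSIONID"))
        if session is None:
            session = {}                  # Tomcat creates a fresh, empty session ("Session is new : true")
        if "ssoAuthenticationServiceRequest" in session:
            return "HANDLED"              # token exchange (step 3) can proceed
        return "NOT_HANDLED"              # falls through to FormLogin, as in the log


def simulate_login(samesite: str, response_mode: str = "query") -> str:
    """Run steps 1 and 2; response_mode 'form_post' models an IdP that POSTs the code back."""
    browser, app = Browser(), AppServer(samesite)
    idp_url = app.step1_start_login(browser)
    callback = f"{APP}/.auth?state=constructed-state&code=constructed-code"
    method = "POST" if response_mode == "form_post" else "GET"
    sent = browser.cookies_for(callback, initiator_url=idp_url, top_level=True, method=method)
    return app.step2_handle_callback(sent)


def samesite_setting(context_xml: str) -> str:
    """Read sameSiteCookies from a Tomcat context.xml; 'unset' is Tomcat's default when absent."""
    processor = ET.fromstring(context_xml).find("CookieProcessor")
    if processor is None:
        return "unset"
    return processor.get("sameSiteCookies", "unset").lower()


# Constructed context.xml fragments: the setting from the issue and a relaxed one.
STRICT_CONTEXT_XML = '<Context><CookieProcessor sameSiteCookies="Strict" /></Context>'
LAX_CONTEXT_XML = '<Context><CookieProcessor sameSiteCookies="lax" /></Context>'

if __name__ == "__main__":
    for mode in ("Strict", "Lax", "None"):
        print(f"sameSiteCookies={mode:<6} -> step 2 {simulate_login(mode)}")
    print("Lax with form_post    -> step 2", simulate_login("Lax", "form_post"))
    print("context.xml settings:", samesite_setting(STRICT_CONTEXT_XML), samesite_setting(LAX_CONTEXT_XML))
```

Run stand-alone, the model reproduces the issue: with Strict the JSESSIONID cookie is withheld from the redirect coming back from the IdP, the server sees a new empty session and the handler returns NOT_HANDLED, exactly the "Session is new : true" followed by FormLogin in the log above. With lax the cookie is attached to the top-level GET callback that the query response mode uses, so step 2 finds its attribute; note that an IdP configured for the form_post response mode still loses the session under Lax, so only None (with Secure) covers that case.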

Here is the log taken from cloud simulator with session debugger enabled:

2021-05-20 13:18:40,425 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@49c25143
    ssoAuthenticationServiceRequest = info.magnolia.connector.sso.oic.service.OICServiceRequest@7c24be21
    csrf = CfrFh6UyLV9mtURZGZuDDnGAk2A
-- Session is new : false
----------2021-05-20 13:18:40,425 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-20 13:18:40,426 INFO  ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:40,426 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /
2021-05-20 13:18:47,516 WARN  info.magnolia.debug                               : -- Session found
-- Session attributes :
    Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@4dea3181
-- Session is new : true
----------2021-05-20 13:18:47,517 DEBUG info.magnolia.cms.security.auth.login.FormLogin   : handle login for null
2021-05-20 13:18:47,517 INFO  ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:47,518 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /.auth?state=98g1hh2l5balifitprl5vfn93u&code=4%2F0AY0e-g4aWzOqjIcDmGtD_sQ0ViaUoSyRvDF-rKkeRWCfsKSRigZLUyJ1UqGTNBrgQu9PLQ&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=magnolia-cms.com&prompt=consent


The Dockerfile, context.xml and jaas.config files used are attached.



Comments
Comment by Matt Rajkovic [ 23/Feb/23 ]

Closing as duplicate, I think this was raised by mistake.

Generated at Mon Feb 12 10:50:46 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.