Invalid Authentication Response

Hello!
I’m using OOD 3.1.7 with “OnDemand Dex for LDAP” configured.
There is some strange behavior.
After logging out, if you do not close the browser tab and try to log in after a certain timeout (approximately more than 10 minutes), an error occurs (screenshot below).

Then if you refresh the page you will see a message like this.

After that, if you close the tab and reopen it, you will be taken to the login page and by clicking the button “Log in to Open OnDemand” you will be logged in.

Please advise how to fix this.

Hmmmm. Can you provide more details on why it’s a Bad Request? I’ve often seen too many cookies result in a similar error. There should be some log in /var/log/httpd/ that indicates why it’s a bad request.

  1. after receiving “Invalid Authentication Response” there are the following entries in the log:
[Tue Jul 23 17:16:45.988673 2024] [auth_openidc:error] [pid 7704:tid 140690872837696] [client 172.17.2.38:56977] oidc_restore_proto_state: state has expired, referer: https://web-hpc.frccsc.ru/dex/auth/ldap/login?back=&state=rwrvsjz7qzy2xtma6aoolran2
[Tue Jul 23 17:16:45.988762 2024] [auth_openidc:error] [pid 7704:tid 140690872837696] [client 172.17.2.38:56977] oidc_authorization_response_match_state: unable to restore state, referer: https://web-hpc.frccsc.ru/dex/auth/ldap/login?back=&state=rwrvsjz7qzy2xtma6aoolran2
[Tue Jul 23 17:16:45.988778 2024] [auth_openidc:error] [pid 7704:tid 140690872837696] [client 172.17.2.38:56977] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error..., referer: https://web-hpc.frccsc.ru/dex/auth/ldap/login?back=&state=rwrvsjz7qzy2xtma6aoolran2
  2. after getting “Bad Request”:
[Tue Jul 23 17:21:08.224261 2024] [auth_openidc:error] [pid 7704:tid 140690772190784] [client 172.17.2.38:57040] oidc_restore_proto_state: no "mod_auth_openidc_state_bIdX-rMkjXiHlX4Dk_zjicyvInM" state cookie found: check domain and samesite cookie settings, referer: https://web-hpc.frccsc.ru/dex/auth/ldap/login?back=&state=rwrvsjz7qzy2xtma6aoolran2
[Tue Jul 23 17:21:08.224321 2024] [auth_openidc:error] [pid 7704:tid 140690772190784] [client 172.17.2.38:57040] oidc_authorization_response_match_state: unable to restore state, referer: https://web-hpc.frccsc.ru/dex/auth/ldap/login?back=&state=rwrvsjz7qzy2xtma6aoolran2
[Tue Jul 23 17:21:08.224331 2024] [auth_openidc:error] [pid 7704:tid 140690772190784] [client 172.17.2.38:57040] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error..., referer: https://web-hpc.frccsc.ru/dex/auth/ldap/login?back=&state=rwrvsjz7qzy2xtma6aoolran2
  3. after closing the tab, reopening it and successfully logging in:
[Tue Jul 23 17:23:32.172295 2024] [lua:info] [pid 7703:tid 140691174778432] [client 172.17.2.38:57058] res_content_disp="" req_accept_encoding="gzip, deflate, br, zstd" req_handler="proxy-server" req_referer="https://web-hpc.frccsc.ru/dex/auth/ldap/login" req_filename="proxy:http://localhost/pun/sys/dashboard" req_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" res_location="" local_user="sdenisov" req_content_type="" req_port="443" req_protocol="HTTP/1.1" req_is_https="true" req_user_ip="172.17.2.38" res_content_location="" res_content_type="text/html; charset=utf-8" req_accept_charset="" req_is_websocket="false" time_proxy="3036.129" req_status="200" req_server_name="web-hpc.frccsc.ru" remote_user="sdenisov" req_cache_control="max-age=0" res_content_encoding="gzip" log_time="2024-07-23T14:23:32.172178.0Z" time_user_map="0.002" res_content_language="" req_hostname="web-hpc.frccsc.ru" req_accept_language="ru-ru,ru;q=0.9,en-us;q=0.8,en;q=0.7" req_uri="/pun/sys/dashboard" allowed_hosts="web-hpc.frccsc.ru" req_origin="" req_accept="text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" res_content_length="" log_hook="ood" req_method="GET", referer: https://web-hpc.frccsc.ru/dex/auth/ldap/login?back=&state=jf3e6c6cfhgzfx6hh2dd6z3gc

Looking at the mod_auth_openidc repository, you should set the OIDCDefaultURL. It doesn’t look like we set this for you, but you can set it in another .conf file in httpd’s configuration directory.

Yes, thank you very much, this solved the problem!

I noticed that when entering the authorization page, a URL is created, “https://HOST/dex/auth/ldap/login?back=&state=k7uwlgpg6oorj3o47hwndpmnq”, with session id k7uwlgpg6oorj3o47hwndpmnq.
Is it possible to make the session id not expire? Then there would be no “Invalid Authentication Response” error.

I don’t think you want sessions that don’t expire, if that’s what you’re asking for. You want sessions to expire so that some malicious user finding your session id (like this one k7uwlgpg6oorj3o47hwndpmnq) can’t use it.

If it didn’t expire, I could use it right now and impersonate you.

I can’t tell exactly if that’s what you’re asking, but yea, you want sessions to expire at some point so that malicious users can’t find them and reuse them indefinitely.

Thanks for the clarification, I understand your point.
It is enough for me to use the solution with OIDCDefaultURL.
Thanks again for your help!

