OAuthRequestAuthenticator. state parameter invalid. Invalid value in OAuth_Token_Request_State cookie

Hi all.

I have an occasional problem with authentication in a Spring Boot secured app.

I have KC 14.0.0 in HA mode, behind a reverse proxy, and it clusters correctly. The realm is configured with Microsoft AD, and the Kerberos/SPNEGO integration is enabled.

I have a lot of apps, developed with Spring Boot and secured with Spring Security against this KC. The apps are deployed on two Tomcat 9 instances, behind the reverse proxy.

OK, only occasionally, one app shows the user a 401 Tomcat error screen.

HTTP 401 - Unauthorized
Unable to authenticate using the Authorization header

It happens when KC authenticates the user correctly and returns to the path /sso/login in the app with the params state, session_state and code.

In the app log I found this:
OAuthRequestAuthenticator - state parameter invalid
OAuthRequestAuthenticator - cookie: 69c927fe-96ef-457a-826b-50d15282ce68
OAuthRequestAuthenticator - queryParam: 6fdb4952-ac71-42a4-9ff4-f826eb363a4c

Debugging the code, I think that the state value of the OAuth_Token_Request_State cookie in the user's browser is different from the state value returned from KC. But WHY?

It only happens rarely, and I suspect that it happens when the user session expires in KC (10 hours).

Any idea???

Thank you very much for your help.

OK, I checked: when the error appears, it is because the browser sends two authentication requests to KC practically at the same time. This happens in the Chrome browser.

The second request overwrites the value of the OAuth_Token_Request_State cookie and, on return of the first request from KC, the value of state is different. This is the log of the Spring Boot app:

2021-07-30 09:13:47.325 [DEBUG] [app name] [http-nio-8080-exec-53] PreAuthActionsHandler - adminRequest http://app.domain.com/app-name/sso/login?param-name=7473
2021-07-30 09:13:47.326 [DEBUG] [app name] [http-nio-8080-exec-53] KeycloakAuthenticationProcessingFilter - Request is to process authentication
2021-07-30 09:13:47.326 [DEBUG] [app name] [http-nio-8080-exec-53] OAuthRequestAuthenticator - there was no code
2021-07-30 09:13:47.326 [DEBUG] [app name] [http-nio-8080-exec-53] OAuthRequestAuthenticator - redirecting to auth server
2021-07-30 09:13:47.327 [DEBUG] [app name] [http-nio-8080-exec-53] OAuthRequestAuthenticator - callback uri: http://app.domain.com/app-name/sso/login?param-name=7473
2021-07-30 09:13:47.327 [DEBUG] [app name] [http-nio-8080-exec-53] OAuthRequestAuthenticator - Sending redirect to login page: https://kc.domain.com/auth/realms/realm-name/protocol/openid-connect/auth?response_type=code&client_id=app-name&redirect_uri=http%3A%2F%2Fapp.domain.com%2Fapp-name%2Fsso%2Flogin?param-name%3D7473&state=8ba2b92f-a3b8-4cda-98e9-4281ded3576f&login=true&scope=openid
2021-07-30 09:13:47.340 [DEBUG] [app name] [http-nio-8080-exec-55] PreAuthActionsHandler - adminRequest http://app.domain.com/app-name/sso/login?param-name=7473
2021-07-30 09:13:47.340 [DEBUG] [app name] [http-nio-8080-exec-55] KeycloakAuthenticationProcessingFilter - Request is to process authentication
2021-07-30 09:13:47.340 [DEBUG] [app name] [http-nio-8080-exec-55] OAuthRequestAuthenticator - there was no code
2021-07-30 09:13:47.341 [DEBUG] [app name] [http-nio-8080-exec-55] OAuthRequestAuthenticator - redirecting to auth server
2021-07-30 09:13:47.341 [DEBUG] [app name] [http-nio-8080-exec-55] OAuthRequestAuthenticator - callback uri: http://app.domain.com/app-name/sso/login?param-name=7473
2021-07-30 09:13:47.341 [DEBUG] [app name] [http-nio-8080-exec-55] OAuthRequestAuthenticator - Sending redirect to login page: https://kc.domain.com/auth/realms/realm-name/protocol/openid-connect/auth?response_type=code&client_id=app-name&redirect_uri=http%3A%2F%2Fapp.domain.com%2Fapp-name%2Fsso%2Flogin?param-name%3D7473&state=03f328f9-15d2-42da-8d6f-55f35ca52a65&login=true&scope=openid
2021-07-30 09:13:48.576 [DEBUG] [app name] [http-nio-8080-exec-40] PreAuthActionsHandler - adminRequest http://app.domain.com/app-name/sso/login?param-name=7473&state=8ba2b92f-a3b8-4cda-98e9-4281ded3576f&session_state=ce3b5eaa-edc1-4eec-acbd-b10d3bd3bc6b&code=f01bbccc-8591-4268-a402-90c10b564f1b.ce3b5eaa-edc1-4eec-acbd-b10d3bd3bc6b.a700741c-6ed9-4c95-afe8-d693288ad5c5
2021-07-30 09:13:48.577 [DEBUG] [app name] [http-nio-8080-exec-40] KeycloakAuthenticationProcessingFilter - Request is to process authentication
2021-07-30 09:13:48.578 [DEBUG] [app name] [http-nio-8080-exec-40] OAuthRequestAuthenticator - there was a code, resolving
2021-07-30 09:13:48.578 [DEBUG] [app name] [http-nio-8080-exec-40] OAuthRequestAuthenticator - checking state cookie for after code
2021-07-30 09:13:48.578 [DEBUG] [app name] [http-nio-8080-exec-40] OAuthRequestAuthenticator - ** reseting application state cookie
2021-07-30 09:13:48.578 [WARN ] [app name] [http-nio-8080-exec-40] OAuthRequestAuthenticator - state parameter invalid
2021-07-30 09:13:48.578 [WARN ] [app name] [http-nio-8080-exec-40] OAuthRequestAuthenticator - cookie: 03f328f9-15d2-42da-8d6f-55f35ca52a65
2021-07-30 09:13:48.578 [WARN ] [app name] [http-nio-8080-exec-40] OAuthRequestAuthenticator - queryParam: 8ba2b92f-a3b8-4cda-98e9-4281ded3576f
2021-07-30 09:13:48.583 [DEBUG] [app name] [http-nio-8080-exec-40] KeycloakAuthenticationProcessingFilter - Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details

Has anyone encountered this problem? Any idea how to resolve it?

Thank you in advance.
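The race visible in the log above, reproduced as an added example (this is not the poster's application code nor the Keycloak adapter's implementation, and the class and endpoint names below are assumed). A relying party that stores exactly one pending state in the OAuth_Token_Request_State cookie is modelled alongside a browser cookie jar in which the last Set-Cookie wins, and the callback mirrors the order seen in the log: the cookie is cleared first, then compared against the state query parameter. As a contrast, a second relying-party variant keeps a bounded list of outstanding states in the cookie so that two login redirects started back to back can both complete, while still rejecting unknown or replayed states.

```python
"""Simulation of the OIDC `state` cookie race described in the thread.

Added example, not the Keycloak adapter's code. All names, endpoints and
the "pipe-separated list of states" cookie format are assumptions made
for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

STATE_COOKIE = "OAuth_Token_Request_State"
AUTH_ENDPOINT = "https://kc.example.com/auth/realms/realm-name/protocol/openid-connect/auth"  # assumed
REDIRECT_URI = "http://app.example.com/app-name/sso/login"  # assumed


class BrowserCookieJar:
    """Browser-side storage: one value per cookie name, the last Set-Cookie wins."""

    def __init__(self) -> None:
        self.cookies: Dict[str, str] = {}

    def apply(self, set_cookie: Dict[str, Optional[str]]) -> None:
        for name, value in set_cookie.items():
            if value is None:            # a Max-Age=0 style deletion
                self.cookies.pop(name, None)
            else:
                self.cookies[name] = value


@dataclass
class Response:
    status: int
    set_cookie: Dict[str, Optional[str]] = field(default_factory=dict)
    location: Optional[str] = None
    body: str = ""


class SingleStateRP:
    """Relying party that remembers exactly one pending state, as in the log."""

    def begin_login(self, cookies: Dict[str, str]) -> Response:
        state = secrets.token_urlsafe(16)
        location = AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": "app-name",
            "redirect_uri": REDIRECT_URI, "state": state, "scope": "openid"})
        return Response(302, {STATE_COOKIE: state}, location=location)

    def callback(self, cookies: Dict[str, str], query: Dict[str, str]) -> Response:
        expected = cookies.get(STATE_COOKIE, "")
        got = query.get("state", "")
        # Log order: the state cookie is reset on every callback, then compared.
        cleared = {STATE_COOKIE: None}
        if not expected or not secrets.compare_digest(expected.encode(), got.encode()):
            return Response(401, cleared, body="state parameter invalid")
        return Response(200, cleared, body="authenticated")


class MultiStateRP(SingleStateRP):
    """Variant tolerant of concurrent login starts: the cookie carries the last
    MAX_PENDING states; a callback must match one of them and consumes it."""

    MAX_PENDING = 5

    @staticmethod
    def _pending(cookies: Dict[str, str]) -> List[str]:
        return [s for s in cookies.get(STATE_COOKIE, "").split("|") if s]

    def begin_login(self, cookies: Dict[str, str]) -> Response:
        resp = super().begin_login(cookies)
        new_state = resp.set_cookie[STATE_COOKIE]
        pending = (self._pending(cookies) + [new_state])[-self.MAX_PENDING:]
        resp.set_cookie[STATE_COOKIE] = "|".join(pending)
        return resp

    def callback(self, cookies: Dict[str, str], query: Dict[str, str]) -> Response:
        pending = self._pending(cookies)
        got = query.get("state", "")
        if not any(secrets.compare_digest(s.encode(), got.encode()) for s in pending):
            # Unknown state: reject, but leave the other outstanding logins intact.
            return Response(401, body="state parameter invalid")
        remaining = [s for s in pending if s != got]          # single use
        return Response(200, {STATE_COOKIE: "|".join(remaining) or None}, body="authenticated")


def state_from_location(location: str) -> str:
    return parse_qs(urlparse(location).query)["state"][0]


def run_callbacks(rp: SingleStateRP, jar: BrowserCookieJar, states: List[str]) -> List[int]:
    statuses = []
    for i, state in enumerate(states):
        resp = rp.callback(jar.cookies, {"state": state, "code": f"constructed-code-{i}"})
        jar.apply(resp.set_cookie)
        statuses.append(resp.status)
    return statuses


def simulate(rp: SingleStateRP, concurrent_logins: int) -> List[int]:
    """Start N login redirects before any callback returns (N=2 is the Chrome case
    in the post), then deliver the callbacks in the order the redirects were sent."""
    jar = BrowserCookieJar()
    states = []
    for _ in range(concurrent_logins):
        resp = rp.begin_login(jar.cookies)
        jar.apply(resp.set_cookie)
        states.append(state_from_location(resp.location))
    return run_callbacks(rp, jar, states)


def simulate_forged_state(rp: SingleStateRP) -> int:
    """A callback carrying a state the RP never issued (a CSRF attempt) must fail."""
    jar = BrowserCookieJar()
    jar.apply(rp.begin_login(jar.cookies).set_cookie)
    return run_callbacks(rp, jar, ["constructed-forged-state"])[0]


def simulate_replay(rp: SingleStateRP) -> List[int]:
    """Delivering the same valid callback twice must succeed once only."""
    jar = BrowserCookieJar()
    resp = rp.begin_login(jar.cookies)
    jar.apply(resp.set_cookie)
    state = state_from_location(resp.location)
    return run_callbacks(rp, jar, [state, state])


if __name__ == "__main__":
    print("single-state, one login:      ", simulate(SingleStateRP(), 1))
    print("single-state, two logins:     ", simulate(SingleStateRP(), 2))
    print("multi-state,  two logins:     ", simulate(MultiStateRP(), 2))
    print("multi-state,  forged state:   ", simulate_forged_state(MultiStateRP()))
```

With two redirects in flight, the single-state party rejects the first callback because the cookie now holds the second state, and, because the cookie is cleared on that failure, the second callback fails as well. The list variant lets both complete, keeps each state single-use, bounds how many can be outstanding, and still returns 401 for a state it never issued. It is only an illustration of the design space; it does not explain why the browser issues the duplicate request in the first place.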

Hello,

Were you able to find a solution?

I'm having the same problem that you are describing; it might be something related to

https://issues.redhat.com/browse/KEYCLOAK-1828?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel