how to configure correct state transfer in pac4j

81 views Asked by At

On my quest to implement an OIDC connection with pac4j (on client side) I have hit another roadblock. It seems that the state transfer via URL is not working or propery configured:

The auth request:

https://authserver.com/mini-sinai/auth?scope=openid profile email&response_type=code&
redirect_uri=https://client.com/jee-pac4j-demo/callback?client_name=MiniSinai&
state=e8e3b77123&nonce=vvDVEE3hv70GLUvDVG5IyaU30S6EJqsAjGHEyuUg_NA&
client_id=9d9a41d95b4907ca13ac60b0568aa3

Is returning:

302 https://client.com/jee-pac4j-demo/callback?client_name=MiniSinai&
code=TrCQCp02fodz071SdKTXisZseJFcNwWJcFs7z3772tw&state=e8e3b77123

But then the client reports this:

org.pac4j.oidc.exceptions.OidcMissingSessionStateException: State cannot be determined
    org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.lambda$extract$0(OidcCredentialsExtractor.java:118)
    java.base/java.util.Optional.orElseThrow(Optional.java:403)
    org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(OidcCredentialsExtractor.java:118)
    org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:74)
    org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:83)
    org.pac4j.demo.jee.DemoConfigFactory$MyCallbackLogic.perform(DemoConfigFactory.java:126)
    org.pac4j.jee.filter.CallbackFilter.internalFilter(CallbackFilter.java:63)
    org.pac4j.jee.config.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:92)

Which irritates me as the state is present in the callback. (Both services on the the host worked just fine, hence I assume that the state comes from the tomcat-session). Do I have to configure pac4j in a special way in order to allow state transfer via URI?

1

There are 1 answers

2
jleleu On BEST ANSWER

The generated state is sent to the authorize endpoint and saved into the web session.

The retrieved state on the callback URL is compared to the one retrieved from the web session.

The error: "State cannot be determined" is when you are not able to retrieved the saved state from the web session. So you might have an issue with your web session. What do you see for the JSESSIONID cookie on the HTTP requests?