OIDC and Invalid authorization request state

[Nephilim84]

Hi,

I am having some strange behaviour regarding OIDC configuration with SSO with my self-hosted Budibase.

Indeed, I am experencing this erratic error on bdibase-worker when I try to login:
ERROR [1676393525910] (99 on f799b75d4485): Invalid authorization request state. ForbiddenError: Invalid authorization request state. at Object.throw (/app/packages/worker/node_modules/koa/lib/context.js:97:11) at /app/packages/worker/dist/api/controllers/global/auth.js:45:29 at Generator.next (<anonymous>) at /app/packages/worker/dist/api/controllers/global/auth.js:8:71 at new Promise (<anonymous>) at __awaiter (/app/packages/worker/dist/api/controllers/global/auth.js:4:12) at authInternal (/app/packages/worker/dist/api/controllers/global/auth.js:39:12) at /app/packages/worker/dist/api/controllers/global/auth.js:241:15 at Generator.next (<anonymous>) at /app/packages/worker/dist/api/controllers/global/auth.js:8:71 at new Promise (<anonymous>) at __awaiter (/app/packages/worker/dist/api/controllers/global/auth.js:4:12) at /app/packages/worker/dist/api/controllers/global/auth.js:240:118 at callback (/app/packages/backend-core/node_modules/koa-passport/lib/framework/koa.js:93:25) at allFailed (/app/packages/backend-core/node_modules/passport/lib/middleware/authenticate.js:107:18) at attempt (/app/packages/backend-core/node_modules/passport/lib/middleware/authenticate.js:180:28)

What is strange is that if I refresh the login page and try to sign in again on budibase, the OIDC connection and SSO works. So it looks that fresh new logins are being denied at first connection. The successive logins do work.

I have configured OIDC with the following parameters:
Config URL: https://oidc_server/v1/.well-known/openid-configuration
Callback URL: https://budibase_server/api/global/auth/oidc/callback

When analyzing the authentication flow when connecting, it does look that the state parameter is not URL encoded correctly when coming back from the OIDC server:

Auth request sent from client:
https://oidc_server/v1/authorize?response_type=code&client_id=xxx&redirect_uri=https%3A%2F%2budibase_server%2Fapi%2Fglobal%2Fauth%2Foidc%2Fcallback&scope=openid%20profile%20email%20offline_access&state=%7B%22handle%22%3A%22eMAHilX6ZYSbBRTJztAqhKi9%22%7D

Answer from Auth request:
https://budibase_server/api/global/auth/oidc/callback?code=xxx&state={%22handle%22:%22eMAHilX6ZYSbBRTJztAqhKi9%22}

Could that be the issue ?

Thanks in advance for any help

[melohagan]

Hey @Nephilim84

What OIDC provider are you using? A video recording of the problem or some screenshots could be helpful for us to investigate as well.

[Nephilim84]

Hi @melohagan ,
Thanks for the quick reply, I am using F5 OIDC server to communication with our internal AD and allow SSO authentication.
Here is a snapshot of an auth failed request flow:

It looks like that the url encoding is missing somewhere so that the special characters contained in the state GET header is not correctly decoded by budibase-worker.

When a correct login is achieved, no special character appear in the state header so the authentication payload is correctly validated by the budibase-worker:

Hope this brings more understanding on this issue.

[melohagan]

Thank you for the extra info @Nephilim84

I have raised a bug issue here: #9846

[mielune]

I have the same issue with my OIDC provider and it is due to the '+' char in the state parameter that is decoded (not the other % encoded chars) and then at the end of the OAuth workflow, BB reject the received state due to a changed value :

Some details here :

BB request

End of process with redirect to BB

BB reject the final value of the state received from the OIDC provider state: {"handle":"ODEn9SbityzQFPMwmLGE d1l"} it is not the same than the original one sent by BB state: {"handle":"ODEn9SbityzQFPMwmLGE+d1l"}