State value is converting into cookie when passed from Public to protected

[pulkumar]

HI team,

we are seeing few issues while migrating our ping agents to okta with OIDC mechanism on linux machines. we have below architecture which serves Perl application.

CECWEB-->CDCIRP-->CDCWPB-->APP SERVERS

CECWEB Layer we have migrated from PING to OKTA with OIDC module.
CDCIRP Layer we have migrated from PING AGENTS to OKTA with OIDC module.

When calling https://wwwin-dev.cisco.com/it/gtrc/xxgtrc/ltsc/location.shtml?location=101 which resides in cecweb layer where traffic coming from cgi-bin,pcgi-bin set free,which in turn calls one .cgi script which is set protected in cdcirp layer. we see the request errors out at the redirect uri (https://wwwin-dev.cisco.com/protected/openid.html?code=7186hIErHDon4CgNBjCp0Ux8HEuOTSxFY5xmhLcgAeA&state=A15C9haBTKgYCD2HVugR8iTpkgg) as it cannot find the state.

where calling .cgi URL (https://wwwin-dev.cisco.com/pcgi-bin/it/gtrc/core/ltsc/get_locations.cgi) from other tab is able to convert state value to cookie in IRP and failing when calling from public SHTML URL

SHTML Script : https://wwwin-dev.cisco.com/it/gtrc/xxgtrc/ltsc/location.shtml?location=101 -- servers from CECWEB (Public URL)
[pulkumar@cecweb-nprd3-01 CSR]$ less /opt/httpd/root-wwwin-ssl/htdocs/it/gtrc/ltsc/location.shtml |grep .cgi

CGI path :https://wwwin-dev.cisco.com/pcgi-bin/it/gtrc/core/ltsc/get_locations.cgi -- servers from CDCAPP (Protected in CDCIRP layer )

Error in CDCIRP:
Thu Feb 02 01:28:19.239155 2023] [auth_openidc:error] [pid 1056:tid 140386148271872] [client 173.38.18.13:30878] oidc_restore_prot
o_state: no "mod_auth_openidc_state_4-to45hGKk-t0cEMPXW0M8uHldw" state cookie found: check domain and samesite cookie settings [Thu Feb 02 01:28:19.239171 2023] [auth_openidc:error] [pid 1056:tid 140386148271872] [client 173.38.18.13:30878] oidc_authorizatio
n_response_match_state: unable to restore state

Can you please help us on how to convert state value form public URL to protected URL

[pulkumar]

@zandbelt can you please help here

[zandbelt]

this is very use case specific and not clearly described; assuming you're working for Cisco, which is a commercial support customer, you can contact support@openidc.com (from a Cisco e-mail address) whilst providing exhaustive information such as platform, version of the module, server debug logs, browser details and browser traces/logs