two simultaneous requests on same URL, different redirect results

[leo-b]

Hi!

I am using mod_auth_openidc in a reverse proxy to secure the homeassistant web-frontend.

Unfortunately, after the oidc session expired, the web-interface currently doesn't correctly re-authenticate and gets a 400 Bad request due to expired state cookies.

I investigated the requests using the chrome developer-tools: It seems that there are two simultaneous requests for the start page (/lovelace/default_view): One from the main browser thread and one from a service worker:

• The first one, coming from the main thread gets a 302 Found redirect with a Location header redirecting to the /authorize endpoint correctly using a new state parameter.

• However the second one yields a 303 Response and a Location header containing an old expired state parameter, which finally results in an "invalid authorization response state and no default SSO URL is set, sending an error" 400 error.

As I cannot see an entry corresponding to the second request in the access_log, I guess the second one will be the result of some illegal caching? (There is not even a single 303 redirect in the access log.)

The chrome .har file and some relevant access_log and error_log lines are attached. (I guess I should invalidate my IDP session now..)

Do you have any hints how to prevent this kind of caching? (As you can see there are already "no-cache" headers present.)

Cheers,
--leo

10.0.0.116 - - [06/Jan/2023:00:47:46 +0100] "POST /auth/token HTTP/1.1" 401 - 381 "https://ha.kloburg.at/lovelace/default_view" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
10.0.0.116 - - [06/Jan/2023:00:47:46 +0100] "GET /api/websocket HTTP/1.1" 200 websocket - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
10.0.0.116 - - [06/Jan/2023:00:47:47 +0100] "GET /lovelace/default_view HTTP/1.1" 302 - 524 "https://ha.kloburg.at/lovelace/default_view" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
10.0.0.116 - - [06/Jan/2023:00:47:47 +0100] "GET /oidc/callback?code=jjbULuHqMMIW6th6dAn151gos3cSd3cydmkBPrACcbDfBEjCGGsuoAXVZdZstgX2LZhSknt2KQ31Vgw6di7WCwnT2dB4l5i4hnheIKdK8JgVlLfVxGOO20efxGZe2E7G&state=sU7ufxGX79UElF3C4Q9wZS2oRO8 HTTP/1.1" 400 - 226 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
10.0.0.116 - - [06/Jan/2023:00:47:49 +0100] "GET /service_worker.js HTTP/1.1" 401 - 381 "https://ha.kloburg.at/service_worker.js" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

[Fri Jan 06 00:47:47.084347 2023] [auth_openidc:warn] [pid 2663355:tid 139813239899904] [client 10.0.0.116:51474] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_sU7ufxGX79UElF3C4Q9wZS2oRO8) has expired (original_url=https://ha.kloburg.at/lovelace/default_view), referer: https://ha.kloburg.at/lovelace/default_view
[Fri Jan 06 00:47:47.084460 2023] [auth_openidc:warn] [pid 2663355:tid 139813239899904] [client 10.0.0.116:51474] oidc_clean_expired_state_cookies: state (mod_auth_openidc_state_edk7tOgwn79dxvcxlVXSFEG_Xl0) has expired (original_url=https://ha.kloburg.at/), referer: https://ha.kloburg.at/lovelace/default_view
[Fri Jan 06 00:47:47.283362 2023] [auth_openidc:error] [pid 2663355:tid 139813231507200] [client 10.0.0.116:51474] oidc_restore_proto_state: no "mod_auth_openidc_state_sU7ufxGX79UElF3C4Q9wZS2oRO8" state cookie found: check domain and samesite cookie settings
[Fri Jan 06 00:47:47.283411 2023] [auth_openidc:error] [pid 2663355:tid 139813231507200] [client 10.0.0.116:51474] oidc_authorization_response_match_state: unable to restore state
[Fri Jan 06 00:47:47.283418 2023] [auth_openidc:error] [pid 2663355:tid 139813231507200] [client 10.0.0.116:51474] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...

ha.kloburg.at-service-worker-state.har.zip

[zandbelt]

what is the version of the module that you are using?

[leo-b]

what is the version of the module that you are using?

mod_auth_openidc-2.4.12.2-1.el8.x86_64

with this config:

  OIDCProviderMetadataURL https://cloud.kloburg.at/.well-known/openid-configuration
  OIDCClientID XXX
  OIDCClientSecret XXX
  OIDCCryptoPassphrase XXX
  OIDCRedirectURI /oidc/callback
  OIDCScope "openid profile email roles"
  OIDCRemoteUserClaim preferred_username
  OIDCAuthNHeader X-Forwarded-Preferred-Username

  <Location />
    AuthType openid-connect
    <RequireAny>
      Require claim roles:ms14
      Require env no_oidc_auth
    </RequireAny>
  </Location>

  ProxyPreserveHost On
  ProxyRequests off # disable forward proxy

  RewriteEngine on
  RewriteRule "^/oidc/callback$" - [L]

  RewriteRule "^/manifest\.json$" - [E=no_oidc_auth]
  OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \
                       || ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' ) \
                       || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'document' && %{HTTP:Sec-Fetch-Dest} != 'empty') \
                       || (    ( %{HTTP_ACCEPT} !~ m#text/html# ) \
                           && ( %{HTTP_ACCEPT} !~ m#application/xhtml\+xml# ) \
                           && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )"

  RewriteRule "^/api/websocket(/.*)?$" ws://${ha_host}:8123/api/websocket$1 [E=no_oidc_auth:1,P,L]  

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond ${HTTP:Connection} upgrade [NC]
  RewriteRule "^/(.*)"  ws://${ha_host}:8123/$1 [E=no_oidc_auth:1,P,L]

  RewriteRule "^/(.*)" http://${ha_host}:8123/$1 [P,L]
  ProxyPassReverse /api/websocket ws://${ha_host}:8123/api/websocket
  ProxyPassReverse / http://${ha_host}:8123/

[zandbelt]

the defaults for OIDCUnAuthAction should prevent the behaviour that you're seeing, see also: https://github.com/zmartzone/mod_auth_openidc/wiki/Sessions-and-Timeouts#single-page-applications

[leo-b]

The default for OIDCUnAuthAction would immediately return 401 Unauthorized for the second (service-worker) request because the request has Sec-Fetch-Dest: document.
I have already tried that but this also doesn't work. With the default setting it even doesn't recover on browser reload.

[leo-b]

I agree that the frontend SPA should reload itself after receiving the 401 response. Probably this will be a bug.
I have also defined an exception for the websockets to bypass mod_auth_openidc authentication.
Should websockets also receive 401 after the OIDC session expires?

[leo-b]

OK. It seems to be a problem with Stale-While-Revalidate caching in homeassistant's service worker. Here is an analysis of a similar problem (nonce lags one request behind):
https://github.com/goauthentik/authentik/issues/884#issuecomment-851542477