This repository was archived by the owner on May 31, 2022. It is now read-only.
Possible CSRF detected - state parameter was present but no state could be found #322
Closed
Description
Hi,
When I try to create a Spring OAuth server, like this, in the Spring blog, I get an error:
curl -X GET http://localhost:8080 -v -L -u user:password
* Rebuilt URL to: http://localhost:8080/
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'user'
> GET / HTTP/1.1
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 302 Found
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Set-Cookie: JSESSIONID=16E880F53147AF4FA4C598615CFE97D4; Path=/; HttpOnly
< Location: http://localhost:8080/login
< Content-Length: 0
< Date: Wed, 26 Nov 2014 19:38:18 GMT
<
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8080/login'
* Found bundle for host localhost: 0x15cf8b0
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'user'
> GET /login HTTP/1.1
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 302 Found
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Set-Cookie: JSESSIONID=8BCDD1F49074CA6239BC1E93903180F3; Path=/; HttpOnly
< Location: http://localhost:9998/oauth/authorize?client_id=my-trusted-client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=Bvp1wZ
< Content-Length: 0
< Date: Wed, 26 Nov 2014 19:38:18 GMT
<
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:9998/oauth/authorize?client_id=my-trusted-client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=Bvp1wZ'
* Found bundle for host localhost: 0x15cf8b0
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9998 (#1)
* Server auth using Basic with user 'user'
> GET /oauth/authorize?client_id=my-trusted-client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=Bvp1wZ HTTP/1.1
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.35.0
> Host: localhost:9998
> Accept: */*
>
< HTTP/1.1 302 Found
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< Pragma: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: no-cache
< Cache-Control: no-store
< Location: http://localhost:8080/login?code=2eJuuj&state=Bvp1wZ
< Content-Language: pt-PT
< Content-Length: 0
< Date: Wed, 26 Nov 2014 19:38:18 GMT
<
* Connection #1 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8080/login?code=2eJuuj&state=Bvp1wZ'
* Found bundle for host localhost: 0x15cf8b0
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'user'
> GET /login?code=2eJuuj&state=Bvp1wZ HTTP/1.1
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Set-Cookie: JSESSIONID=BB959926086631B7120D7B9ED51C385D; Path=/; HttpOnly
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Wed, 26 Nov 2014 19:38:18 GMT
< Connection: close
<
* Closing connection 0
{"timestamp":1417030698602,"status":500,"error":"Internal Server Error","exception":"org.springframework.security.oauth2.common.exceptions.InvalidRequestException","message":"Possible CSRF detected - state parameter was present but no state could be found","path":"/login"}
Apparently, the state param is not maintained between different requests by OAuthRestTemplate.
Activity
dsyer commented on Nov 29, 2014
That depends on how you set up the OAuth2RestTemplate. Since there isn't one in the sample you linked to (and there is no /login either), you must be doing something different. If you use @EnableOAuth2Client as described in the docs and in the samples you will get a session-scoped context that saves the state.
cloud-devops-expert commented on Nov 29, 2014
On the client side, I'm using:
This configuration, @EnableOAuth2Sso, activates @EnableOAuth2Client.
dsyer commented on Nov 29, 2014
The problem is the session then. You have 2 servers running on localhost, on different ports, but cookies don't record the host, only the path, and both are on the root path "/" so they are sharing a cookie. Put one of them in a sub context (e.g. using server.contextPath=/auth for the auth server) and it should work I think.
cloud-devops-expert commented on Nov 29, 2014
I tried that.
I put the client in /c and the server in /s.
But the problem continues:
dsyer commented on Nov 29, 2014
I can see that your client is not sending cookies. I think you can do it with curl, but it might take some effort. Does it work in a browser?
cloud-devops-expert commented on Nov 29, 2014
I activated the cookies in curl, and now I have a different error: Error requesting token:
dsyer commented on Nov 29, 2014
Looks like an access denied when the client tries to get the user details. Perfectly normal probably. This isn't really a Spring OAuth feature, but maybe you can share a bit more? How is the client trying to get the user details? Did you forget to set the access rule for the token info endpoint on the server?
dsyer commented on Dec 1, 2014
Duplicates spring-attic/spring-cloud-security#13
prashantbhate commented on Jun 18, 2017
Just seen a similar issue while trying out https://spring.io/guides/tutorials/spring-boot-oauth2/
and observed that this issue is with the Chrome browser, which wasn't passing the JSESSIONID after the Facebook redirect. The same worked when I used Safari (just adding it here so that it saves someone two hours!).
You can see that Set-Cookie is called twice, as the second login/facebook call is not passing the previously set session id.
ex0b1t commented on Aug 24, 2017
An alternative to @dsyer's suggestion to change the context path is to change the cookie name one of your services uses, e.g.
ChangdongLi commented on Nov 2, 2018
Note that since Spring Boot 2, to change the cookie name, the parameter is server.servlet.session.cookie.name
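The cookie collision dsyer diagnoses above, and both fixes proposed in this thread (separate context paths, or a different session cookie name), as an added example that is not code from this issue or from Spring Security OAuth: a small Python model of a cookie jar and two apps on the same host, with hypothetical class and function names.

```python
# Added example (not code from this issue or from Spring): a tiny model of a
# cookie jar plus two servlet apps, showing why the client's OAuth2 state is lost
# when both apps run on localhost with the default cookie, and why a distinct
# context path or session cookie name avoids it. All names are hypothetical.
from dataclasses import dataclass, field
import secrets

@dataclass
class CookieJar:
    # Keyed by (host, path, name). Port is deliberately absent: browsers and curl
    # do not isolate cookies by port, which is the root cause in this thread.
    store: dict = field(default_factory=dict)

    def set(self, host, path, name, value):
        self.store[(host, path, name)] = value

    def get(self, host, request_path, name):
        # Simplified path match: the cookie path is a prefix of the request path
        hits = [(p, v) for (h, p, n), v in self.store.items()
                if h == host and n == name and request_path.startswith(p)]
        return max(hits, key=lambda pv: len(pv[0]))[1] if hits else None

@dataclass
class ServletApp:
    # context_path ~ server.contextPath (Boot 1) / server.servlet.context-path (Boot 2);
    # cookie_name ~ server.servlet.session.cookie.name (Boot 2)
    context_path: str = "/"
    cookie_name: str = "JSESSIONID"
    sessions: dict = field(default_factory=dict)

    def url(self, path):
        return self.context_path.rstrip("/") + path

    def session(self, jar, host, request_path):
        sid = jar.get(host, request_path, self.cookie_name)
        if sid not in self.sessions:  # missing or unknown id: issue a fresh session
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
            jar.set(host, self.context_path, self.cookie_name, sid)  # Set-Cookie; Path=<context>
        return self.sessions[sid]

def run_login_flow(client, auth, host="localhost"):
    # Replay the redirect chain from the curl trace with one shared cookie jar.
    jar, state = CookieJar(), "Bvp1wZ"
    client.session(jar, host, client.url("/login"))["state"] = state  # 302 -> /oauth/authorize?state=
    auth.session(jar, host, auth.url("/oauth/authorize"))             # auth server starts its own session
    cb = client.session(jar, host, client.url("/login"))              # callback /login?code=..&state=..
    if cb.get("state") != state:
        return "Possible CSRF detected - state parameter was present but no state could be found"
    return "ok"
```

With both apps on the default cookie name and Path=/ the callback lands in an empty session and yields the same message as the issue; with /c and /s, or with distinct cookie names, the stored state survives the auth server's Set-Cookie.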