Product: TIBCO Spotfire®
When authenticating with OpenID, a user is not able to log in and instead a message is seen on the screen:
Invalid state parameter - please check the redirect URI (the user may have been redirected back to a different host and/or port - resulting in a new HTTP session)
Additionally, the following error is seen in the server.log:
WARN 2018-07-18T04:03:46,007+0530 [unknown, #2, #18239] auth.oidc.OidcAuthenticator: OpenID Connect authentication failed
com.spotfire.server.security.auth.oidc.OidcException: Invalid state parameter - please check the redirect URI (the user may have been redirected back to a different host and/or port - resulting in a new HTTP session)
When authenticating with OpenID, a state parameter is issued to the client. This can be seen in the response body when a client calls the '/spotfire/rest/pub/authenticationEndpoint' path of the Spotfire server.
The purpose of the state parameter is to prevent CSRF (Cross Site Request Forgery) attacks. The state parameter is maintained throughout the HTTP session. If for some reason the HTTP session is terminated (resulting in a new HTTP session), a new state parameter is issued, which can give rise to this error, since this parameter is required to be consistent for the duration of the session.
To solve this issue:
1) Check the public address of the Spotfire server. This must be the initial URL the client targets (hostname and protocol). A mismatch here, for example https vs http, could cause this error.
2) The public address forms the basis for the return URL in the OpenID settings. Make sure the OpenID provider is using precisely the same return URL.
3) If two or more Spotfire servers are in use, ensure that sticky sessions are enabled on the load balancer (e.g. ELB on Amazon). Cookie-based session affinity must be enabled based on the JSESSIONID cookie.
If this is not enabled, a new session might be established on a different Spotfire server, which could give rise to this error.
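The three checks above, modelled as an added Python example (this is not Spotfire's own code; the Server class, the two-node balancer and all URLs are constructed for illustration): the state is bound to the HTTP session that started the login, so a return URL on a different origin or a callback routed to a different node finds no matching state.

```python
"""Toy model of a session-bound OIDC state check (constructed example, not Spotfire code)."""
import secrets
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class OidcError(Exception):
    """Raised when the state returned by the provider does not match the session."""


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def redirect_matches_public_address(public_address, redirect_uri):
    """Steps 1 and 2: the return URL must share scheme, host and port with the public address."""
    return origin(public_address) == origin(redirect_uri)


class Server:
    """One server node with its own in-memory HTTP sessions (JSESSIONID -> attributes)."""

    def __init__(self):
        self.sessions = {}

    def begin_login(self, session_id=None):
        """Issue a fresh state and store it in the caller's session; returns (session_id, state)."""
        if session_id not in self.sessions:
            session_id = secrets.token_hex(16)  # no usable cookie: a new session is created
            self.sessions[session_id] = {}
        state = secrets.token_urlsafe(32)
        self.sessions[session_id]["oidc_state"] = state
        return session_id, state

    def finish_login(self, session_id, returned_state):
        """Callback handling: the returned state must equal the one stored in this session."""
        expected = self.sessions.get(session_id, {}).get("oidc_state")
        if expected is None or not secrets.compare_digest(expected, returned_state):
            raise OidcError("Invalid state parameter - please check the redirect URI")
        del self.sessions[session_id]["oidc_state"]  # state is single-use
        return True


def callback_succeeds(sticky_sessions):
    """Step 3: two nodes behind a balancer; without affinity the callback lands on the other node."""
    nodes = [Server(), Server()]
    sid, state = nodes[0].begin_login()
    target = nodes[0] if sticky_sessions else nodes[1]
    try:
        return target.finish_login(sid, state)
    except OidcError:
        return False
```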