# troubleshoot
l
Hi everyone! Can anyone help us with the following scenario: We’re using DataHub (v0.8.16) with OIDC authentication, embedded inside another platform. The deployment was made using the Helm chart on Kubernetes, pointing to version 0.8.16 of DataHub: https://github.com/datahub-project/datahub/blob/master/docs/deploy/kubernetes.md

Datahub-frontend is configured to add a Content-Security-Policy response header to all requests, like this (“http://localhost:3000” is where our platform, in which DataHub is embedded, is running):
```java
package filters;

import play.mvc.EssentialAction;
import play.mvc.EssentialFilter;

import javax.inject.Inject;
import javax.inject.Singleton;
import java.util.concurrent.Executor;

@Singleton
public class CSPFilter extends EssentialFilter {

    private final Executor exec;

    /**
     * @param exec This class is needed to execute code asynchronously.
     */
    @Inject
    public CSPFilter(Executor exec) {
        this.exec = exec;
    }

    @Override
    public EssentialAction apply(EssentialAction next) {
        // Add the CSP header to every response; frame-ancestors lists the origins allowed to embed the page.
        return EssentialAction.of(request ->
            next.apply(request).map(result ->
                result.withHeader(
                    "Content-Security-Policy",
                    "frame-ancestors 'self' http://localhost:3000"),
                exec)
        );
    }
}
```
After deployment, the OIDC configuration works fine. When we access it using our virtual service URL, the login via Keycloak is done successfully, but when we try to access DataHub embedded, we receive the following logs:
```
19:28:10 [application-akka.actor.default-dispatcher-34] ERROR application - 

! @7n94niein - Internal server error, for (GET) [/callback/oidc?state=ZGIDs6vDT7b3nE3bY5fti5p99UJKQozIGmVbGImckj0&session_state=a6a687e8-a210-4f7b-b2e2-998ce2c8656c&code=017576af-b373-48fe-9e38-a64510d81c05.a6a687e8-a210-4f7b-b2e2-998ce2c8656c.54b62100-14ad-4c8c-93d0-754f98ddfe4a] ->
 
play.api.UnexpectedException: Unexpected exception[CompletionException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery]
	at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
	at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361)
	at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
	at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:49)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.util.concurrent.CompletionException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
	at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
	at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1606)
	at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:56)
	... 6 common frames omitted
Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:74)
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:32)
	at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:65)
	at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140)
	at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:89)
	at auth.sso.oidc.OidcCallbackLogic.perform(OidcCallbackLogic.java:87)
	at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:62)
	at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:49)
	at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:56)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
	... 7 common frames omitted
```
@bumpy-umbrella-67147
b
Hi there! Please try to post long code blocks in the thread :)
I believe these issues were addressed in a newer version of DataHub :) should be something like 0.8.26 if I remember correctly
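
The check behind the exception message in the question, as an added example that is not part of the thread and is not pac4j or DataHub code: an OIDC client stores a random `state` in the user's session when it sends the authentication request and accepts the callback only if the returned `state` matches it. The class name, method names and the in-memory session map are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration of an OIDC "state" check; hypothetical class, not pac4j or DataHub code.
public class OidcStateCheckDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Constructed stand-in for a server-side session store keyed by the session cookie value.
    private final Map<String, String> stateBySession = new HashMap<>();

    /** Authentication request: mint a random state and remember it for this session. */
    String beginLogin(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        stateBySession.put(sessionId, state);
        return state; // sent to the identity provider as ?state=...
    }

    /** Callback: accept only if the returned state equals the one stored for this session. */
    boolean handleCallback(String sessionId, String returnedState) {
        // One-time use: the stored value is removed whether or not the check passes.
        String expected = sessionId == null ? null : stateBySession.remove(sessionId);
        if (expected == null || returnedState == null) {
            return false; // no session on the callback, or it expired: nothing to compare against
        }
        // Constant-time comparison of the two values.
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            returnedState.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        OidcStateCheckDemo app = new OidcStateCheckDemo();
        String state = app.beginLogin("session-A");
        System.out.println("same session, same state: " + app.handleCallback("session-A", state));
        state = app.beginLogin("session-A");
        System.out.println("callback without session: " + app.handleCallback(null, state));
        System.out.println("state from another flow:  "
            + app.handleCallback("session-A", "constructed-other-state"));
    }
}
```

The second and third cases are the two conditions the exception text names: a session that is missing or expired when the callback arrives, and a `state` value that did not originate from this session's authentication request.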