# troubleshoot
a
Hello Datahub, I'd like to connect my Datahub with my company OIDC based on Microsoft ADFS. Claims seem to have no abnormalities. I can see a newly created user urn in datahub mysql after trying to login. But I couldn't see the Datahub main page. Could you help me solve this problem?
b
Hi there! Please try to refrain from posting long code blocks. Taking a look
a
Helm chart configuration
extraEnvs:
    - name: AUTH_OIDC_ENABLED
      value: "true"
    - name: AUTH_OIDC_CLIENT_ID
      value: "REDACTED"
    - name: AUTH_OIDC_CLIENT_SECRET
      value: "REDACTED"
    - name: AUTH_OIDC_DISCOVERY_URI
      value: "https://REDACTED/adfs/.well-known/openid-configuration"
    - name: AUTH_OIDC_BASE_URL
      value: "https://REDACTED"
    - name: AUTH_OIDC_USER_NAME_CLAIM
      value: "REDACTED"
    - name: AUTH_OIDC_EXTRACT_GROUPS_ENABLED
      value: "false"
Frontend pod error messages
06:25:31 [application-akka.actor.default-dispatcher-213] ERROR o.p.o.p.creator.OidcProfileCreator - Bad User Info response, error=invalid_token
06:25:31 [application-akka.actor.default-dispatcher-213] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
06:25:31 [application-akka.actor.default-dispatcher-186] ERROR akka.actor.ActorSystemImpl - Internal server error, sending 500 response
java.lang.IllegalArgumentException: Cookie value contains an invalid char:  
	at play.core.netty.utils.CookieEncoder.validateCookie(CookieEncoder.java:47)
	at play.core.netty.utils.ServerCookieEncoder.encode(ServerCookieEncoder.java:77)
	at play.api.mvc.CookieHeaderEncoding$$anonfun$1.apply(Cookie.scala:222)
	at play.api.mvc.CookieHeaderEncoding$$anonfun$1.apply(Cookie.scala:213)
	at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:234)
	at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:234)
	at scala.collection.immutable.List.foreach(List.scala:392)
	at scala.collection.TraversableLike$class.map(TraversableLike.scala:234)
	at scala.collection.immutable.List.map(List.scala:296)
	at play.api.mvc.CookieHeaderEncoding$class.encodeSetCookieHeader(Cookie.scala:213)
	at play.api.mvc.DefaultCookieHeaderEncoding.encodeSetCookieHeader(Cookie.scala:324)
	at play.api.mvc.Result.bakeCookies(Results.scala:310)
	at play.core.server.common.ServerResultUtils.prepareCookies(ServerResultUtils.scala:273)
	at play.core.server.AkkaHttpServer$$anonfun$15.apply(AkkaHttpServer.scala:366)
	at play.core.server.AkkaHttpServer$$anonfun$15.apply(AkkaHttpServer.scala:365)
	at scala.concurrent.Future$$anonfun$flatMap$1.apply(Future.scala:253)
	at scala.concurrent.Future$$anonfun$flatMap$1.apply(Future.scala:251)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:49)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
This is my company OIDC .well-known/openid-configuration
{
  "issuer": "https://REDACTED/adfs",
  "authorization_endpoint": "https://REDACTED/adfs/oauth2/authorize/",
  "token_endpoint": "https://REDACTED/adfs/oauth2/token/",
  "jwks_uri": "https://REDACTED/adfs/discovery/keys",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "private_key_jwt",
    "windows_client_authentication"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "implicit",
    "password",
    "srv_challenge",
    "urn:ietf:params:oauth:grant-type:device_code",
    "device_code"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "scopes_supported": [
    "winhello_cert",
    "allatclaims",
    "email",
    "openid",
    "profile",
    "vpn_cert",
    "user_impersonation",
    "logon_cert",
    "aza"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256"
  ],
  "access_token_issuer": "http://REDACTED/adfs/services/trust",
  "claims_supported": [
    "aud",
    "iss",
    "iat",
    "exp",
    "auth_time",
    "nonce",
    "at_hash",
    "c_hash",
    "sub",
    "upn",
    "unique_name",
    "pwd_url",
    "pwd_exp",
    "mfa_auth_time",
    "sid"
  ],
  "microsoft_multi_refresh_token": true,
  "userinfo_endpoint": "https://REDACTED/adfs/userinfo",
  "capabilities": [],
  "end_session_endpoint": "https://REDACTED/adfs/oauth2/logout",
  "as_access_token_token_binding_supported": true,
  "as_refresh_token_token_binding_supported": true,
  "resource_access_token_token_binding_supported": true,
  "op_id_token_token_binding_supported": true,
  "rp_id_token_token_binding_supported": true,
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "device_authorization_endpoint": "https://REDACTED/adfs/oauth2/devicecode"
}
b
Will check on things soon!
a
Update: I resolved the 'Bad User Info response' error but I keep getting 'Internal Server Error'. My company OIDC based on ADFS doesn't use the Userinfo endpoint. To avoid using the Userinfo endpoint in Pac4j, I modified my company oidc-configuration and served it at my own custom url. https://github.com/pac4j/pac4j/blob/master/pac4j-oidc/src/main/java/org/pac4j/oidc/profile/creator/OidcProfileCreator.java#L93
01:32:31 [application-akka.actor.default-dispatcher-11797] WARN  o.p.o.profile.creator.TokenValidator - Preferred JWS algorithm: null not available. Using all metadata algorithms: [RS256]
01:32:32 [application-akka.actor.default-dispatcher-11797] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
01:32:33 [application-akka.actor.default-dispatcher-11797] ERROR akka.actor.ActorSystemImpl - Internal server error, sending 500 response
java.lang.IllegalArgumentException: Cookie value contains an invalid char:  
	at play.core.netty.utils.CookieEncoder.validateCookie(CookieEncoder.java:47)
	at play.core.netty.utils.ServerCookieEncoder.encode(ServerCookieEncoder.java:77)
	at play.api.mvc.CookieHeaderEncoding$$anonfun$1.apply(Cookie.scala:222)
	at play.api.mvc.CookieHeaderEncoding$$anonfun$1.apply(Cookie.scala:213)
	at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:234)
	at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:234)
	at scala.collection.immutable.List.foreach(List.scala:392)
	at scala.collection.TraversableLike$class.map(TraversableLike.scala:234)
	at scala.collection.immutable.List.map(List.scala:296)
	at play.api.mvc.CookieHeaderEncoding$class.encodeSetCookieHeader(Cookie.scala:213)
	at play.api.mvc.DefaultCookieHeaderEncoding.encodeSetCookieHeader(Cookie.scala:324)
	at play.api.mvc.Result.bakeCookies(Results.scala:310)
	at play.core.server.common.ServerResultUtils.prepareCookies(ServerResultUtils.scala:273)
	at play.core.server.AkkaHttpServer$$anonfun$15.apply(AkkaHttpServer.scala:366)
	at play.core.server.AkkaHttpServer$$anonfun$15.apply(AkkaHttpServer.scala:365)
	at scala.concurrent.Future$$anonfun$flatMap$1.apply(Future.scala:253)
	at scala.concurrent.Future$$anonfun$flatMap$1.apply(Future.scala:251)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:49)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Update: I resolved the 'Cookie value contains an invalid char' error. The error occurred because the username claim value contained a blank (Hagun Kim). (https://github.com/t2v/play2-auth/issues/180) But I keep getting the 'Unable to renew the session' error. It occurs infinitely when I try to login. The browser (Chrome) goes into an infinite loop.
04:31:18 [application-akka.actor.default-dispatcher-234] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
04:31:19 [application-akka.actor.default-dispatcher-248] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
04:31:20 [application-akka.actor.default-dispatcher-234] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
04:31:21 [application-akka.actor.default-dispatcher-247] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
Update: I resolved the infinite loop issue. I referred to this thread. https://datahubspace.slack.com/archives/C029A3M079U/p1644940202569599
Hello @big-carpet-38439, I resolved my issues and succeeded in logging into the UI with OIDC, but the frontend pod still shows this error. (There seems to be no problem using Datahub.) The error only occurs the first time I log in. There is no error when refreshing the main page after logging in. If you know about this log, please let me know.
09:11:09 [application-akka.actor.default-dispatcher-427] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
b
Hi @adorable-flower-19656 - This is okay
It is unfortunately a red herring (not a real error) warning logged by the library we depend on
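The 'Cookie value contains an invalid char' failure in this thread came from a space in the username claim ("Hagun Kim") being written into a Play session cookie. The following is an added diagnostic, not part of the thread and not DataHub or pac4j code: it checks candidate claim values against the RFC 6265 cookie-octet rule (the same rule Play's Netty-derived CookieEncoder applies, which is an assumption here), reports which claims are unusable as AUTH_OIDC_USER_NAME_CLAIM, and shows a percent-encoding that would make such a value cookie-safe. The claims dict is constructed for the example.

```python
"""Diagnostic for cookie-unsafe OIDC username claims (added example).

Assumption: the Play/Netty cookie encoder enforces the RFC 6265 cookie-octet
grammar, which excludes whitespace, control characters, and the characters
'"', ',', ';' and '\\'. A claim value containing any of these cannot be
stored verbatim in the session cookie.
"""
import urllib.parse

# RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
_COOKIE_OCTETS = frozenset(
    chr(c) for c in range(0x21, 0x7F) if c not in (0x22, 0x2C, 0x3B, 0x5C)
)


def invalid_cookie_chars(value: str) -> list:
    """Return the distinct characters in `value` that are not cookie-octets."""
    return sorted({ch for ch in value if ch not in _COOKIE_OCTETS})


def unsafe_username_claims(claims: dict) -> dict:
    """Map each claim whose value is not cookie-safe to its offending characters.

    Only string-valued claims are candidates for a username claim; others
    are skipped.
    """
    report = {}
    for name, value in claims.items():
        if not isinstance(value, str):
            continue
        bad = invalid_cookie_chars(value)
        if bad:
            report[name] = bad
    return report


def cookie_safe(value: str) -> str:
    """Percent-encode `value` so that every output character is a cookie-octet.

    Alphanumerics and '_.-~' are never encoded; the extra safe set below is the
    rest of the cookie-octet range minus '%', so the encoding stays reversible
    with urllib.parse.unquote.
    """
    return urllib.parse.quote(value, safe="!#$&'()*+/:<=>?@[]^`{|}")


# Constructed ID-token claims resembling what an ADFS issuer might return.
SAMPLE_CLAIMS = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "upn": "hagun.kim@example.com",
    "unique_name": "Hagun Kim",
    "auth_time": 1644940202,
}

if __name__ == "__main__":
    for claim, chars in unsafe_username_claims(SAMPLE_CLAIMS).items():
        print(f"claim {claim!r} is not cookie-safe, offending chars: {chars}")
    print("encoded:", cookie_safe(SAMPLE_CLAIMS["unique_name"]))
```

Run against the constructed claims it flags only `unique_name` (the space), which is why a claim such as `upn` is the safer choice for AUTH_OIDC_USER_NAME_CLAIM; the encoder is there for cases where no space-free claim is available and the value must be decoded again on read.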