# troubleshoot
b
Hi here, we are experiencing problems with OIDC in the datahub frontend and more specifically
Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
We are using OKTA as an identity provider. This issue is also time sensitive, so it happens only some time after the initial session is established. Clearing the cookies of both Datahub and Okta doesn’t seem to help either.
Here is the stack trace:
! @7ln8ignfb - Internal server error, for (GET) [/callback/oidc?code=Xst-4v-ZFKAH5FPZxO_Qh9gFOWOYjwE-mqhE8SFO-RQ&state=P24kz1sfmfkbcGR-g-ETwkhpvsTf_pe0WelAwjxaA9o] ->

play.api.UnexpectedException: Unexpected exception[CompletionException: org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@2c66382].]
	at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
	at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361)
	at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
	at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:49)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.util.concurrent.CompletionException: org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@2c66382].
	at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
	at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1606)
	at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:56)
	... 6 common frames omitted
Caused by: org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@2c66382].
	at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462)
	at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:445)
	at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:390)
	at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:382)
	at org.pac4j.play.store.ShiroAesDataEncrypter.decrypt(ShiroAesDataEncrypter.java:42)
	at org.pac4j.play.store.PlayCookieSessionStore.get(PlayCookieSessionStore.java:60)
	at org.pac4j.play.store.PlayCookieSessionStore.get(PlayCookieSessionStore.java:29)
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:73)
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:32)
	at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:65)
	at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140)
	at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:89)
	at auth.sso.oidc.OidcCallbackLogic.perform(OidcCallbackLogic.java:87)
	at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:62)
	at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:49)
	at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:56)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
	... 7 common frames omitted
Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
	at com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:620)
	at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
	at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
	at javax.crypto.Cipher.doFinal(Cipher.java:2168)
	at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:459)
	... 23 common frames omitted
11:16:13 [application-akka.actor.default-dispatcher-4937] ERROR application -

! @7ln8ikofe - Internal server error, for (GET) [/callback/oidc?code=Xst-4v-ZFKAH5FPZxO_Qh9gFOWOYjwE-mqhE8SFO-RQ&state=P24kz1sfmfkbcGR-g-ETwkhpvsTf_pe0WelAwjxaA9o] ->

play.api.UnexpectedException: Unexpected exception[CompletionException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery]
	at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
	at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361)
	at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
	at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:49)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.util.concurrent.CompletionException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
	at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
	at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1606)
	at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:56)
	... 6 common frames omitted
Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:74)
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:32)
	at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:65)
	at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140)
	at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:89)
	at auth.sso.oidc.OidcCallbackLogic.perform(OidcCallbackLogic.java:87)
	at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:62)
	at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:49)
	at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:56)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
	... 7 common frames omitted
And these are two screenshots taken at the same time, one from Chrome (the one giving the error) and the other from Firefox. The user is the same in both cases.
b
So in Firefox it’s working but nothing in chrome?
Can you send me your OIDC configuration values? And which provider are you using?
b
yes sure, these are our Okta and datahub frontend configurations
> So in Firefox it’s working but nothing in chrome?

Correct, even though in Chrome it works as well sometimes, but consistently fails others. In Firefox I could not replicate it. It could be just a matter of luck, however.
b
One minor thing I'm seeing is the Initiate Login URI -- if you are hosting DataHub as a tile in Okta you'll want this to be `/authenticate`.
Have you tried using `client_secret_basic` as the authentication method? If so, was it the same result?
@square-activity-64562 I know you faced something similar back in the day. Were you able to get that resolved?
s
It happens sometimes but very rarely. Resolves itself in a few hours.
b
> Have you tried using client_secret_basic as the authentication method? if so, was it the same result?

I will attempt this, thank you for suggesting it.
Hi @big-carpet-38439, moving to `client_secret_basic` I’m now getting a similar behaviour but the following exception (again, just in Chrome):
! @7lo4jbh5k - Internal server error, for (GET) [/callback/oidc?code=YK3FclkTIxCVMO4IK6tEnoD6YZk_VVppkWdLO6RsmvM&state=xe2JAp9t3ZGAVVAGo-DjrLmmLv7ngOdh_W_LhesP3Aw] ->

play.api.UnexpectedException: Unexpected exception[CompletionException: org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@5f5095c1].]
	at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
	at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363)
	at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361)
	at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
	at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:49)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.util.concurrent.CompletionException: org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@5f5095c1].
	at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
	at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1606)
	at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:56)
	... 6 common frames omitted
Caused by: org.apache.shiro.crypto.CryptoException: Unable to execute 'doFinal' with cipher instance [javax.crypto.Cipher@5f5095c1].
	at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:462)
	at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:445)
	at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:390)
	at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:382)
	at org.pac4j.play.store.ShiroAesDataEncrypter.decrypt(ShiroAesDataEncrypter.java:42)
	at org.pac4j.play.store.PlayCookieSessionStore.get(PlayCookieSessionStore.java:60)
	at org.pac4j.play.store.PlayCookieSessionStore.get(PlayCookieSessionStore.java:29)
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:73)
	at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:32)
	at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:65)
	at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140)
	at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:89)
	at auth.sso.oidc.OidcCallbackLogic.perform(OidcCallbackLogic.java:87)
	at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:62)
	at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:49)
	at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:56)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
	... 7 common frames omitted
Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
	at com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:620)
	at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
	at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
	at javax.crypto.Cipher.doFinal(Cipher.java:2168)
	at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:459)
	... 23 common frames omitted
a
I am experiencing this same issue using OKTA OIDC authentication. Was there a fix to this?