i am trying to configure datahub to use keycloak (...
# troubleshoot
r
I am trying to configure DataHub to use Keycloak (OIDC) for authentication in a Docker env. I set up my Keycloak and DataHub to map to 0.0.0.0 in /etc/hosts so this works. I can log in and get the redirect, but it fails at the last step on a CSRF-type thing indicating "State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery". Thanks for any help or guidance
b
Hi @refined-apple-6340. Does this cause the UI to show an error?
Are there any additional logs being printed inside the datahub-frontend container?
r
! @7lj5jjg1d - Internal server error, for (GET) [/callback/oidc?state=C_HKvhqjeSnRyVfCvaC58lRHQq8B0Ii9nVxSZKK8YN4&session_state=eb160fe9-c77d-4c05-b6d5-48148660facf&code=106efbf8-90d7-497a-a2f9-72bae9e64151.eb160fe9-c77d-4c05-b6d5-48148660facf.24853338-d328-4bfb-99d6-9f00f1d80ced] ->
play.api.UnexpectedException: Unexpected exception[CompletionException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery]
    at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
    at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
    at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363)
    at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:92)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:92)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
    at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:49)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.util.concurrent.CompletionException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
    at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
    at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1606)
    at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:56)
    ... 6 common frames omitted
Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
    at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:74)
    at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:32)
    at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:65)
    at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140)
    at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:89)
    at auth.sso.oidc.OidcCallbackLogic.perform(OidcCallbackLogic.java:87)
    at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:62)
    at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:49)
    at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:56)
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
    ... 7 common frames omitted
b
@refined-apple-6340 Which identity provider are you using?
And what are your OIDC configs?
r
Keycloak
with a client secret
OpenID Connect
as the callback
and the rest standard
This is the URL that goes to Keycloak:
state=PsHPGEevBy7_D_21W7Xl7Zk3461uz1_wraBbg47Pfok
PsHPGEevBy7_D_21W7Xl7Zk3461uz1_wraBbg47Pfok. comes back as the state in the 500 error
without the .
So the state is the same.
Wondering if the URL is encoded somehow.
I will keep plugging away, thanks for looking at it!
b
Isn't the callback in the OIDC client definition supposed to be ${AUTH_OIDC_BASE_URL}/callback/oidc instead of localhost:9002/*?
b
Yes!
The callback URL should end with the path “/callback/oidc”
My guess is that’s causing this
I don’t think this error is super helpful
b
I'm also using Keycloak in my local environment, as a separate container. These are my settings.
I made sure that all the containers are in the same Docker network.