This happened again today <https://datahubspace.sl...
# troubleshoot
s
I saw the welcome screen -> redirected to google login -> logged in -> welcome screen -> redirected -> ... happened a few times and then this error page happened
Stopped after a few minutes. Maybe something goes wrong with google? It is weird because we use google login for a lot of things but have not seen this problem happening in any other service
b
Hmmm. Let me look into this. Do you mind sending over your datahub front end logs and debug logs?
s
Will need to clean them up for tokens. Will send them over next time it happens
Front end logs for the errors. It all started with
14:16:13 [application-akka.actor.default-dispatcher-1734] WARN o.p.o.profile.creator.TokenValidator - Preferred JWS algorithm: null not available. Using all metadata algorithms: [RS256]
14:16:14 [application-akka.actor.default-dispatcher-1734] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
14:16:31 [application-akka.actor.default-dispatcher-1685] WARN p.api.mvc.LegacySessionCookieBaker - Cookie failed message authentication check
14:16:34 [application-akka.actor.default-dispatcher-1757] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
then
14:16:47 [application-akka.actor.default-dispatcher-1746] ERROR application -
{}
! @7ki8bm5ei - Internal server error, for (GET) [/callback/oidc?state=REDACTED&code=REDACTED&scope=email%20openid%20<https://www.googleapis.com/auth/userinfo.email&authuser=1&hd=gogox.com&prompt=none>] ->
play.api.UnexpectedException: Unexpected exception[CompletionException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery]
    at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
    at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
    at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:363)
    at play.core.server.AkkaHttpServer$$anonfun$2.applyOrElse(AkkaHttpServer.scala:361)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:345)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:36)
    at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply$mcV$sp(BatchingExecutor.scala:91)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
    at akka.dispatch.BatchingExecutor$BlockableBatch$$anonfun$run$1.apply(BatchingExecutor.scala:91)
    at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:72)
    at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:90)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
    at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: java.util.concurrent.CompletionException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
    at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
    at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1606)
    at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:56)
    ... 6 common frames omitted
Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
    at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:74)
    at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:32)
    at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:65)
    at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140)
    at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:89)
    at react.auth.AuthModule$2.perform(AuthModule.java:84)
    at react.auth.AuthModule$2.perform(AuthModule.java:79)
    at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:56)
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
    ... 7 common frames omitted
15:31:40 [application-akka.actor.default-dispatcher-2397] WARN p.api.mvc.LegacySessionCookieBaker - Cookie failed message authentication check
15:31:42 [application-akka.actor.default-dispatcher-2280] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
15:31:42 [application-akka.actor.default-dispatcher-2412] WARN p.api.mvc.LegacySessionCookieBaker - Cookie failed message authentication check
... same cookie error 7 more times
15:31:50 [application-akka.actor.default-dispatcher-2241] ERROR react.auth.AuthModule$2 - Unable to renew the session. The session store may not support this feature
... same cookie error 9 more times
This is still happening approximately 1.5 hours after it happened for the first time today. Multiple logins and then the error screen
Sometimes I am able to login. Then as I am browsing it takes me back to the login screen and the login loop restarts
This is in devtools if it helps
b
Thank you this is all super helpful
s
I tried clearing the cookies. But it started happening again. It is becoming almost impossible to navigate. This is v0.8.7. It happened with v0.8.6 but not this frequently. Not sure if just a coincidence or something went wrong in the update
b
Interestingly, we didn't change anything about OIDC or auth in that release
And you're using Google Identity
s
Also seeing this error
06:57:26 [application-akka.actor.default-dispatcher-10372] WARN  akka.actor.ActorSystemImpl - Explicitly set HTTP header 'Content-Length: 3355306' is ignored, explicit `Content-Length` header is not allowed. Use the appropriate HttpEntity subtype.
06:57:27 [application-akka.actor.default-dispatcher-10372] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
06:57:27 [application-akka.actor.default-dispatcher-10372] WARN  auth.sso.oidc.OidcCallbackLogic - Failed to extract groups: No OIDC claim with name groups found
06:57:28 [application-akka.actor.default-dispatcher-3475] WARN  p.api.mvc.LegacySessionCookieBaker - Cookie failed message authentication check
This happened after I saw google ask me to login once again to cross-check that I still have access
I tried going to <datahub_root_url>/logout to see if that helps. Tried clearing cookies for the domain. Did not help
It goes into login redirect loop for around 3 times and then throws this error
b
Can you do a screen capture and send it over?
It's really odd because we are also using Google OIDC internally and we do not find this happening
s
It does not happen all the time. There is a day or two when it happens. Usually the ones when google asks me to re-login to verify my identity. But as it happens infrequently it is hard to pin down what could be causing this. I'll do a screen capture next time it happens
b
thank you thank you
c
What is workaround for this issue?
b
Hi @careful-artist-3840 can you please send over some logs from the datahub-frontend container?
c
b
Cookie failed authentication check. Hmm. Can you clear browser cookies and try again? When we get a response from your Identity Provider IBM we set a DataHub auth cookie. I'm wondering if that is containing unexpected characters.. it's possible. Can you try adjusting the claim where your DataHub username is extracted from? You can do so using something like
AUTH_OIDC_USER_NAME_CLAIM=email
AUTH_OIDC_USER_NAME_CLAIM_REGEX=([^@]+)
in the environment vars for your datahub-frontend container