Hi - We’ve configured Datahub with AWS Cognito OID...
# troubleshoot
m
Hi - We’ve configured Datahub with AWS Cognito OIDC. The user appears to authenticate correctly, but I get an infinitely looping white screen when trying to redirect to the datahub homepage. This still happens when using an incognito window and after clearing browser cookies. Any help diagnosing this would be much appreciated. Thank you. Each loop displays different oidc code and state query parameters in the URL (see browser screenshot). The frontend logs show multiple repeats of this error:
21:05:58 [application-akka.actor.default-dispatcher-16] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
The debug logs seem to show a successful login over and over again:
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: fullname / value: Margit Zwemer / class java.lang.String                 
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: token_expiration_advance / value: -1 / class java.lang.Integer           
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG a.sso.oidc.custom.CustomOidcClient - profile: #OidcProfile# | id: 21059eff-0711-4a3b-be0b-807e3ba0a438 | attributes: {at_hash
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - profile: #OidcProfile# | id: 21059eff-0711-4a3b-be0b-807e3ba0a438 | attributes: {at_hash=Ba
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - redirectUrl: /                                                                             
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG o.p.play.http.PlayHttpActionAdapter - requires HTTP action: 302                                                              
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - Beginning OIDC Callback Handling...                                                        
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - Found authenticated user with profile {at_hash=Ba5PrM0FzU0jVYzMXNJOYA, sub=21059eff-0711-4a
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - Just-in-time provisioning is enabled. Beginning provisioning process...                    
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - Attempting to extract user from OIDC profile {at_hash=Ba5PrM0FzU0jVYzMXNJOYA, sub=21059eff-
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - Attempting to provision user with urn urn:li:corpuser:margit.zwemer                        
21:35:39 [R2 Nio Event Loop-1-2] DEBUG c.l.r.t.h.c.rest.RAPResponseHandler - datahub-datahub-gms/10.152.183.186:8080: handling a response                                                   
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - Fetched GMS user with urn urn:li:corpuser:margit.zwemer                                    
21:35:39 [application-akka.actor.default-dispatcher-912] DEBUG auth.sso.oidc.OidcCallbackLogic - User urn:li:corpuser:margit.zwemer already exists. Skipping provisioning                   
21:35:39 [R2 Nio Event Loop-1-2] DEBUG c.l.r.t.h.c.rest.RAPResponseHandler - datahub-datahub-gms/10.152.183.186:8080: handling a response                                                   
21:35:40 [application-akka.actor.default-dispatcher-912] DEBUG o.p.o.r.OidcRedirectActionBuilder - Authentication request url: <https://XXXYYYZZZ.auth.us-east-1.amazoncognito.com/oauth2/autho>
21:35:40 [application-akka.actor.default-dispatcher-912] DEBUG o.p.play.http.PlayHttpActionAdapter - requires HTTP action: 302                                                              
21:35:40 [application-akka.actor.default-dispatcher-932] DEBUG auth.sso.oidc.OidcCallbackLogic - === CALLBACK ===                                                                           
21:35:40 [application-akka.actor.default-dispatcher-932] DEBUG o.p.c.c.f.DefaultCallbackClientFinder - result: [oidc]                                                                       
21:35:40 [application-akka.actor.default-dispatcher-932] DEBUG auth.sso.oidc.OidcCallbackLogic - foundClient: #CustomOidcClient# | name: oidc | callbackUrl: <https://ABC.XYZ.com/>
21:35:40 [application-akka.actor.default-dispatcher-932] DEBUG o.p.o.c.extractor.OidcExtractor - Authentication response successful                                                         
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG o.p.o.c.a.OidcAuthenticator - Token response: status=200, content={"id_token":"eyJraWQiOiJnMTE0N3VqaEtheExLK3JPNStkSFh0d0J0Q0
                                                                                                                                                                                            
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG o.p.o.c.a.OidcAuthenticator - Token response successful                                                                      
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG a.sso.oidc.custom.CustomOidcClient - Credentials validation took: 400 ms                                                     
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG auth.sso.oidc.OidcCallbackLogic - credentials: #OidcCredentials# | code: 6164929c-5389-409c-a0fe-32edec02195f | accessToken: 
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG a.sso.oidc.custom.CustomOidcClient - credentials : #OidcCredentials# | code: 6164929c-5389-409c-a0fe-32edec02195f | accessTok
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: access_token / value: eyJraWQiOiJcL2Q4MkQxSkFnMmo5RlF2SlpBR3pHanlOVmZuNEN
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: id_token / value: eyJraWQiOiJnMTE0N3VqaEtheExLK3JPNStkSFh0d0J0Q09mOXpMVHF
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: refresh_token / value: eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUl
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG o.p.o.p.creator.OidcProfileCreator - Refresh Token successful retrieved                                                      
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG o.p.o.p.creator.OidcProfileCreator - Token response: status=200, content={"sub":"21059eff-0711-4a3b-be0b-807e3ba0a438","email
   ...
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: fullname / value: Margit Zwemer / class java.lang.String         
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: fullname / value: Margit Zwemer / class java.lang.String                 
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: token_expiration_advance / value: -1 / class java.lang.Integer           
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG a.sso.oidc.custom.CustomOidcClient - profile: #OidcProfile# | id: 21059eff-0711-4a3b-be0b-807e3ba0a438 | attributes: {at_hash
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG auth.sso.oidc.OidcCallbackLogic - profile: #OidcProfile# | id: 21059eff-0711-4a3b-be0b-807e3ba0a438 | attributes: {at_hash=tb
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG auth.sso.oidc.OidcCallbackLogic - redirectUrl: /                                                                             
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG o.p.play.http.PlayHttpActionAdapter - requires HTTP action: 302                                                              
21:35:41 [application-akka.actor.default-dispatcher-932] DEBUG auth.sso.oidc.OidcCallbackLogic - Beginning OIDC Callback Handling...
b
You probably have an oidc claim that contains too much information to be kept in a cookie.
m
This explanation makes sense, as our SSO profiles contain a lot of fields related to many different internal applications, so they’re pretty chonky. I’ll try turning off the profile claim, but it would be great to get that merge request resolved so we can take advantage of some of these additional fields at a later date.
hmm, I cleared cookies, updated the values.yml and cognito app client, but it doesn’t seem to be picking up the change (the logs still show it fetching all the profile fields).
- name: AUTH_OIDC_SCOPE
  value: "openid email"
I ssh’d into the container and confirmed this is the value.
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: 2020_summer_workshop_web / value: true / class java.lang.Str
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: 2020_summer_workshop_web / value: true / class java.lang.String     
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: elections_web / value: true / class java.lang.String        
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: elections_web / value: true / class java.lang.String                
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: docs_web / value: true / class java.lang.String             
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: docs_web / value: true / class java.lang.String                     
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: cognito:username / value: margit.zwemer:<http://XYZ.com|XYZ.com> / clas
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: cognito:username / value: margit.zwemer:<http://XYZ.com|XYZ.com> / class java.l
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: mgrhrchy / value: 1411|2901|6901|56913|86362|92953|86746 / c
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: mgrhrchy / value: 1411|2901|6901|56913|86362|92953|86746 / class jav
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: covid19_web / value: true / class java.lang.String          
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: covid19_web / value: true / class java.lang.String                  
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: argon_web / value: false / class java.lang.String           
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: argon_web / value: false / class java.lang.String                   
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: origin_jti / value: 163218a9-e3cb-4bc7-b4b8-2851235d0fca / c
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: origin_jti / value: 163218a9-e3cb-4bc7-b4b8-2851235d0fca / class jav
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: aud / value: [2a8hvavvvh97q488q7qpuiem6f] / class java.util.
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: aud / value: [2a8hvavvvh97q488q7qpuiem6f] / class java.util.ArrayLis
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: static_web / value: true / class java.lang.String           
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: static_web / value: true / class java.lang.String                   
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: token_use / value: id / class java.lang.String              
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: token_use / value: id / class java.lang.String                      
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: paramsearch_web / value: true / class java.lang.String      
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: paramsearch_web / value: true / class java.lang.String              
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: paramsearch_admin / value: false / class java.lang.String   
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: paramsearch_admin / value: false / class java.lang.String           
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG o.p.o.profile.OidcProfileDefinition - no conversion => key: costenterh / value: 89011|44312|43511|7882175|4982175|06081 
11:43:00 [application-akka.actor.default-dispatcher-21] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: costenterh / value: 89011|44312|43511|7882175|4982175|06081 / class
Still getting rejected when I set AUTH_OIDC_EXTRACT_GROUPS_ENABLED=false. Interestingly, it works in localhost dev mode, but the cookie size is right at 4096, so it might be just squeaking under the limit.
To close out this thread - I ended up using this pull request: https://github.com/datahub-project/datahub/pull/5114 since our setup is small enough to use a single front end instance. Regarding why the cookie got so big, it appears that user profile information that was part of IAM rather than stored specifically in the Cognito user pool was still getting sent in the response, even when restricting the OAuth scope.
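A diagnostic an operator can run against the claims of a decoded ID token to see whether the profile would fit a 4096-byte cookie-backed session and which claims are bloating it, as an added example that is not part of this thread or of DataHub's code. It assumes a compact-JSON-plus-base64url serialisation, which only approximates how the Play/pac4j session cookie is actually encoded; the claim set and token are constructed, and the token is unsigned so it can be built offline.

```python
import base64
import json

COOKIE_LIMIT = 4096  # per-cookie size browsers enforce; the thread's cookie sat right at it

# Constructed claim set modelled on the claim shapes in the thread's logs (all values made up).
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-4000-8000-000000000000",
    "aud": ["exampleclientid"],
    "token_use": "id",
    "email": "jane.doe@example.com",
    "fullname": "Jane Doe",
    "mgrhrchy": "1001|2002|3003|4004|5005|6006|7007",
    "costenterh": "11111|22222|33333|44444|55555|66666",
    **{f"app{i}_web": True for i in range(200)},  # per-application entitlement flags
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline sizing only."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.x"

def decode_payload(token: str) -> dict:
    """Read the claims segment of a JWT without verifying it (diagnostic use only)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def serialized_size(claims: dict) -> int:
    """Approximate cookie bytes for a claim set: compact JSON, then base64url (an assumption)."""
    return len(b64url(json.dumps(claims, separators=(",", ":")).encode()))

def claim_budget(claims: dict, limit: int = COOKIE_LIMIT):
    """Return (total_bytes, fits, heaviest_claims) to show what is bloating the session."""
    total = serialized_size(claims)
    per_claim = sorted(((k, serialized_size({k: v})) for k, v in claims.items()),
                       key=lambda kv: kv[1], reverse=True)
    return total, total <= limit, per_claim[:5]

def essential_only(claims: dict, keep=("sub", "aud", "token_use", "email", "fullname")) -> dict:
    """Keep just the claims a login needs; the effect the author sought via AUTH_OIDC_SCOPE."""
    return {k: v for k, v in claims.items() if k in keep}

if __name__ == "__main__":
    claims = decode_payload(make_unsigned_token(SAMPLE_CLAIMS))
    for label, c in (("full profile", claims), ("essential claims", essential_only(claims))):
        total, fits, heaviest = claim_budget(c)
        print(f"{label}: {total} bytes, fits={fits}, heaviest={heaviest[:3]}")
```

Running it against a real ID token copied from the frontend DEBUG log shows whether the identity provider is still sending the extra attributes after the scope change, which is the condition the thread ended on.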