AndreaVida commented on issue #12360: URL: https://github.com/apache/apisix/issues/12360#issuecomment-3003864088
Hi, I got the same issue as well, which I think is due to the `lua-resty-openidc` library being unable to handle the state of 2 or more concurrent login sessions (see [lua-resty-openidc/issues/482](https://github.com/zmartzone/lua-resty-openidc/issues/482)). When this happens, the apisix logs show these errors:

```
2025/06/23 15:04:32 [error] 51#51: *125572 [lua] openidc.lua:1106: authenticate(): state from argument: 0719c5fc06a12354487e0a531b31689c does not match state restored from session: 065c3b3ba7625fafe9e670355571841a, client: 10.42.0.3, server: _, request: "GET /callback?state=0719c5fc06a12354487e0a531b31689c&session_state=b0648d29-742a-4c7b-b0d6-6bb07dd0988f&iss=https%3A%2F%2Fportal.10.60.66.58.nip.io%3A31390%2Fauth%2Frealms%2Fmaster&code=1a4bc137-6c1c-4b2c-b92e-da93568e4a72.b0648d29-742a-4c7b-b0d6-6bb07dd0988f.3001bb42-4e21-4549-9201-b285c591db20 HTTP/1.1", host: "portal.10.60.66.58.nip.io:31390"
2025/06/23 15:04:32 [error] 51#51: *125572 [lua] openid-connect.lua:588: phase_func(): OIDC authentication failed: state from argument does not match state restored from session, client: 10.42.0.3, server: _, request: "GET /callback?state=0719c5fc06a12354487e0a531b31689c&session_state=b0648d29-742a-4c7b-b0d6-6bb07dd0988f&iss=https%3A%2F%2Fportal.10.60.66.58.nip.io%3A31390%2Fauth%2Frealms%2Fmaster&code=1a4bc137-6c1c-4b2c-b92e-da93568e4a72.b0648d29-742a-4c7b-b0d6-6bb07dd0988f.3001bb42-4e21-4549-9201-b285c591db20 HTTP/1.1", host: "portal.10.60.66.58.nip.io:31390"
2025/06/23 15:04:32 [warn] 51#51: *125572 [lua] plugin.lua:1174: run_plugin(): openid-connect exits with http status code 500, client: 10.42.0.3, server: _, request: "GET /callback?state=0719c5fc06a12354487e0a531b31689c&session_state=b0648d29-742a-4c7b-b0d6-6bb07dd0988f&iss=https%3A%2F%2Fportal.10.60.66.58.nip.io%3A31390%2Fauth%2Frealms%2Fmaster&code=1a4bc137-6c1c-4b2c-b92e-da93568e4a72.b0648d29-742a-4c7b-b0d6-6bb07dd0988f.3001bb42-4e21-4549-9201-b285c591db20 HTTP/1.1", host: "portal.10.60.66.58.nip.io:31390"
```
The user instead gets a 500 error returned from the /callback endpoint call:

`GET https://portal.10.60.66.58.nip.io:31390/callback?state=0719c5fc06a12354487e0a531b31689c&session_state=b0648d29-742a-4c7b-b0d6-6bb07dd0988f&iss=https%3A%2F%2Fportal.10.60.66.58.nip.io%3A31390%2Fauth%2Frealms%2Fmaster&code=1a4bc137-6c1c-4b2c-b92e-da93568e4a72.b0648d29-742a-4c7b-b0d6-6bb07dd0988f.3001bb42-4e21-4549-9201-b285c591db20`

However, the user is actually already logged in despite the error, so redirecting the browser to a valid page is enough to bypass it. IMHO what apisix can do in this case is to catch the error coming from the library and redirect the browser to the originally requested redirect_uri; I believe in most of the cases this will work fine and transparently.
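The following is an added illustration of the mechanism described in the comment above; it is not code from apisix or from lua-resty-openidc. It models two ways a relying party can remember the OIDC `state` it issued: a single session slot (which, as the comment suggests, a second concurrent login overwrites, so the first tab's callback no longer matches) and a small per-session table of pending states with a cap and a TTL. The `handle_callback` function also models the comment's proposal: when the state does not match but the session is already authenticated, answer with a redirect to a fixed local landing page instead of an error, while an unauthenticated mismatch is still rejected. Every name here (`Session`, `start_login`, `handle_callback`, `DEFAULT_LANDING`, the `"alice"` user) is an assumption made for the example.

```python
"""Added example, not apisix/lua-resty-openidc code: models OIDC login-state
tracking under two concurrent login flows and a safer callback handling.
All names and the "alice" user are constructed for illustration."""
import secrets
import time

MAX_PENDING = 5        # assumed cap on outstanding logins per session
STATE_TTL = 300        # assumed lifetime (seconds) of an issued state
DEFAULT_LANDING = "/"  # fixed local path; never taken from the callback query


class Session:
    """Server-side session for one browser (assumed shape)."""

    def __init__(self):
        self.user = None              # set once a callback completes a login
        self.pending = {}             # state -> (redirect_uri, issued_at)
        self.single_slot_state = None  # models a library keeping one state only


def start_login(session, redirect_uri, now=None, single_slot=False):
    """Issue a fresh state for an authorization request and remember it."""
    now = time.time() if now is None else now
    state = secrets.token_hex(16)
    if single_slot:
        # A second concurrent login silently replaces the first one's state.
        session.single_slot_state = (state, redirect_uri)
        return state
    # Multi-slot store: drop expired entries, then evict the oldest if full.
    session.pending = {s: v for s, v in session.pending.items()
                       if now - v[1] < STATE_TTL}
    if len(session.pending) >= MAX_PENDING:
        oldest = min(session.pending, key=lambda s: session.pending[s][1])
        del session.pending[oldest]
    session.pending[state] = (redirect_uri, now)
    return state


def _consume_state(session, state, now, single_slot):
    """Return the redirect_uri bound to `state` if it is valid, else None."""
    if single_slot:
        entry = session.single_slot_state
        if entry is not None and secrets.compare_digest(entry[0], state):
            session.single_slot_state = None   # one-time use
            return entry[1]
        return None
    entry = session.pending.pop(state, None)   # one-time use
    if entry is not None and now - entry[1] < STATE_TTL:
        return entry[0]
    return None


def handle_callback(session, state, now=None, single_slot=False):
    """Model of the /callback handler. Returns (status, location)."""
    now = time.time() if now is None else now
    redirect_uri = _consume_state(session, state, now, single_slot)
    if redirect_uri is not None:
        session.user = "alice"   # token exchange with the IdP omitted here
        return (302, redirect_uri)
    # State mismatch. The comment's proposal: if this browser already holds an
    # authenticated session, send it somewhere useful instead of a 500. No
    # login is performed from the mismatching code, and the target is a fixed
    # local path so the mismatch cannot become an open redirect.
    if session.user is not None:
        return (302, DEFAULT_LANDING)
    # Unauthenticated mismatch: reject, as a CSRF check must.
    return (400, None)


if __name__ == "__main__":
    # Two tabs start a login before either callback returns.
    s = Session()
    a = start_login(s, "/app1", now=0, single_slot=True)
    b = start_login(s, "/app2", now=1, single_slot=True)
    print(handle_callback(s, a, now=2, single_slot=True))  # (400, None): overwritten
    print(handle_callback(s, b, now=3, single_slot=True))  # (302, '/app2')
    print(handle_callback(s, a, now=4, single_slot=True))  # (302, '/'): logged in
    t = Session()
    a = start_login(t, "/app1", now=0)
    b = start_login(t, "/app2", now=1)
    print(handle_callback(t, a, now=2), handle_callback(t, b, now=3))
```

With the single-slot store the first tab's callback fails exactly as in the logs above (the library reports a 500 where this model answers 400), and only after the second tab has completed the login does the retried first callback get redirected. With the multi-slot store both tabs complete. Either way a mismatching state on an unauthenticated session is still rejected, because the state check is what binds the callback to the browser that started the flow.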