By: Janis Kulins user 14 Feb 2023 at 8:25 a.m. CST

6 Responses
Hello, is there any way to add the state detail to the error response after a failed authentication (i.e. error=login_required etc.)? At the moment the error_description, hint and error values are returned. The state attribute is present in the original request. Thank you. The state detail is required according to: https://openid.net/specs/openid-connect-core-1_0.html#AuthError 3.1.2.6. Authentication Error Response

By Aliaksandr Samuseu staff 16 Feb 2023 at 2:58 p.m. CST

Hi, Janis. No additional actions should be needed if it's a required parameter according to the spec. Could you please describe the conditions under which the issue occurs? Having the actual authorization request that triggers it would be great; can you share it?

By Janis Kulins user 17 Feb 2023 at 5:28 a.m. CST

Hello, the problem appears when, for example, error=login_required is returned to the client (remote error handling method). Here are some fragments from the HTTP log (headers cropped out):

req: 2023-02-13 10:35:49,735 DEBUG [qtp2114444063-19] [org.gluu.oxauth.audit.debug.ServletLoggingFilter] (ServletLoggingFilter.java:91) - {"senderIP":"127.0.0.1","method":"GET","path":"/oxauth/restv1/authorize","params": {"mdsessionid":"203900000000009E78","scope":"openid profile persistentId","acr_values":"secure","response_type":"code","redirect_uri":"https://callback.url","state":"d2758ceb-a03c-563d-8000-00000489c07b","nonce":"eA3NSJ9","prompt":"login","client_id":"54tgrgf34-0c44-49fb-8a0e-1det43tg3a0d"}

..............

resp: 2023-02-13 10:35:57,854 DEBUG [qtp2114444063-19] [org.gluu.oxauth.audit.debug.ServletLoggingFilter] (ServletLoggingFilter.java:92) - {"status":302,"headers": {"Set-Cookie":"csfcfc=bfF1z9l%2BkzXct43t4tgQOv%2F%2F%2Bg%3D%3D; Path=/oxauth; Secure; HttpOnly","Expires":"Thu, 01 Jan 1970 00:00:00 GMT","Location":"https://callback.url?error_description=The+Authorization+Server+requires+End-User+authentication.+This+error+MAY+be+returned+when+the+prompt+parameter+in+the+Authorization+Request+is+set+to+none+to+request+that+the+Authorization+Server+should+not+display+any+user+interfaces+to+the+End-User%2C+but+the+Authorization+Request+cannot+be+completed+without+displaying+a+user+interface+for+user+authentication.&hint=Create+authorization+request+to+start+new+authentication+session.&error=login_required"} }
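The spec point raised in the first post and the log excerpt above can be checked mechanically. The following is an added example (not code from the thread, from Gluu or from oxAuth): it pairs an /authorize request with its 302 redirect in ServletLoggingFilter-style log lines and reports whether the error response echoes the request's state, and it shows the check a relying party should apply on its side before trusting an error callback. The log lines are constructed for the example (same JSON shape as the excerpt, shortened values); the `parse_payload` regex assumes the JSON payload follows " - " on one line, as in the excerpt.

```python
"""Audit whether OIDC authorization error redirects echo the request's state.

Constructed example; the log lines below are modelled on the thread's
ServletLoggingFilter excerpt, not real Gluu output."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: two request/response pairs. The first response
# (login_required) lacks state, as in the thread; the second (unauthorized_client)
# echoes it, as Harri reports for that error code.
SAMPLE_LOG = [
    '2023-02-13 10:35:49,735 DEBUG [qtp-19] (ServletLoggingFilter.java:91) - '
    '{"senderIP":"127.0.0.1","method":"GET","path":"/oxauth/restv1/authorize",'
    '"params":{"scope":"openid","response_type":"code",'
    '"redirect_uri":"https://callback.url","state":"d2758ceb-a03c-563d-8000-00000489c07b",'
    '"nonce":"eA3NSJ9","prompt":"login","client_id":"example-client"}}',
    '2023-02-13 10:35:57,854 DEBUG [qtp-19] (ServletLoggingFilter.java:92) - '
    '{"status":302,"headers":{"Location":"https://callback.url?'
    'error_description=End-User+authentication+required.'
    '&hint=Create+authorization+request.&error=login_required"}}',
    '2023-02-13 10:36:10,001 DEBUG [qtp-20] (ServletLoggingFilter.java:91) - '
    '{"senderIP":"127.0.0.1","method":"GET","path":"/oxauth/restv1/authorize",'
    '"params":{"scope":"openid","response_type":"code",'
    '"redirect_uri":"https://callback.url","state":"abc123","client_id":"other-client"}}',
    '2023-02-13 10:36:10,020 DEBUG [qtp-20] (ServletLoggingFilter.java:92) - '
    '{"status":302,"headers":{"Location":"https://callback.url?'
    'error=unauthorized_client&error_description=Not+authorized.&state=abc123"}}',
]

# Assumption: the JSON payload is the text after " - " on a single log line.
PAYLOAD_RE = re.compile(r" - (\{.*\})\s*$")


def parse_payload(line):
    """Return the JSON object logged on this line, or None if there is none."""
    match = PAYLOAD_RE.search(line)
    return json.loads(match.group(1)) if match else None


def error_response_state(location):
    """Return (error, state) from a redirect URL; either is None if absent.

    Error responses may be carried in the query (code flow) or in the
    fragment (implicit/hybrid flows), so both are inspected."""
    parts = urlsplit(location)
    params = parse_qs(parts.query) or parse_qs(parts.fragment)
    return params.get("error", [None])[0], params.get("state", [None])[0]


def audit_authorize_exchange(lines):
    """Pair each /authorize request with the next 302 error redirect and report
    whether the response carries the state the client sent. OIDC Core 3.1.2.6
    (via RFC 6749 4.1.2.1) requires state in the error response whenever the
    request included it."""
    request_state = None
    findings = []
    for line in lines:
        payload = parse_payload(line)
        if payload is None:
            continue
        if payload.get("path", "").endswith("/authorize"):
            request_state = payload.get("params", {}).get("state")
        elif payload.get("status") == 302:
            error, response_state = error_response_state(
                payload.get("headers", {}).get("Location", ""))
            if error is None:
                continue  # a success redirect, not an error response
            findings.append({
                "error": error,
                "request_state": request_state,
                "response_state": response_state,
                "state_ok": request_state is None or response_state == request_state,
            })
    return findings


def client_should_accept_error_callback(stored_state, callback_url):
    """Relying-party side: only act on an error callback whose state matches the
    value stored for the pending request; a missing or foreign state means the
    callback cannot be tied to a request this client started."""
    error, state = error_response_state(callback_url)
    return error is not None and state is not None and state == stored_state


if __name__ == "__main__":
    for finding in audit_authorize_exchange(SAMPLE_LOG):
        print(finding)
```

Running the block prints one finding per error redirect; the login_required entry shows `state_ok: False` because the Location has no state, while the unauthorized_client entry passes. The client-side check is the other half of the picture: a relying party that accepts an error callback without a matching state cannot tell whether the redirect belongs to a session it started, which is the reason the spec makes the parameter mandatory in error responses as well as in success responses.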

By Janis Kulins user 13 Mar 2023 at 2:54 a.m. CDT

Hello, do you need any additional details for investigation? Thank you.

By Mohib Zico staff 28 Mar 2023 at 12:13 p.m. CDT

Assigning to @Mobarak Hosen.Shakil

By Mobarak Hosen Shakil staff 30 Mar 2023 at 12:14 a.m. CDT

Hi, Janis! Can you please share a screenshot of your error page? Please check the attached image, where the state is visible in the authentication error response. Regards ~ Shakil

By Harri Kerko user 19 Feb 2024 at 3:50 a.m. CST

Hi, we have also noticed the same. The error response is missing the state parameter in some cases, e.g. with access_denied (The resource owner or authorization server denied the request.). In some cases state is returned, e.g. unauthorized_client (The client is not authorized to request an access token using this method.).