By: Geoff Baker user 31 Jul 2019 at 8:56 p.m. CDT

5 Responses
Geoff Baker gravatar
Using oxd-server 3.1.4 and nodejs, based on the oxd-node-demo site. I can log a user in using the authorization_url, but if I refresh the page and use the state and code stored in the query string I get an error:

```
2019-08-01 11:45:27,976 ERROR [org.xdi.oxd.server.Processor] ErrorResponseException{errorResponseCode=ErrorResponseCode{value='bad_request', description=''state' is not registered.'}}
    at org.xdi.oxd.server.op.GetTokensByCodeOperation.validate(GetTokensByCodeOperation.java:112)
    at org.xdi.oxd.server.op.GetTokensByCodeOperation.execute(GetTokensByCodeOperation.java:43)
    at org.xdi.oxd.server.op.GetTokensByCodeOperation.execute(GetTokensByCodeOperation.java:28)
    at org.xdi.oxd.server.Processor.process(Processor.java:74)
    at org.xdi.oxd.server.Processor.process(Processor.java:49)
    at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:55)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
2019-08-01 11:45:27,976 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"bad_request","details":null,"error_description":"'state' is not registered."}}
```

The javascript stub where the error occurs is:

```javascript
if (req.query.code && req.query.state) {
    // code and state taken straight from the callback query string
    oSetting.state = req.query.state;
    oSetting.code = req.query.code;
    oxd.get_tokens_by_code(oSetting, function (err, resTokenCode) {
        // ... handle err / resTokenCode
    });
}
```

Thanks for your help.

By Meghna Joshi staff 01 Aug 2019 at 2:40 a.m. CDT

Meghna Joshi gravatar
Hi Geoff, Yes, it is correct, because the demo app already used this state and code. `oxd-node-demo` is just a simple demo of the OIDC code flow with OXD Server. You need to clear it from the URL, which we missed in the demo. Note: I would like to suggest using our latest OXD 4.0 Beta. The OXD 4.0 Beta version is now open for the community. It supports the HTTP protocol; you just need to use HTTP requests to use the OXD APIs. Please check the docs for more info: https://gluu.org/docs/oxd/4.0/ Thanks, Meghna Joshi

By Geoff Baker user 01 Aug 2019 at 7:24 p.m. CDT

Geoff Baker gravatar
Hi Meghna, Thanks for the reply. I'm a little confused though; I was under the impression that the "code" and "state" are dynamically provided by Gluu/OXD, and that using those values I can get a user's access token, and essentially validate that a user is authenticated? I will certainly have a look at 4.0. Thanks, Geoff

By Meghna Joshi staff 02 Aug 2019 at 2:16 a.m. CDT

Meghna Joshi gravatar
Hi Geoff, Using code and state, you are getting two tokens, `access_token` and `id_token`. The user is mainly authenticated by the `id_token` value check, which OXD already does. There is one more step: you can get `userinfo` using `access_token`, so if you get userinfo then your user is fully authenticated. Thank you, Meghna Joshi

By Geoff Baker user 04 Aug 2019 at 7:10 p.m. CDT

Geoff Baker gravatar
Thanks Meghna, That is the plan, but when I use code and state and call get_tokens_by_code is when I get the 'state is not defined' error?

Edit: I can confirm this is still occurring in oxd 4.0 beta, with the code snippet using the javascript swaggerised API:

```javascript
// get access and id tokens from code & state
opts = {
    'authorization': 'Bearer ' + access_token,
    'getTokensByCodeParams': {
        'oxd_id': oSetting.oxd_id,
        'code': req.query.code,
        'state': req.query.state
    }
};
oxdApi.getTokensByCode(opts, function (err, resTokenCode) {
    // ... handle err / resTokenCode
});
```

The code works if I get redirected from the /authorization-url (i.e. logged in), but if I refresh the page I get the "state not registered" error. I would like to be able to use these values (possibly stored in a cookie or session) so a user can stay authenticated to my site... Thanks, Geoff

By Meghna Joshi staff 05 Aug 2019 at 2:38 a.m. CDT

Meghna Joshi gravatar
Hi Geoff, `code` and `state` are one-time use only. After authentication you don't really need these values; you need to remove them from the URL and set an application session (use some nodejs session technique). After this, add some code in your app that just checks the session: if the session is available then treat the user as logged in; if it is not available then start the authentication flow again from the beginning, i.e. `/authorization-url`. Thanks, Meghna Joshi