avoiding repeated redirects

By: Carl Buxbaum user 03 Jun 2016 at 8:46 a.m. CDT

8 Responses
Carl Buxbaum gravatar
Hi, with a token in my browser, going to the gluu server, the browser gets an access denied message and repeated redirects. Here is the URL in the location: https://ec2-54-213-90-148.us-west-2.compute.amazonaws.com/identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request. Here is a screenshot of the network access: https://www.dropbox.com/s/c8tofd0u29b51lx/Screen%20Shot%202016-06-03%20at%209.38.52%20AM.png?dl=0 And here is the log information from the httpd server: ec2-54-213-90-148.us-west-2.compute.amazonaws.com:443 107.1.78.42 - - [03/Jun/2016:13:43:52 +0000] "GET /identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request. HTTP/1.1" 200 945 "https://ec2-54-213-90-148.us-west-2.compute.amazonaws.com/identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request." "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36" ec2-54-213-90-148.us-west-2.compute.amazonaws.com:443 107.1.78.42 - - [03/Jun/2016:13:43:52 +0000] "GET /identity/org.richfaces.resources/javax.faces.resource/org.richfaces.staticResource/4.3.7.Final/PackedCompressed/emeraldTown/skinning_both.css HTTP/1.1" 200 1862 "https://ec2-54-213-90-148.us-west-2.compute.amazonaws.com/identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request." "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36" ec2-54-213-90-148.us-west-2.compute.amazonaws.com:443 107.1.78.42 - - [03/Jun/2016:13:43:53 +0000] "GET /identity/authentication/getauthcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request. HTTP/1.1" 302 307 "https://ec2-54-213-90-148.us-west-2.compute.amazonaws.com/identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request." "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36" ec2-54-213-90-148.us-west-2.compute.amazonaws.com:443 107.1.78.42 - - [03/Jun/2016:13:43:53 +0000] "GET /identity/home?cid=2650 HTTP/1.1" 302 308 "https://ec2-54-213-90-148.us-west-2.compute.amazonaws.com/identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request." "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36" ec2-54-213-90-148.us-west-2.compute.amazonaws.com:443 107.1.78.42 - - [03/Jun/2016:13:43:53 +0000] "GET /identity/login?cid=2650 HTTP/1.1" 302 585 "https://ec2-54-213-90-148.us-west-2.compute.amazonaws.com/identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request." "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36" ec2-54-213-90-148.us-west-2.compute.amazonaws.com:443 107.1.78.42 - - [03/Jun/2016:13:43:53 +0000] "GET /oxauth/authorize?scope=openid+profile+email+user_name&response_type=code+id_token&nonce=nonce&redirect_uri=https%3A%2F%2Fec2-54-213-90-148.us-west-2.compute.amazonaws.com%2Fidentity%2Fauthentication%2Fauthcode&client_id=%40%21EF28.78F4.1E35.23CC%210001%2168FA.BC88%210008%211F36.5E92&acr_values=basic HTTP/1.1" 302 450 "https://ec2-54-213-90-148.us-west-2.compute.amazonaws.com/identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request." "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36" ec2-54-213-90-148.us-west-2.compute.amazonaws.com:443 107.1.78.42 - - [03/Jun/2016:13:43:53 +0000] "GET /identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request. HTTP/1.1" 200 945 "https://ec2-54-213-90-148.us-west-2.compute.amazonaws.com/identity/authentication/authcode?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request." "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36" How will we be able to avoid this circumstance once we start using this in production? Thanks, Carl
U1404
closed

Answers

By Mohib Zico staff 03 Jun 2016 at 9:08 a.m. CDT

Copy
Mohib Zico gravatar
oxauth.log should show the reason...

By Carl Buxbaum user 03 Jun 2016 at 9:13 a.m. CDT

Copy
Carl Buxbaum gravatar
This is probably it. Is there a setting that would prevent the browser from constant retries? 2016-06-03 13:45:47,457 DEBUG [org.gluu.site.ldap.persistence.AbstractEntryManager] LdapProperty: permissionGrantedMap, AttributeName: oxAuthPermissionGrantedMap, AttributeValue: [{"permissionGranted":{"@!EF28.78F4.1E35.23CC!0001!68FA.BC88!0008!8A64.5352":true}}] 2016-06-03 13:45:47,457 DEBUG [org.gluu.site.ldap.persistence.AbstractEntryManager] LdapProperty: sessionAttributes, AttributeName: oxAuthSessionAttribute, AttributeValue: [{"scope":"openid profile user_name email","response_type":"code","redirect_uri":"http://localhost:8080/tradestone-2015R1/LoginSubmit.do","auth_step":"1","client_id":"@!EF28.78F4.1E35.23CC!0001!68FA.BC88!0008!8A64.5352","acr":"basic"}] 2016-06-03 13:45:47,457 DEBUG [org.gluu.site.ldap.persistence.AbstractEntryManager] LdapProperty: state, AttributeName: oxState, AttributeValue: [authenticated] 2016-06-03 13:45:47,457 DEBUG [org.gluu.site.ldap.persistence.AbstractEntryManager] LdapProperty: userDn, AttributeName: oxAuthUserDN, AttributeValue: [inum=@!EF28.78F4.1E35.23CC!0001!68FA.BC88!0000!F0E0.FB89,ou=people,o=@!EF28.78F4.1E35.23CC!0001!68FA.BC88,o=gluu] 2016-06-03 13:45:47,457 DEBUG [org.jboss.seam.Component] trying to inject with hierarchical context search: ldapEntryManager 2016-06-03 13:45:47,457 DEBUG [org.jboss.seam.Component] trying to inject with hierarchical context search: authenticationService 2016-06-03 13:45:47,457 DEBUG [xdi.oxauth.authorize.ws.rs.AuthorizeAction] There is already existing session which has another acr then basic, session: 01bbd017-603e-47d5-9497-4280b376d389 2016-06-03 13:45:47,457 ERROR [xdi.oxauth.authorize.ws.rs.AuthorizeAction] Please provide prompt=login to force login with new ACR or otherwise perform logout and re-authenticate. 2016-06-03 13:45:47,458 DEBUG [org.xdi.oxauth.model.error.ErrorResponseFactory] Looking for the error with id: access_denied 2016-06-03 13:45:47,458 DEBUG [org.xdi.oxauth.model.error.ErrorResponseFactory] Found error, id: access_denied 2016-06-03 13:45:47,458 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 2906

By Mohib Zico staff 03 Jun 2016 at 11:51 p.m. CDT

Copy
Mohib Zico gravatar
>> [xdi.oxauth.authorize.ws.rs.AuthorizeAction] There is already existing session which has another acr then basic, session: 01bbd017-603e-47d5-9497-4280b376d389 2016-06-03 13:45:47,457 ERROR [xdi.oxauth.authorize.ws.rs.AuthorizeAction] Please provide prompt=login to force login with new ACR or otherwise perform logout and re-authenticate. Seems like new session is clashing with some active session.

By Carl Buxbaum user 06 Jun 2016 at 8:03 a.m. CDT

Copy
Carl Buxbaum gravatar
Yes, I understand that, but this should not start a cycle that has the potential to create an inadvertant DOS on the server. If there are enough of these sessions floating around, it could cause a problem. There ought to be a limit at which point the server stops redirecting back to itself. Please take a look at the logs I have quoted. There does not appear to be any interaction with our app, so the repeated and endless activity on the server seems to be totally within the control of the GLUU server.

By Michael Schwartz Account Admin 07 Jun 2016 at 10:29 a.m. CDT

Copy
Michael Schwartz gravatar
Yuriy, can you take a look at this and see if we need a github issue as Carl suggest?

By Yuriy Movchan staff 15 Jun 2016 at 2:11 p.m. CDT

Copy
Yuriy Movchan gravatar
Hi, I can't reproduce it in 2.4.4 beta1. I logged in using acr_values=basic. After that I tried to send autorization request in same browser instance with acr_values=internal According to the [code](https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.java#L161) application should redirect user to redirect_uri if it can't handle acr change now. I think we resolved this issue in current code. In this file history in one older version there are lines which can led to this error. But in current code we removed them from code. Can you specify which oxAuth version are you using? Can you try to reproduce this issue in 2.4.4.beta1 once we will build it? Regards, Yura

By Yuriy Zabrovarnyy staff 16 Jun 2016 at 3:41 a.m. CDT

Copy
Yuriy Zabrovarnyy gravatar
It would be nice if you can record (or show screenshot) from Chrome Developer Tools -> Network (with preserved logs) during those redirects. Thanks, Yuriy Z

By Carl Buxbaum user 16 Jun 2016 at 1:02 p.m. CDT

Copy
Carl Buxbaum gravatar
Well it may not be a perfect screenshot, but I already included a link to it in my original message. Here it is again: https://www.dropbox.com/s/c8tofd0u29b51lx/Screen%20Shot%202016-06-03%20at%209.38.52%20AM.png?dl=0
Video or screenshot link

Post an answer