Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/03/16 18:47:13 UTC

[GitHub] [cloudstack] kohrar opened a new issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

kohrar opened a new issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127


   <!--
   Verify first that your issue/request is not already reported on GitHub.
   Also test if the latest release and main branch are affected too.
   Always add information AFTER of these HTML comments, but no need to delete the comments.
   -->
   
   ##### ISSUE TYPE
   <!-- Pick one below and delete the rest -->
    * Bug Report
   
   ##### COMPONENT NAME
   <!--
   Categorize the issue, e.g. API, VR, VPN, UI, etc.
   -->
   ~~~
   Authentication, SAML2
   ~~~
   
   ##### CLOUDSTACK VERSION
   <!--
   New line separated list of affected versions, commit ID for issues on main branch.
   -->
   
   ~~~
   4.16.1
   ~~~
   
   ##### CONFIGURATION
   <!--
   Information about the configuration if relevant, e.g. basic network, advanced networking, etc.  N/A otherwise
   -->
   SAML2 authentication is enabled and configured to Microsoft Azure
   
   ##### OS / ENVIRONMENT
   <!--
   Information about the environment if relevant, N/A otherwise
   -->
   Rocky Linux 8.5
   
   ##### SUMMARY
   <!-- Explain the problem/feature briefly -->
   CloudStack SSO works the first time on a clean browser session. However, after the user attempts to log out or when the CloudStack session expires, CloudStack will no longer allow the user to authenticate via SSO.
   
   What happens on subsequent SSO sign-in attempts is the user gets sent to the SAML2 server which redirects them back with the token. Everything is good up to here. However, CloudStack for some reason invalidates the session and the user is redirected back to the login page but this time with the 'Single Sign-On' option disabled.
   
   The management-server.log shows the SSO working initially.
   ```
   2022-03-16 12:00:24,504 DEBUG [c.c.a.ApiServlet] (qtp365590665-1149:ctx-a6c7c3f1) (logid:e18c4373) ===START===  ###.###.96.250 -- GET  command=samlSso&idpid=https://sts.windows.net/c609a0ec-a5e3-4631-9686-#########/
   2022-03-16 12:00:24,513 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (qtp365590665-1149:ctx-a6c7c3f1) (logid:e18c4373) Sending SAMLRequest id=idj8da8n95krcr1bco9r7h13a2008cfrv4
   2022-03-16 12:00:24,560 DEBUG [c.c.a.ApiServlet] (qtp365590665-1149:ctx-a6c7c3f1) (logid:e18c4373) ===END===  ###.###.96.250 -- GET  command=samlSso&idpid=https://sts.windows.net/c609a0ec-a5e3-4631-9686-#########/
   2022-03-16 12:00:25,340 DEBUG [c.c.a.ApiServlet] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) ===START===  ###.###.96.250 -- POST  command=samlSso
   2022-03-16 12:00:25,369 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) Received SAMLResponse in response to id=idj8da8n95krcr1bco9r7h13a2008cfrv4
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.microsoft.com/identity/claims/tenantid friendly-name:null value:c609a0ec-a5e3-4631-9686-#########
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.microsoft.com/identity/claims/objectidentifier friendly-name:null value:084f18c2-6e97-4d2e-9e09-4938baf5b6b8
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.microsoft.com/identity/claims/displayname friendly-name:null value:######## ########
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.microsoft.com/identity/claims/identityprovider friendly-name:null value:https://sts.windows.net/c609a0ec-a5e3-4631-9686-#########/
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.microsoft.com/claims/authnmethodsreferences friendly-name:null value:urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname friendly-name:null value:########
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname friendly-name:null value:########
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress friendly-name:null value:#########@##################
   2022-03-16 12:00:25,370 DEBUG [o.a.c.s.SAMLUtils] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) SAML attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name friendly-name:null value:#########@##################
   2022-03-16 12:00:25,374 DEBUG [c.c.u.AccountManagerImpl] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) Attempting to log in user: #########@################## in domain 1
   2022-03-16 12:00:25,385 DEBUG [o.a.c.s.SAML2UserAuthenticator] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) Trying SAML2 auth for user: #########@##################
   2022-03-16 12:00:25,391 DEBUG [c.c.u.AccountManagerImpl] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) CIDRs from which account 'Acct[403fe246-993a-4bec-8602-f935de97ea26-RCS] -- Account {"id": 7, "name": "RCS", "uuid": "403fe246-993a-4bec-8602-f935de97ea26"}' is allowed to perform API calls: 0.0.0.0/0,::/0
   2022-03-16 12:00:25,391 DEBUG [c.c.u.AccountManagerImpl] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) User: #########@################## in domain 1 has successfully logged in
   2022-03-16 12:00:25,397 INFO  [c.c.a.ApiServer] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) Current user logged in under UTC timezone
   2022-03-16 12:00:25,397 INFO  [c.c.a.ApiServer] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) Timezone offset from UTC is: 0.0
   2022-03-16 12:00:25,399 DEBUG [c.c.a.ApiServlet] (qtp365590665-1149:ctx-43bf32d6) (logid:d2efb5a3) ===END===  ###.###.96.250 -- POST  command=samlSso
   2022-03-16 12:00:30,138 DEBUG [c.c.a.ApiServlet] (qtp365590665-1150:ctx-182d1ee5) (logid:c66cc511) ===START===  ###.###.96.251 -- GET  listall=true&command=listZones&response=json
   2022-03-16 12:00:30,139 DEBUG [c.c.a.ApiServlet] (qtp365590665-1150:ctx-182d1ee5) (logid:c66cc511) ===END===  ###.###.96.251 -- GET  listall=true&command=listZones&response=json
   2022-03-16 12:00:30,145 DEBUG [c.c.a.ApiServlet] (qtp365590665-1149:ctx-05801923) (logid:c7905631) ===START===  ###.###.96.250 -- GET  command=listApis&response=json
   2022-03-16 12:00:30,145 DEBUG [c.c.a.ApiServer] (qtp365590665-1149:ctx-05801923 ctx-a4a75c17) (logid:c7905631) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null
   2022-03-16 12:00:30,145 DEBUG [c.c.a.ApiServlet] (qtp365590665-1149:ctx-05801923 ctx-a4a75c17) (logid:c7905631) ===END===  ###.###.96.250 -- GET  command=listApis&response=json
   2022-03-16 12:00:30,159 DEBUG [c.c.a.ApiServlet] (qtp365590665-1155:ctx-627512a2) (logid:8b94f06a) ===START===  ###.###.96.253 -- GET  command=listCapabilities&response=json
   2022-03-16 12:00:30,160 DEBUG [c.c.a.ApiServer] (qtp365590665-1155:ctx-627512a2 ctx-92910815) (logid:8b94f06a) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null
   2022-03-16 12:00:30,160 DEBUG [c.c.a.ApiServlet] (qtp365590665-1157:ctx-1b86257d) (logid:c0d262f3) ===START===  ###.###.96.250 -- GET  username=#########%40##################&command=listUsers&response=json
   2022-03-16 12:00:30,160 DEBUG [c.c.a.ApiServer] (qtp365590665-1157:ctx-1b86257d ctx-376c121e) (logid:c0d262f3) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null
   2022-03-16 12:00:30,160 DEBUG [c.c.a.ApiServlet] (qtp365590665-1155:ctx-627512a2 ctx-92910815) (logid:8b94f06a) ===END===  ###.###.96.253 -- GET  command=listCapabilities&response=json
   2022-03-16 12:00:30,160 DEBUG [c.c.a.ApiServlet] (qtp365590665-1157:ctx-1b86257d ctx-376c121e) (logid:c0d262f3) ===END===  ###.###.96.250 -- GET  username=#########%40##################&command=listUsers&response=json
   2022-03-16 12:00:30,164 DEBUG [c.c.a.ApiServlet] (qtp365590665-1153:ctx-56829601) (logid:11ce94ee) ===START===  ###.###.96.253 -- GET  command=listLdapConfigurations&response=json
   2022-03-16 12:00:30,164 DEBUG [c.c.a.ApiServer] (qtp365590665-1153:ctx-56829601 ctx-afefa441) (logid:11ce94ee) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null
   2022-03-16 12:00:30,164 DEBUG [c.c.a.ApiServlet] (qtp365590665-1153:ctx-56829601 ctx-afefa441) (logid:11ce94ee) ===END===  ###.###.96.253 -- GET  command=listLdapConfigurations&response=json
   2022-03-16 12:00:30,168 DEBUG [c.c.a.ApiServlet] (qtp365590665-1156:ctx-3d6d3ba3) (logid:c3876972) ===START===  ###.###.96.251 -- GET  command=cloudianIsEnabled&response=json
   2022-03-16 12:00:30,168 DEBUG [c.c.a.ApiServer] (qtp365590665-1156:ctx-3d6d3ba3 ctx-71161310) (logid:c3876972) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null
   2022-03-16 12:00:30,168 DEBUG [c.c.a.ApiServlet] (qtp365590665-1156:ctx-3d6d3ba3 ctx-71161310) (logid:c3876972) ===END===  ###.###.96.251 -- GET  command=cloudianIsEnabled&response=json
   ```
   
   The workaround is to completely wipe all cookies and start over, or to use CloudStack in an incognito session.
   
   Local accounts work as expected. However, logging in and out with a local account does not fix the SSO issue.
   
   
   ##### STEPS TO REPRODUCE
   <!--
   For bugs, show exactly how to reproduce the problem, using a minimal test-case. Use Screenshots if accurate.
   
   For new features, show how the feature would be used.
   -->
   
   <!-- Paste example playbooks or commands between quotes below -->
   ~~~
   1. Log in with Single Sign-On method
   2. Once in the management console, click log out or let the session time out
   3. On the login page, observe that the SSO option is disabled. Refresh the page with shift+f5 which brings the option back.
   4. Click on Single Sign-On and log in again
   ~~~
   
   <!-- You can also paste gist.github.com links for larger files -->
   
   ##### EXPECTED RESULTS
   <!-- What did you expect to happen when running the steps above? -->
   
   ~~~
   Expect that subsequent SSO logins should work.
   ~~~
   
   ##### ACTUAL RESULTS
   <!-- What actually happened? -->
   
   <!-- Paste verbatim command output between quotes below -->
   ~~~
   Successful SSO authentication redirects me back to the login page.
   ~~~
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1069769438


   I looked at the authentication and session data a bit more and I think the issue might be related to the sessionkey being set multiple times in the cookies. 
   
   On the first try which succeeds, the cookie that's set has only one session key.
   ![image](https://user-images.githubusercontent.com/4450716/158712375-f31c85b5-a87e-4ea5-aa6d-7b49f765f2c2.png)
   
   On the second try, after logging out, the cookie that's set has two session keys with the original key at the beginning.
   ![image](https://user-images.githubusercontent.com/4450716/158712238-431446ec-25d1-4f35-8221-d274d7be961a.png)





[GitHub] [cloudstack] nvazquez commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
nvazquez commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1086061538


   Hi @kohrar - can you please test this PR: https://github.com/apache/cloudstack/pull/6193 if it solves your issue?





[GitHub] [cloudstack] kohrar edited a comment on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar edited a comment on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1070322444


   The two session cookies have a different path. One has `/client`, and the other has `/client/api`.
   ![image](https://user-images.githubusercontent.com/4450716/158737132-ae3f134b-3572-484c-b48d-d78c116f9f4f.png)
   
   Please correct me if I'm wrong, but I believe the `/client/api` version is the one that should be in use. It's the version that exists when I sign in directly without SAML2.
   
   If that's true, the issue here is the `/client` version, which is being incorrectly set when we get redirected back from the SAML2 authentication server, which is defined by [`saml2.sp.sso.url`](https://github.com/apache/cloudstack/blob/main/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java#L46). Because no path is set, the cookie's path gets set to `/client` based on the URI path. I tried to change this so it included an extra slash (i.e. from `/client/api?command=samlSso` to `/client/api/?command=samlSso`), but that just made all the other cookies get set with the wrong path.
   
   I'll try patching in a path for this cookie, which is set in `SAMLUtils.java`, and see if that fixes the issue.
   





[GitHub] [cloudstack] nvazquez commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
nvazquez commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1086280463


   Thanks for testing @kohrar, that exceeds my Vue knowledge, but I would like some input from @utchoang @davidjumani @Pearl1594





[GitHub] [cloudstack] nvazquez commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
nvazquez commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1076568824


   Hi @kohrar - as advised by @weizhouapache, can you please try the latest UI from the main branch? In case it is fixed, then the PR https://github.com/apache/cloudstack/pull/6149 will not be needed.





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1074208394


   It looks like there's an uncaught promise in Login.vue in the fetchData. I'm not great with JS or Vue. It's possible that the recent upgrade to Vue in #5151 would fix the issue. I'll wait until 4.17 and see if those changes fix the SSO button issue.





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1074176296


   I started with CloudStack since 4.15 which I think is the first version to use the redesigned UI.
   
   I didn't have this issue in 4.15. In 4.15, after clicking on logout, I get redirected to a login page. Looking at the network calls, I see a call to `/client/api/?command=listIdps&response=json` when I get shown the login page.
   
   In 4.16.1, I don't see this behavior unless I do a full page refresh. I think something isn't populating the idps list in vue and is causing the button to be disabled. 





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1070322444


   The two session cookies have a different path. One has `/client`, and the other has `/client/api`.
   ![image](https://user-images.githubusercontent.com/4450716/158737132-ae3f134b-3572-484c-b48d-d78c116f9f4f.png)
   
   Please correct me if I'm wrong, but I believe the `/client/api` version is the one that should be in use. It's the version that exists when I sign in directly without SAML2.
   
   If that's true, the issue here is the `/client` version, which is being incorrectly set when we get redirected back from the SAML2 authentication server, which is defined by [`saml2.sp.sso.url`](https://github.com/apache/cloudstack/blob/main/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java#L46). Because no path is set, the cookie's path gets set to `/client`. I tried to change this so it included an extra slash (i.e. `/client/api?command=samlSso`), but that just made all the other cookies get set with the wrong path.
   
   I'll try patching in a path for this cookie, which is set in `SAMLUtils.java`, and see if that fixes the issue.
   





[GitHub] [cloudstack] weizhouapache commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1076093195


   This may be related to #5481, #5855, #5487.





[GitHub] [cloudstack] weizhouapache commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1074244025


   @kohrar 
   You can test the new UI on your local machine (no need to install it on the management server).
   See https://github.com/apache/cloudstack/blob/main/ui/README.md#development
   
   Just change the .env.local.
   





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1077889321


   I might be talking rubbish since I'm not familiar with JS or Vue, but looking through the UI code, [requests will be cancelled when the source token is cancelled](https://github.com/apache/cloudstack/blob/main/ui/src/utils/request.js#L135). When we call [logout](https://github.com/apache/cloudstack/blob/main/ui/src/api/index.js#L62), we cancel the source token which would cancel any API request as well. Would this be the cause?





[GitHub] [cloudstack] weizhouapache commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1077895618


   Thanks @kohrar 
   
   cc @utchoang @davidjumani @shwstppr 
   Can you have a look at this issue?





[GitHub] [cloudstack] weizhouapache commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1073987877


   > Adding `Path=/client/api` to the sessionkey cookie that gets set in `SAMLUtils` did seem to fix this issue. I'm not sure why this issue only started to appear though, unless something changed recently with handling duplicate session cookie values?
   > 
   > The remaining issue is the Single Sign-On button appears disabled when the user hits the login page after logging out or timing out. It only re-enables after refreshing the page.
   
   @kohrar 
   Great. Could you create a pull request?





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1077871683


   Hi @nvazquez. If I understand the problem properly, the issue addressed by PR #6149 isn't related to the UI issue because the sessionkey cookie is set by the SAML SSO API call after the client is redirected back from the IdP.
   
   @weizhouapache, I built the latest UI from the main branch and I'm still seeing the same behavior with the Single Sign-On button being disabled due to an uncaught promise in the Login.vue view. Here's what I'm seeing:
   ![cloudstacksso](https://user-images.githubusercontent.com/4450716/159975633-abcf67c8-3c70-4bbc-bf63-086a7ea7781a.gif)
   
   I'll do some more debugging on my end to see where the issue is. Any pointers would be great though.





[GitHub] [cloudstack] kohrar edited a comment on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar edited a comment on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1086188340


   Hi @nvazquez, I tried the PR against the latest commit on the main branch but I'm now getting an exception when loading the login page and the SAML2 login button no longer functions. The 'portal login' login button still works, however.
   
   Edit: So, if I set a language in the language menu, the exception goes away when I reload the page. However, the SSO login button still doesn't work.
   ~This is what I'm now seeing when I do a full page refresh on the login page:
   ![image](https://user-images.githubusercontent.com/4450716/161317197-cdf56445-7283-4c66-af3e-38019ec8314b.png)~
   
   I'll do some debugging, but any tips? Thanks!





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1086235163


   I reverted back to the 4.16.1 tag and applied your PR but it still has the same issue where the listIdps call fails which results in the SSO option being disabled. After reloading the login page again, the SSO option works again and the login button also works, so there's a regression somewhere that's breaking the SSO login button on the latest branch too.
   
   Here is 4.16.1 with PR #6193
   ![cloudstacksso2](https://user-images.githubusercontent.com/4450716/161325739-435a5fed-a17e-4981-8338-a2de922a0bfa.gif)
   
   Just to be clear, I deleted the node_modules and re-ran `npm install`/`npm run build` each time I built the UI for 4.16.1 and the latest main branch. Is there anything else I need to do, in case it's something in my environment that's causing this issue?
   





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1074161718


   Sure thing. I've created a pull request.
   
   I'm still not sure why this issue only started appearing in 4.16.1. I have an older 4.15 version of CloudStack which doesn't exhibit this behavior with the same SSO configuration.
   
   Furthermore, the Single Sign-On button becomes disabled in 4.16 after logging out. The button is disabled when [`idps.length === 0`](https://github.com/apache/cloudstack/blob/main/ui/src/views/auth/Login.vue) and it looks like the API call to list the IDPs isn't being made unless I do a full page refresh. I'll make another issue for this as it looks unrelated to the original authentication problem.





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1077911653


   I commented out [`sourceToken.cancel()`](https://github.com/apache/cloudstack/blob/main/ui/src/api/index.js#L63) in the logout function and the listIdps request now gets called and the Single Sign-On button works again after logging out. 
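The cancellation behaviour described in the two comments above (a source token shared by every API request is cancelled on logout, so the `listIdps` call issued by the login page is cancelled as well) can be reproduced without the UI. The following is an added example, not code from the CloudStack UI: `createCancelSource` is a small stand-in with the same check-before-dispatch semantics as an axios cancel token, `ApiClient` and its `rotateOnLogout` option are constructed names, and rotating to a fresh source after logout is a general pattern shown for contrast, not the project's fix.

```javascript
// Added example (not CloudStack UI code): a minimal cancel source with the
// check-before-dispatch semantics of an axios cancel token, and a tiny client
// that shows why cancelling one source shared by every request at logout also
// cancels the next request (listIdps) made by the login page.

// Constructed stand-in for a cancel-token source: once cancelled, every
// request that consults the token is rejected before it is dispatched.
function createCancelSource() {
  const token = {
    reason: null,
    throwIfRequested() {
      if (token.reason !== null) throw new Error(token.reason);
    },
  };
  return {
    token,
    cancel(reason) {
      if (token.reason === null) token.reason = reason || 'canceled';
    },
  };
}

// Constructed API client. With rotateOnLogout=false it keeps one source for
// its whole lifetime (the shared-token situation described in the thread);
// with rotateOnLogout=true it starts a fresh source after logout.
class ApiClient {
  constructor({ rotateOnLogout }) {
    this.rotateOnLogout = rotateOnLogout;
    this.source = createCancelSource();
    this.log = []; // every request and its outcome, for inspection
  }

  request(command) {
    let status;
    try {
      this.source.token.throwIfRequested(); // checked before dispatch
      status = 'sent';                       // a real client would send here
    } catch (e) {
      status = 'canceled';
    }
    const entry = { command, status };
    this.log.push(entry);
    return entry;
  }

  logout() {
    this.request('logout');
    // Cancel in-flight requests; pending work for the old session is dropped.
    this.source.cancel('Logout: cancel pending requests');
    if (this.rotateOnLogout) this.source = createCancelSource();
  }
}

// Replays: a request during the session, logout, then the login page's
// listIdps call. Returns the status of that last call.
function listIdpsStatusAfterLogout(rotateOnLogout) {
  const client = new ApiClient({ rotateOnLogout });
  client.request('listZones');
  client.logout();
  return client.request('listIdps').status;
}

console.log('shared source :', listIdpsStatusAfterLogout(false)); // canceled
console.log('rotated source:', listIdpsStatusAfterLogout(true));  // sent
```

With a single shared source the login page's `listIdps` request is rejected before it is ever sent, which is consistent with the disabled Single Sign-On button until a full page reload creates a new source; a fresh source per session keeps logout cancellation without disabling the next page's requests.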





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1086188340


   Hi @nvazquez, I tried the PR against the latest commit on the main branch but I'm now getting an exception when loading the login page and the SAML2 login button no longer functions. The 'portal login' login button still works, however.
   
   This is what I'm now seeing when I do a full page refresh on the login page:
   ![image](https://user-images.githubusercontent.com/4450716/161317197-cdf56445-7283-4c66-af3e-38019ec8314b.png)
   
   I'll do some debugging, but any tips? Thanks!





[GitHub] [cloudstack] kohrar edited a comment on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar edited a comment on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1070322444


   The two session cookies have a different path. One has `/client`, and the other has `/client/api`.
   ![image](https://user-images.githubusercontent.com/4450716/158737132-ae3f134b-3572-484c-b48d-d78c116f9f4f.png)
   
   Please correct me if I'm wrong, but I believe the `/client/api` version is the one that should be in use. It's the version that exists when I sign in directly without SAML2.
   
   If that's true, the issue here is the `/client` version, which is being incorrectly set when we get redirected back from the SAML2 authentication server, which is defined by [`saml2.sp.sso.url`](https://github.com/apache/cloudstack/blob/main/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java#L46). Because no path is set, the cookie's path gets set to `/client` based on the URI path. I tried to change this so it included an extra slash (i.e. `/client/api?command=samlSso`) but that just made all the other cookies set with the wrong path.
   
   I'll try patching in a path for this cookie, which is set in `SAMLUtils.java`, and see if that fixes the issue.
   





[GitHub] [cloudstack] kohrar commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
kohrar commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1070355276


   Adding `Path=/client/api` to the sessionkey cookie that gets set in `SAMLUtils` did seem to fix this issue. I'm not sure why this issue only started to appear though, unless something changed recently with handling duplicate session cookie values?
   
   The remaining issue is the Single Sign-On button appears disabled when the user hits the login page after logging out or timing out. It only re-enables after refreshing the page.


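The two comments above describe a session cookie that lands on `/client` because the SAML callback sets it without a `Path` attribute, and that is then sent alongside the `/client/api` cookie from a normal login. The following added example (not CloudStack code; the cookie values and the `sessionkey` scenario are constructed) reproduces the user-agent rules behind that: RFC 6265 default-path computation, path matching and ordering for a request, and a check that flags two same-name cookies the server would have to disambiguate.

```javascript
// Added example, not CloudStack code: RFC 6265 cookie-path behaviour that
// explains a sessionkey cookie at /client colliding with one at /client/api.

// Default path (RFC 6265 5.1.4): request URI path up to, not including, its last slash.
function defaultCookiePath(requestUrl) {
  const path = new URL(requestUrl, 'http://localhost').pathname;
  const lastSlash = path.lastIndexOf('/');
  return lastSlash <= 0 ? '/' : path.slice(0, lastSlash);
}

// Effective path of a Set-Cookie header: an explicit Path wins, else the default.
function effectiveCookiePath(setCookie, requestUrl) {
  for (const attr of setCookie.split(';').slice(1)) {
    const [key, val] = attr.trim().split('=');
    if (key.toLowerCase() === 'path' && val && val.startsWith('/')) return val;
  }
  return defaultCookiePath(requestUrl);
}

// Path-match rule from RFC 6265 5.1.4.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Cookies a user agent sends for requestPath, longer paths first (RFC 6265 5.4).
function cookiesForRequest(jar, requestPath) {
  return jar.filter((c) => pathMatches(requestPath, c.path))
            .sort((a, b) => b.path.length - a.path.length);
}

// Names that occur more than once in what would be sent: the ambiguity a server
// faces when the same session cookie was stored under two different paths.
function duplicateNames(cookies) {
  const seen = new Map();
  cookies.forEach((c) => seen.set(c.name, (seen.get(c.name) || 0) + 1));
  return [...seen].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed scenario: the SAML callback set sessionkey with no Path attribute,
// a later direct login set it under /client/api; both match a /client/api request.
const samlCallback = '/client/api?command=samlSso';
const jar = [
  { name: 'sessionkey', value: 'from-saml',
    path: effectiveCookiePath('sessionkey=from-saml; HttpOnly', samlCallback) },
  { name: 'sessionkey', value: 'from-login', path: '/client/api' },
];
const sent = cookiesForRequest(jar, '/client/api');
// With "Path=/client/api" on the SAML Set-Cookie, the second entry would instead
// overwrite the first (same name, same path) and duplicateNames(sent) is empty.
```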



[GitHub] [cloudstack] weizhouapache commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1074166496


   > I'm still not sure why this issue only started appearing in 4.16.1. I have an older 4.15 version of CloudStack which doesn't exhibit this behavior with the same SSO configuration.
   > 
   > Furthermore, the Single Sign-On button becomes disabled in 4.16 after logging out. The button is disabled when [`idps.length === 0`](https://github.com/apache/cloudstack/blob/main/ui/src/views/auth/Login.vue) and it looks like the API call to list the IDPs isn't being made unless I do a full page refresh. I'll make another issue for this as it looks unrelated to the original authentication problem.
   
   @kohrar 
   Did you mean the issue does not exist in the legacy UI?
   





[GitHub] [cloudstack] weizhouapache commented on issue #6127: SSO fails with error "Expired session, missing signature, or missing apiKey"

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #6127:
URL: https://github.com/apache/cloudstack/issues/6127#issuecomment-1075040161


   > It looks like there's an uncaught promise in Login.vue in the fetchData. I'm not great with JS or Vue. It's possible that the recent upgrade to Vue in #5151 would fix the issue. I'll wait until 4.17 and see if those changes fix the SSO button issue.
   
   @kohrar 
   Could you please test with the UI in the latest main branch?
   It looks more like a UI bug.




