
[Bug]: Cannot log in anymore after upgrade to v1.50.x

Open alfa-alex opened this issue 1 year ago • 8 comments

What happened?

After upgrading to v1.50.x (tried with both v1.50.0 and v1.50.1), I cannot log in to FusionAuth anymore. After login, I'm getting presented the login screen again (and no errors shown).

More specifically, when I log in via the login UI (no SSO), the POST request to the authorize endpoint redirects me to the consent endpoint, which redirects me to the authorize endpoint that returns a status 200 and the login form again.

Logins via SSO fail in a similar manner (i.e., I end up in the login screen without any error being shown).

The logs also don't contain any related / helpful message.

Versions up to v1.49.2 worked without problems.

I have a test environment that simply boots a FusionAuth instance against a postgres (all in docker) initiated from a simple kickstart.json and even there I can reproduce the problem. I wonder why no one else seems to have run into this yet. :thinking:

Workaround

This is due to setting the tenant level SSO session timeout too low. If you minimize this value, you must still set it high enough to allow users to complete a login workflow. This is application and context dependent. For example, submitting a required registration field or verifying an email address takes longer than a typical username and password login.

Do not set this to 0, as that will definitely trigger this bug.

Version

1.50.1

Affects Versions

>= 1.50.0

alfa-alex avatar May 03 '24 09:05 alfa-alex
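The redirect chain described in the report (POST to authorize, redirect to consent, redirect back to authorize, which answers 200 with the login form and no error) is easiest to spot in the reverse proxy's access log, since FusionAuth's own logs stay quiet. This is an added example, not code from the issue or from FusionAuth; the log lines are constructed, and the log format and the /oauth2/authorize and /oauth2/consent paths are assumptions.

```python
"""Detect the authorize -> consent -> authorize login loop in access-log lines."""
import re
from collections import defaultdict

# Combined-log-style line: client, method, path, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)

# Constructed sample: 10.0.0.5 loops twice, 10.0.0.7 completes a normal login.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2024:12:00:01 +0000] "POST /oauth2/authorize?client_id=abc HTTP/1.1" 302 0
10.0.0.5 - - [22/May/2024:12:00:01 +0000] "GET /oauth2/consent?client_id=abc HTTP/1.1" 302 0
10.0.0.5 - - [22/May/2024:12:00:02 +0000] "GET /oauth2/authorize?client_id=abc HTTP/1.1" 200 5120
10.0.0.5 - - [22/May/2024:12:00:09 +0000] "POST /oauth2/authorize?client_id=abc HTTP/1.1" 302 0
10.0.0.5 - - [22/May/2024:12:00:09 +0000] "GET /oauth2/consent?client_id=abc HTTP/1.1" 302 0
10.0.0.5 - - [22/May/2024:12:00:10 +0000] "GET /oauth2/authorize?client_id=abc HTTP/1.1" 200 5120
10.0.0.7 - - [22/May/2024:12:01:00 +0000] "POST /oauth2/authorize?client_id=abc HTTP/1.1" 302 0
10.0.0.7 - - [22/May/2024:12:01:01 +0000] "GET /app/callback?code=xyz HTTP/1.1" 302 0
"""

# The three-request signature of one failed round trip (paths assumed).
LOOP = [("POST", "/oauth2/authorize", "302"),
        ("GET", "/oauth2/consent", "302"),
        ("GET", "/oauth2/authorize", "200")]

def parse(lines):
    """Yield (client, method, path without query string, status) per matching line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["client"], m["method"], m["path"].split("?", 1)[0], m["status"]

def find_login_loops(lines, min_repeats=2):
    """Return {client: count} for clients whose request sequence shows the
    authorize->consent->authorize(200) pattern at least min_repeats times:
    credentials were submitted, no error came back, and the form was served again."""
    per_client = defaultdict(list)
    for client, method, path, status in parse(lines):
        per_client[client].append((method, path, status))
    loops = {}
    for client, seq in per_client.items():
        hits = sum(1 for i in range(len(seq) - len(LOOP) + 1) if seq[i:i + len(LOOP)] == LOOP)
        if hits >= min_repeats:
            loops[client] = hits
    return loops

if __name__ == "__main__":
    for client, n in find_login_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: login loop seen {n} times; check tenant SSO session timeout and proxy config")
```

A client that trips this check with a tenant session timeout of 0, or behind a proxy that drops the session cookie, is the situation this thread describes.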

Hi @alfa-alex, I'm sorry you're running into this issue. Would you be willing to share your kickstart file with us so we can try to reproduce what you're seeing? If so, you can either email me at andy at fusionaut.io, join our community Slack and DM it to @Andy Pai, or put it in a GitHub gist and share it with @andrewpai. Please redact any sensitive information like passwords or password hashes, API keys, PII, and anything else you deem private.

Thanks, Andy

andrewpai avatar May 06 '24 16:05 andrewpai

I have the same issue. I have debug turned on for the application, but nothing shows in the logs. I also upgraded to 1.50.1 and now the login just recycles with no errors.

PostImpatica avatar May 21 '24 18:05 PostImpatica

@PostImpatica can you please provide as much detail as you can to help us debug this?

  • what version you were moving from
  • what db you use
  • which application you are trying to log in to
  • how you are hosting
  • anything else you can think of

And as Andy added, if you can share a kickstart file on how you set up FusionAuth, that's super helpful.

mooreds avatar May 21 '24 18:05 mooreds

Locally on my own computer I got our flagship application working with your latest bundled docker fusionauth at the time, running 1.48.3.

Now that I have everything working locally, it was time to get this same docker environment working in Azure, so I set up an Ubuntu 20.04 server VM and installed docker on it, then I deployed your latest docker bundle for fusionauth using these commands:

curl -fsSL https://raw.githubusercontent.com/FusionAuth/fusionauth-containers/master/docker/fusionauth/docker-compose.yml > docker-compose.yml &&
curl -fsSL https://raw.githubusercontent.com/FusionAuth/fusionauth-containers/master/docker/fusionauth/.env > .env &&
docker compose up -d

What is strange is that I get the login provided by fusionauth and I try to log in, but the same screen comes back up, and even though I have debug set to enabled for the application I'm trying to log in to, nothing shows in the events log. I've noticed that the "Login Records" does show my user apparently logging in successfully, or at least I assume those logs mean "success" because they don't say.

Sorry, I never used kickstart.

PostImpatica avatar May 21 '24 18:05 PostImpatica

Hey folks, one question. What is the value of the SSO session length (under Tenants -> OAuth)?

mooreds avatar May 22 '24 17:05 mooreds

I got with support and they fixed it by having me change the session timeout to 30 (it was zero) in the tenant config. Sorry for the cross post.

PostImpatica avatar May 22 '24 17:05 PostImpatica

Thanks @PostImpatica. We've just merged a fix warning folks about setting session timeout too low: https://github.com/FusionAuth/fusionauth-site/pull/3083

We're discussing other ways to mitigate this as well.

mooreds avatar May 22 '24 19:05 mooreds

Hey folks, one question. What is the value of the SSO session length (under Tenants -> OAuth)?

Mine is 3600 seconds.

alfa-alex avatar May 27 '24 06:05 alfa-alex

We finally found out that our issues were caused by a proxy misconfiguration. So the original problem is now solved for me. Sorry for the troubles caused and huge thanks to @andrewpai for your efforts and your support!

Since there appears to have been a similar issue for other users for which a mitigation exists (namely not setting the session timeout to 0), it seems to me like this issue can now be closed. Unless you want to wait until you have other ways to mitigate the issue (as mentioned in https://github.com/FusionAuth/fusionauth-issues/issues/2736#issuecomment-2125586582).

alfa-alex avatar Aug 14 '24 14:08 alfa-alex

Documentation:

  • [x] Update tenant API to account for new TTL config
  • [x] Update tenant UI doc with new config
  • [x] Anything else?

robotdan avatar Sep 04 '24 23:09 robotdan

Internal:

  • https://github.com/FusionAuth/fusionauth-app/pull/452

robotdan avatar Sep 06 '24 02:09 robotdan