Firefox login flow hits /api/login/api/v2/config/ and never leaves login page

Open bugtoo opened this issue 3 months ago • 5 comments

Summary

Firefox login flow requests /api/login/api/v2/config/ and never leaves the login page

After deploying AWX 24.6.1 via awx-operator (2.19.1) we noticed that logging in with Firefox succeeds at the HTTP layer but the UI never navigates away from /api/login/. The login banner shows “There was a problem logging in. Please try again.”, whereas the same steps in Chrome or curl work normally. Looking at the Firefox network trace, the SPA follows the next query string and attempts to GET /api/login/api/v2/config/, which the backend returns as 404. Because the page stays on /api/login, subsequent API requests inherit that prefix and the React app never transitions to the dashboard.

Steps to reproduce

  1. Navigate to the AWX UI while unauthenticated
  2. In Firefox (tested with 130.0.1 on Windows 10) submit valid credentials.
  3. Observe that the login request returns 302 but the browser stays on /api/login/ with the error banner.
  4. Open DevTools → Network: the follow-up request is GET /api/login/api/v2/config/ (404).
  5. Repeat the same steps in Chrome – the UI redirects to / and loads fine.

Expected results

  • After POSTing to /api/login/ the UI should land on / (or /home) and load the SPA.

Actual results

  • Firefox ends up on /api/login/?next=/api/login/api/v2/config/.
  • The GET to /api/login/api/v2/config/ returns 404; the React login page shows the error banner and never transitions.
  • Chrome (129) and raw curl POSTs are redirected to / or /api/ and succeed.

Logs

    2025-10-03 09:16:58,320 WARNING  [516885b586234786bb0157ccdebbd62a] django.request Not Found: /api/login/api/v2/config/
    10.42.0.1 - - [03/Oct/2025:09:16:58 +0000] "GET /api/login/api/v2/config/ HTTP/1.1" 404 179 "https://xxxxxxx.cloud/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0" "xxx.xxx.xxx.xxx"

Environment

  • AWX 24.6.1 (/api/v2/ping)
  • awx-operator 2.19.1 on k3s (single-node)
  • Firefox 130.0.1 (Windows 10 x64) – issue reproduces
  • Chrome 129.0.6668.101 (Windows 10) – works normally

Additional info

  • awx-manage print_settings TOWER_URL_BASE => 'https://xxxxxxx.cloud'
  • awx-manage print_settings LOGIN_REDIRECT_URL => '/'
  • No custom ingress rewrites in front of AWX

Happy to gather more details if needed.

bugtoo avatar Oct 03 '25 09:10 bugtoo

I do confirm this issue with Firefox and a similar architecture.

When hitting the login button awx tries to hit https://AWX_DOMAIN/api/login/api/v2/config/ and of course it fails.

When I refresh the page though, it redirects me to the homepage.

libpoet1312 avatar Oct 07 '25 12:10 libpoet1312

Experiencing the same issue here, and as libpoet1312 said a refresh of the page redirects me to the homepage.

This is not happening with Google Chrome.

francesco-furnari avatar Oct 14 '25 08:10 francesco-furnari

+1 for me with Firefox 143.0.4 (64-Bit)

thedatabaseme avatar Oct 14 '25 20:10 thedatabaseme

Seems to have been an issue with Firefox < 144 not immediately applying cookies to storage. I traced it down to a single line in the code to see where it was happening and to see if there was anything that could be done.

https://github.com/ansible/awx/blob/24.6.1/awx/ui/src/api/models/Root.js#L20

Before this line, the cookie in Chrome had userLoggedIn set to false and afterwards it was set to true. In Firefox, it wasn't set afterwards, even though the request returned the correct data and cookie response showing that we were successfully logged in. Nothing I could do would make FF pass it properly either (credentials: include, etc...).

Updating to FF 144 resolved the issue for me. So must have been an issue internally, or maybe it's just intermittent and will be back. 🤷

The issue with /api/login/api/v2/config/ has been there for a while; it's bad logic that was introduced when they allowed URL prefixing. They broke it in this commit: https://github.com/ansible/awx/commit/9009a21a329cb5b35c480fe416ce1a70717827e1

The default redirectURL used to start with a /, but now it doesn't (when you are not using prefixing). So now it is treated as a relative URL, and appended to the current URL from where it was called (so /api/login/).

My fix was to change this line https://github.com/ansible/awx/blob/24.6.1/awx/ui/src/api/models/Root.js#L14 and double check to ensure we always start with a / while still allowing for prefixing.

    const next = encodeURIComponent(
      redirect.startsWith('/')
        ? redirect
        : `${window.location.pathname.replace(/\/$/, '')}/${redirect}`
    );

cigamit avatar Oct 15 '25 05:10 cigamit
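The relative-URL behaviour described in the comment above, as an added example that is not part of the thread or of the AWX code base. It reproduces how `api/v2/config/` resolves against `/api/login/`, applies a normalisation of the same shape as the quoted fix, and goes one step further with a same-origin guard for `next` values. The origin, the `/awx/` prefix and all function names are assumptions.

```javascript
// Added illustration; ORIGIN, the /awx/ prefix and every function name are assumptions.
const ORIGIN = 'https://awx.example.test'; // constructed placeholder host

// Resolve a redirect target the way a browser does: relative to the page
// that is currently loaded (here, the login endpoint).
function resolveAgainst(redirect, currentPath) {
  return new URL(redirect, ORIGIN + currentPath).pathname;
}

// Same shape as the fix quoted above: absolute paths pass through, relative
// ones are anchored to the path the app is served from (trailing slash dropped).
function normaliseNext(redirect, appPath) {
  return redirect.startsWith('/')
    ? redirect
    : `${appPath.replace(/\/$/, '')}/${redirect}`;
}

// Extra guard, not discussed in the thread: accept only a path on our own
// origin, so a `next` value can never point at another host.
function isSameOriginPath(candidate) {
  if (!candidate.startsWith('/') || candidate.startsWith('//')) return false;
  if (candidate.includes('\\')) return false; // browsers treat "\" like "/"
  try {
    return new URL(candidate, ORIGIN).origin === ORIGIN;
  } catch (err) {
    return false;
  }
}

function demo() {
  const rel = 'api/v2/config/'; // default redirect without a leading slash
  return {
    // Relative target resolved on the login page: the 404 path from the logs.
    broken: resolveAgainst(rel, '/api/login/'),
    // App served from "/": the normalised target is absolute and stays put.
    fixedRoot: resolveAgainst(normaliseNext(rel, '/'), '/api/login/'),
    // App served from an assumed "/awx/" prefix: the prefix is preserved.
    fixedPrefixed: resolveAgainst(normaliseNext(rel, '/awx/'), '/awx/api/login/'),
  };
}

console.log(demo());
```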

I was having this issue in my self-hosted microk8s cluster. I was using the defaults for the image tags for the awx-operator. I recently went on an upgrade binge and discovered a much newer awx-operator tag. The default was 1.17.2. The most recent one I found is 2.19.1.

After upgrading the awx-operator, I'm no longer seeing this behaviour any more. The login is still a little odd, redirecting through seeing the auth'd UI, back to login, back to auth'd UI again. But, it does work for me.

I see that people are having the issue with the 2.19.1 image, though 🤷

pgmac avatar Oct 15 '25 23:10 pgmac