
Poor handling of `data length is less than nonce size`

Open jsoref opened this issue 2 years ago • 11 comments

Checklist:

  • [x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • [x] I've included steps to reproduce the bug.
  • [x] I've pasted the output of argocd version.

Describe the bug

I was trying to visit argocd while it was upgrading from an older version after having not visited it in a bit.

I got the login page and clicked the button to log in via GitHub.

My browser was redirected to a top level page of the form:

argourl/auth/callback?code=code&state=state

The initial message had an error (I can't recall the error).

I tried reloading the page and then got a page with: data length is less than nonce size

To Reproduce

  1. Don't use argocd in the browser for a while (to ensure login credentials have expired)
  2. Trigger an upgrade of argocd
  3. Visit argocd
  4. Trigger the oauth login flow
  5. Get sent back to argocd
  6. See an error
  7. Reload the page
  8. Get another error

Expected behavior

Ideally users would get a pretty error page with access to the various login buttons

Screenshots

image

Version

{
    "Version": "v2.3.2+ecc2af9",
    "BuildDate": "2022-03-23T00:40:57Z",
    "GitCommit": "ecc2af9dcaa12975e654cde8cbbeaffbb315f75c",
    "GitTreeState": "clean",
    "GoVersion": "go1.17.6",
    "Compiler": "gc",
    "Platform": "linux/amd64",
    "KsonnetVersion": "v0.13.1",
    "KustomizeVersion": "v4.4.1 2021-11-11T23:36:27Z",
    "HelmVersion": "v3.8.0+gd141386",
    "KubectlVersion": "v0.23.1",
    "JsonnetVersion": "v0.18.0"
}

Logs

Paste any relevant application logs here.

jsoref avatar Apr 12 '22 12:04 jsoref

Looks like a temporary issue, did you refresh and try again?

rishabh625 avatar Apr 13 '22 04:04 rishabh625

I'm not interested in that. I want the error page changed.

jsoref avatar Apr 13 '22 04:04 jsoref

Still an issue

Tarasovych avatar Jul 28 '22 17:07 Tarasovych

Getting the same error using AWS Cognito with AWS SSO as SAML provider.

schmiman avatar Aug 11 '22 04:08 schmiman

Error: https://github.com/argoproj/argo-cd/blob/fd8ecf49b2ad2acc5227c8a899354e39a7b51ea1/util/crypto/crypto.go#L43-L54

Caller: https://github.com/argoproj/argo-cd/blob/fd8ecf49b2ad2acc5227c8a899354e39a7b51ea1/util/oidc/oidc.go#L181-L192

Not entirely certain about the caller, it's one of these two:

https://github.com/argoproj/argo-cd/blob/fd8ecf49b2ad2acc5227c8a899354e39a7b51ea1/util/oidc/oidc.go#L321-L342

https://github.com/argoproj/argo-cd/blob/fd8ecf49b2ad2acc5227c8a899354e39a7b51ea1/util/oidc/oidc.go#L422-L433

In any case, the fix would be to replace http.Error calls with something else....

Half a proposal: Replace them with an http.Redirect call to the login page with a query parameter containing the error. (And have the login page check for the parameter and show a toast when it's present.)

Alternate proposal: add enough code so that http.Error can render a pretty page containing the error and a link to the login page.

I don't really have a particular preference between these two approaches. The advantage of retaining http.Error is that if a non web browser is trying to follow this flow, it would get to keep the error status. In terms of code, I suspect that the go code to make a pretty html page inside http.Error would be more painful than writing handling for the login page to show the toast. But I could be wrong on all points.

jsoref avatar Aug 11 '22 04:08 jsoref
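
The redirect proposal from the comment above, sketched as an added example (not Argo CD's own code). The names `decrypt` and `callback`, the hex-encoded `state` cookie, the `sso_error` parameter and the nonce-prefixed AES-GCM layout are assumptions. A browser is sent back to the login page with a fixed error code rather than the raw error text, and a non-browser client keeps the error status.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// decrypt opens nonce||ciphertext sealed with AES-GCM (assumed layout).
func decrypt(data, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(data) >= n {
		return gcm.Open(nil, data[:n], data[n:], nil)
	}
	return nil, errors.New("data length is less than nonce size") // empty or truncated
}

// callback (hypothetical handler) validates a hex-encoded "state" cookie.
func callback(key []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var raw []byte
		if c, err := r.Cookie("state"); err == nil {
			raw, _ = hex.DecodeString(c.Value)
		}
		if _, err := decrypt(raw, key); err == nil {
			fmt.Fprint(w, "state ok")
		} else if strings.Contains(r.Header.Get("Accept"), "text/html") {
			// Browser: back to login with a fixed code, never err.Error().
			http.Redirect(w, r, "/login?sso_error=invalid_state", http.StatusSeeOther)
		} else {
			http.Error(w, err.Error(), http.StatusBadRequest) // non-browser keeps status
		}
	}
}

func main() { // serves the handler with a constructed all-zero demo key
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", callback(make([]byte, 32))))
}
```

The login page would map `sso_error` codes to messages from a fixed table, so nothing taken from the callback URL is rendered verbatim.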

Same problem with argocd v2.5.1 and GitLab as OIDC provider.

n0nvme avatar Nov 03 '22 06:11 n0nvme

We're seeing this currently with v2.5.4+86b2dde

To replicate I log out + clear cookies. Navigate to ArgoCD URL (argocd.domain.com). Click "Login with Auth0".

Error Displayed: failed to get token: oauth2: cannot fetch token: 401 Unauthorized Response: {"error":"access_denied","error_description":"Unauthorized"}

Refresh: data length is less than nonce size

If you then manually refresh to argocd.domain.com the page loads without issue.

Note: If you login via this URL: argocd.domain.com/login?return_url=https%3A%2F%2Fargocd.domain.com%2Fapplications everything seems to work.

ianchudson-caribou avatar Jun 27 '23 20:06 ianchudson-caribou

Same issue for me... I've configured ArgoCD with OIDC to log in via Azure AD and I'm getting the same error.

This method works for me:

Note:
If you login via this URL: argocd.domain.com/login?return_url=https%3A%2F%2Fargocd.domain.com%2Fapplications everything seems to work.

SavaMihai avatar Nov 12 '23 22:11 SavaMihai