
The authorization state [state=HA-xxxxxxxxxxx] of this page is either invalid or has already been consumed.

Open holzi1005 opened this issue 2 years ago • 7 comments

At some point, we sometimes get this error when a user tries to log in via the Social Login Plugin and OpenID Connect to the Keycloak Server. Before updating Nextcloud from 24 to 25, the login worked without problems. We tried it with Chrome, Edge, and Firefox. The result is the same.

The authorization state [state=HA-xxxxxxxxxxx] of this page is either invalid or has already been consumed.

holzi1005 avatar Jan 04 '23 09:01 holzi1005

Something with your cookies

zorn-v avatar Jan 15 '23 18:01 zorn-v

I was seeing this with Discord, but I logged out and back into Discord and the error message went away. So yeah, something with your cookies.

kousu avatar Jan 24 '23 05:01 kousu

I don't have anything useful to add, but more than once a week someone in my org is hitting this. It's intermittent. It seems to be that certain browsers get jammed with an invalid state and can't give it up, so it's something more-than-spurious. I'm walking people through clearing their cookies but that's a lot for some people to work through. I wish I knew how to make it more reliable.

https://github.com/zorn-v/nextcloud-social-login/issues/306 sounds like it might have been the same, but the resolution there was "apache misconfiguration". I wonder what that was. I'm using nginx; is it possible I have some nginx setting set in some way that's annoying php/nextcloud/hybridauth?

https://github.com/hybridauth/hybridauth/issues/1301 sounds like exactly the symptoms I'm seeing, so, yes, "something with your cookies" is maybe the most immediate cause, but "hybridauth is a bit flakey" seems like a more likely explanation to me at the moment.

EDIT: I have a potential fix in https://github.com/zorn-v/nextcloud-social-login/pull/398

kousu avatar Feb 28 '23 04:02 kousu
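
A minimal model of single-use OAuth2/OIDC `state` checking, added here as an illustration and not taken from hybridauth or the Social Login app: it shows three ways a callback can end in the "invalid or already consumed" condition from the error message. `SessionStore`, the cookie names and the function names are assumptions made for the example.

```python
import hmac
import secrets

class StateError(Exception):
    pass

class SessionStore:
    """Constructed stand-in for server-side sessions keyed by session cookie."""
    def __init__(self):
        self._data = {}

    def session(self, cookie):
        # No cookie on the request means a brand-new, empty session.
        if cookie is None:
            return {}
        return self._data.setdefault(cookie, {})

def begin_login(store, cookie):
    """Start a login: mint a state, remember it in the session, return it."""
    state = "HA-" + secrets.token_hex(16).upper()
    store.session(cookie)["authorization_state"] = state
    return state

def handle_callback(store, cookie, state):
    """Accept the callback only if state matches the session's, then consume it."""
    session = store.session(cookie)
    stored = session.get("authorization_state")
    if stored is None or not hmac.compare_digest(stored.encode(), state.encode()):
        raise StateError("invalid or already consumed")
    del session["authorization_state"]  # single use
    return "ok"

def outcome(store, cookie, state):
    try:
        return handle_callback(store, cookie, state)
    except StateError as exc:
        return str(exc)

def scenarios():
    store = SessionStore()
    results = {}
    s = begin_login(store, "cookie-A")
    results["normal"] = outcome(store, "cookie-A", s)
    results["callback repeated"] = outcome(store, "cookie-A", s)
    s = begin_login(store, "cookie-B")
    results["cookie not sent on callback"] = outcome(store, None, s)
    old = begin_login(store, "cookie-C")
    begin_login(store, "cookie-C")  # second attempt overwrites the stored state
    results["stale state from earlier attempt"] = outcome(store, "cookie-C", old)
    return results
```

When triaging a report, checking whether the session cookie arrived on the callback request and whether the callback URL was requested more than once separates these cases.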

A bit of new information: this has happened three times now on account creation. That is, the first time someone logs in, they get this error and aren't able to log in, but in https://nextcloud.example.com/settings/users I can see their new accounts and I get an email notice about the new account.

I'm not sure what that means but it'll help zero in on the reproducing, maybe.

kousu avatar Mar 15 '23 21:03 kousu

Any chance of updating the hybridauth dependency?

czqrny avatar Oct 19 '23 21:10 czqrny

3.11 not released yet

zorn-v avatar Oct 21 '23 02:10 zorn-v

I currently have an issue: after I updated to Nextcloud v29.0.3, I get the same error, but explicitly only from iOS devices.

{ "reqId": "gzgNYkxXROSvrET5hg92", "level": 0, "time": "2024-07-17T20:41:24+00:00", "remoteAddr": "46.114.94.171", "user": "--", "app": "no app in context", "method": "GET", "url": "/apps/sociallogin/custom_oidc/sso?state=HA-xxxxxxMPWQ1HNYLCVSAI6UX9354K2G7DR&session_state=3625692b-ac46-44bf-a380-8c05af4a17fb&iss=https%3A%2F%2Fxxxx.de%2Frealms%2xx&code=f375d78c-a357-xxxx-8f4d-7aefb2fb561e.3625692b-ac46-44bf-a380-8c05af4a17fb.237xxxx-6177-4fad-8210-3863e72d70b0", "message": "dirty table reads: SELECT * FROMPREFIXauthtokenWHEREuid= :dcValue1 ORDER BYidASC LIMIT 1", "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1", "version": "29.0.3.4", "exception": { "Exception": "Exception", "Message": "dirty table reads: SELECT * FROMPREFIXauthtokenWHEREuid= :dcValue1 ORDER BYidASC LIMIT 1", "Code": 0, "Trace": [ { "file": "/var/www/html/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php", "line": 344, "function": "executeQuery", "class": "OC\\DB\\Connection", "type": "->", "args": [ "SELECT * FROMPREFIXauthtokenWHEREuid= :dcValue1 ORDER BYidASC LIMIT 1", ["*** sensitive parameters replaced ***"], [2], "*** sensitive parameters replaced ***" ] }, { "file": "/var/www/html/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php", "line": 384, "function": "executeQuery", "class": "Doctrine\\DBAL\\Query\\QueryBuilder", "type": "->", "args": [] }, { "file": "/var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php", "line": 280, "function": "execute", "class": "Doctrine\\DBAL\\Query\\QueryBuilder", "type": "->", "args": [] }, { "file": "/var/www/html/lib/private/DB/QueryBuilder/QueryBuilder.php", "line": 293, "function": "execute", "class": "OC\\DB\\QueryBuilder\\QueryBuilder", "type": "->", "args": [] }, { "file": "/var/www/html/lib/private/Authentication/Token/PublicKeyTokenMapper.php", "line": 259, "function": "executeQuery", "class": "OC\\DB\\QueryBuilder\\QueryBuilder", "type": "->", 
"args": [] }, { "file": "/var/www/html/lib/private/Authentication/Token/PublicKeyTokenProvider.php", "line": 123, "function": "getFirstTokenForUser", "class": "OC\\Authentication\\Token\\PublicKeyTokenMapper", "type": "->", "args": ["*** sensitive parameters replaced ***"] }, { "file": "/var/www/html/lib/private/Authentication/Token/Manager.php", "line": 71, "function": "generateToken", "class": "OC\\Authentication\\Token\\PublicKeyTokenProvider", "type": "->", "args": ["*** sensitive parameters replaced ***"] }, { "file": "/var/www/html/lib/private/User/Session.php", "line": 709, "function": "generateToken", "class": "OC\\Authentication\\Token\\Manager", "type": "->", "args": ["*** sensitive parameters replaced ***"] }, { "file": "/var/www/html/custom_apps/sociallogin/lib/Service/ProviderService.php", "line": 614, "function": "createSessionToken", "class": "OC\\User\\Session", "type": "->", "args": ["*** sensitive parameters replaced ***"] }, { "file": "/var/www/html/custom_apps/sociallogin/lib/Service/ProviderService.php", "line": 466, "function": "login", "class": "OCA\\SocialLogin\\Service\\ProviderService", "type": "->", "args": ["*** sensitive parameters replaced ***"] }, { "file": "/var/www/html/custom_apps/sociallogin/lib/Service/ProviderService.php", "line": 301, "function": "auth", "class": "OCA\\SocialLogin\\Service\\ProviderService", "type": "->", "args": [ "OCA\\SocialLogin\\Provider\\CustomOpenIDConnect", [ "https://cloud.partei-des-fortschritts.de/apps/sociallogin/custom_oidc/sso", "", "openid", ["nextcloud", "4f432303-2f6e-4e81-aaf9-xxxxxx"], [ "https://xxx.de/realms/xx/protocol/openid-connect/auth", "https://xxx.de/realms/xx/protocol/openid-connect/token", "https://xxx.de/realms/xx/protocol/openid-connect/userinfo" ], "", "nextcloud-roles", [ "xx", "xx", "xx", "xx", "xx", "xx", "xx", "xx", "xx" ], "" ], "sso" ] }, { "file": "/var/www/html/custom_apps/sociallogin/lib/Controller/LoginController.php", "line": 41, "function": "handleCustom", "class": 
"OCA\\SocialLogin\\Service\\ProviderService", "type": "->", "args": ["custom_oidc", "sso"] }, { "file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php", "line": 232, "function": "custom", "class": "OCA\\SocialLogin\\Controller\\LoginController", "type": "->", "args": ["custom_oidc", "sso"] }, { "file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php", "line": 138, "function": "executeController", "class": "OC\\AppFramework\\Http\\Dispatcher", "type": "->", "args": [["OCA\\SocialLogin\\Controller\\LoginController"], "custom"] }, { "file": "/var/www/html/lib/private/AppFramework/App.php", "line": 184, "function": "dispatch", "class": "OC\\AppFramework\\Http\\Dispatcher", "type": "->", "args": [["OCA\\SocialLogin\\Controller\\LoginController"], "custom"] }, { "file": "/var/www/html/lib/private/Route/Router.php", "line": 338, "function": "main", "class": "OC\\AppFramework\\App", "type": "::", "args": [ "OCA\\SocialLogin\\Controller\\LoginController", "custom", ["OC\\AppFramework\\DependencyInjection\\DIContainer"], ["custom_oidc", "sso", "sociallogin.login.custom"] ] }, { "file": "/var/www/html/lib/base.php", "line": 1050, "function": "match", "class": "OC\\Route\\Router", "type": "->", "args": ["/apps/sociallogin/custom_oidc/sso"] }, { "file": "/var/www/html/index.php", "line": 49, "function": "handleRequest", "class": "OC", "type": "::", "args": [] } ], "File": "/var/www/html/lib/private/DB/Connection.php", "Line": 316, "message": "dirty table reads: SELECT * FROMPREFIXauthtokenWHEREuid= :dcValue1 ORDER BYidASC LIMIT 1", "tables": ["oc_preferences", "oc_authtoken"], "reads": ["oc_authtoken"], "exception": {}, "CustomMessage": "dirty table reads: SELECT * FROMPREFIXauthtokenWHEREuid= :dcValue1 ORDER BYidASC LIMIT 1" } }

My IdP then returns the error that the user is already logged in.

xdubx avatar Jul 17 '24 22:07 xdubx