how to configure correct state transfer in pac4j

by

On my quest to implement an OIDC connection with pac4j (on client side)
I have hit another roadblock. It seems that the state transfer via URL is
not working or propery configured:

The auth request:

https://authserver.com/mini-sinai/auth?scope=openid profile email&response_type=code&
redirect_uri=https://client.com/jee-pac4j-demo/callback?client_name=MiniSinai&
state=e8e3b77123&nonce=vvDVEE3hv70GLUvDVG5IyaU30S6EJqsAjGHEyuUg_NA&
client_id=9d9a41d95b4907ca13ac60b0568aa3

Is returning:

302 https://client.com/jee-pac4j-demo/callback?client_name=MiniSinai&
code=TrCQCp02fodz071SdKTXisZseJFcNwWJcFs7z3772tw&state=e8e3b77123

But then the client reports this:

org.pac4j.oidc.exceptions.OidcMissingSessionStateException: State cannot be determined
    org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.lambda$extract$0(OidcCredentialsExtractor.java:118)
    java.base/java.util.Optional.orElseThrow(Optional.java:403)
    org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(OidcCredentialsExtractor.java:118)
    org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:74)
    org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:83)
    org.pac4j.demo.jee.DemoConfigFactory$MyCallbackLogic.perform(DemoConfigFactory.java:126)
    org.pac4j.jee.filter.CallbackFilter.internalFilter(CallbackFilter.java:63)
    org.pac4j.jee.config.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:92)

Which irritates me as the state is present in the callback. (Both services on the the host worked just fine, hence I assume that the state comes from the tomcat-session). Do I have to configure pac4j in a special way in order to allow state transfer via URI?

The generated state is sent to the authorize endpoint and saved into the web session.

The retrieved state on the callback URL is compared to the one retrieved from the web session.

The error: “State cannot be determined” is when you are not able to retrieved the saved state from the web session. So you might have an issue with your web session. What do you see for the JSESSIONID cookie on the HTTP requests?

Leave a Comment