
[chrome bug] CSRF Warning! State not equal in request and response. #334

Closed
andrewzah opened this issue Apr 1, 2021 · 8 comments

@andrewzah

Describe the bug

When logging in via OIDC, an error occurs, CSRF Warning! State not equal in request and response. This only happens on chrome/chromium. It does not happen on firefox.

Specifically, chrome 89.0.4389.114, firefox 78.8.0esr, and chromium 88.0.4324.182. And on mac/linux.

Error Stacks

Something bad has happened.
Please consider letting us know by creating a bug report using GitHub.
Python version: 3.8.6
Airflow version: 2.0.1
Node: airflow-5cfb6496fd-zkjm2
-------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/abc/.local/lib/python3.8/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/abc/.local/lib/python3.8/site-packages/flask_appbuilder/security/views.py", line 681, in oauth_authorized
    resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/flask_client/remote_app.py", line 74, in authorize_access_token
    params = self.retrieve_access_token_params(flask_req, request_token)
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 145, in retrieve_access_token_params
    params = self._retrieve_oauth2_access_token_params(request, params)
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 126, in _retrieve_oauth2_access_token_params
    raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.

To Reproduce

We are using Keycloak to login via OIDC with Airflow, which apparently uses flask/authlib.

Environment:

Docker

  • OS: debian bullseye slim
  • Python Version: 3.8
  • Authlib Version: 0.15.3

@syucream

syucream commented Apr 5, 2021

I got the same issue with Chrome 89.0.4389.114, Airflow 2.0.1 and Authlib 0.15.3

@andrewzah
Author

andrewzah commented Aug 5, 2021

Any plans for looking into this? This also occurs if we use LDAP.

@lepture
Owner

lepture commented Aug 6, 2021

This is fixed in Authlib 1.0.0a2. I'll fix it in 0.15 then.

@dnskr

dnskr commented Aug 19, 2021

I reproduced the issue with Authlib 1.0.0a2 #376 (comment)

@lepture
Owner

lepture commented Mar 18, 2022

fixed in 1.0.0

@sm-Fifteen

I'm currently getting this error with Authlib 1.1 (Starlette/FastAPI integration), but only in Chrome, not in Firefox, and not on all the servers I have this application deployed on.

I'm not sure how Airflow does it, but Starlette only supports storing session data in a client-side session cookie. In my case, this error seems to come from Chrome sometimes not acknowledging the set-cookie header that updates the session data during the authorize_redirect step and still sending the old value to the callback route. It's a painfully tricky issue to debug, but it may not be Authlib's fault.

@sm-Fifteen

sm-Fifteen commented Jan 27, 2023

Ok, so the session data from authorize_redirect may get overwritten in Chrome if an API route (called via JS) returns set-cookie after the browser has already navigated to the authorization/login form, meaning the OAuth session data (depending on how the server stores it, but especially if it's stored as a signed object in a session cookie) may have vanished from the session by the time the user has finished filling in the form. This means it's technically not an Authlib bug, it's sort of an application bug (some could argue it's a bug with Chrome, but it's unclear to me whether this is intended behavior or not) and I've personally started a discussion on encode/starlette#2018 about it.

If anyone is still running into this issue with Apache Airflow, you would need to report it to them or to whatever middleware they are using for OAuth.
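The clobbering described in the comment above, as an added simulation that is not code from Authlib, Starlette or Airflow: the signed session cookie is replaced by plain JSON, the browser is a dict-backed cookie jar, and the provider name, callback URL and the dedicated `oauth_state` cookie used as one possible mitigation are this example's own assumptions.

```python
import json
import secrets


class MismatchingStateError(Exception):
    """Stand-in for authlib's mismatching_state error."""


class Browser:
    """Minimal cookie jar: every Set-Cookie replaces the cookie's whole value."""

    def __init__(self):
        self.cookies = {}

    def set_cookie(self, name, value):
        self.cookies[name] = value

    def cookie(self, name, default="{}"):
        return self.cookies.get(name, default)


def authorize_redirect(browser, provider, cookie_name="session"):
    """Store a fresh OAuth state in the session cookie (JSON instead of a signed
    blob) and return the state that would go into the authorization URL."""
    data = json.loads(browser.cookie(cookie_name))
    state = secrets.token_urlsafe(16)
    data[f"_state_{provider}_{state}"] = {"redirect_uri": "https://app.example/callback"}
    browser.set_cookie(cookie_name, json.dumps(data))
    return state


def oauth_callback(browser, provider, state, cookie_name="session"):
    """Authlib-style check: the state echoed back by the IdP must be in the session."""
    data = json.loads(browser.cookie(cookie_name))
    key = f"_state_{provider}_{state}"
    if key not in data:
        raise MismatchingStateError("CSRF Warning! State not equal in request and response.")
    return data[key]


def login_flow(browser, provider="keycloak", race=False, state_cookie="session"):
    """Return True on a successful login, or the error text if the state check fails.
    race=True replays a Set-Cookie from a JS API call whose session snapshot was
    taken before authorize_redirect wrote the state, landing while the user is
    still on the IdP login form."""
    stale_snapshot = browser.cookie("session")
    state = authorize_redirect(browser, provider, state_cookie)
    if race:
        browser.set_cookie("session", stale_snapshot)  # stale write wipes the state
    try:
        oauth_callback(browser, provider, state, state_cookie)
        return True
    except MismatchingStateError as exc:
        return str(exc)
```

Keeping the OAuth state in its own cookie (`state_cookie="oauth_state"`) survives the race only because unrelated responses never rewrite that cookie; a server-side session store that writes back only changed keys is the other option the comment alludes to.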

@andrewzah
Author

For anyone running into this, this fixed it. It previously was set to None:

[webserver]
cookie_samesite = Lax
