
Error validating csrf cookie on single page apps [v2.2] #176

Closed
mwitkow opened this issue Sep 2, 2020 · 1 comment

mwitkow commented Sep 2, 2020

I have intermittent issues logging in on both Android Chrome and desktop Chrome with a pre-signed-up user. I am presented with a consent screen, select the user, do the flow and end up on a Not authorized page.

It may be due to #113 (CSRF rewrite), as it happens while loading Home Assistant, which fetches multiple pages (/, /service_worker.js) due to the previously cached single-page app. The logs clearly show different CSRF cookies in flight. I think the problem is quite large, because a new CSRF cookie would be set even for a favicon if any of the hosted pages was cached.

Here is a full set of debug logs, with anonymised IPs and hostnames. Note: auth.example.com is Forward Auth and home.example.com is Home Assistant.

Sep 02 11:28:49 wiregate docker[1893749]: time="2020-09-02T15:28:49Z" level=info msg="Listening on :4181"
Sep 02 11:29:00 wiregate docker[1893749]: time="2020-09-02T15:29:00Z" level=debug msg="Authenticating request" cookies="[_traefik_forward_auth_csrf=9f6923e7ba0a223fccd5644556498989]" handler=Auth host=home.example.com method=GET proto=https rule=default source_ip=A.B.C.D uri=/
Sep 02 11:29:00 wiregate docker[1893749]: time="2020-09-02T15:29:00Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_traefik_forward_auth_csrf=d3a02a410a4c83388b2b813512313db7; Path=/; Domain=example.com; Expires=Sat, 05 Sep 2020 15:29:00 GMT; HttpOnly; Secure" handler=Auth host=home.example.com login_url="https://accounts.google.com/o/oauth2/auth?client_id=ABC-tsv6stil69eb7hdc6vkedll38lhu4fc7.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Fauth.example.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=d3a02a410a4c83388b2b813512313db7%3Agoogle%3Ahttps%3A%2F%2Fhome.example.com%2F" method=GET proto=https rule=default source_ip=A.B.C.D uri=/
Sep 02 11:29:09 wiregate docker[1893749]: time="2020-09-02T15:29:09Z" level=debug msg="Handling callback" cookies="[_traefik_forward_auth_csrf=d3a02a410a4c83388b2b813512313db7]" handler=AuthCallback host=auth.example.com method=GET proto=https rule=default source_ip=A.B.C.D uri="/_oauth?state=de2eb47f98beae85dfca2e84518ff16d%3Agoogle%3Ahttps%3A%2F%2Fhome.example.com%2F&code=4%2F3wGsYEPmWKgULI-LQ_pjzxOe6ZlxOp0BJv09_M2pKYrYEwENi3aN1XU5_NUTCO37-2VBEPzbjGtBBv7yBe0y99c&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=none"
Sep 02 11:29:09 wiregate docker[1893749]: time="2020-09-02T15:29:09Z" level=warning msg="Error validating csrf cookie" csrf_cookie="_traefik_forward_auth_csrf=d3a02a410a4c83388b2b813512313db7" error="CSRF cookie does not match state" handler=AuthCallback host=auth.example.com method=GET proto=https rule=default source_ip=A.B.C.D uri="/_oauth?state=de2eb47f98beae85dfca2e84518ff16d%3Agoogle%3Ahttps%3A%2F%2Fhome.example.com%2F&code=4%2F3wGsYEPmWKgULI-LQ_pjzxOe6ZlxOp0BJv09_M2pKYrYEwENi3aN1XU5_NUTCO37-2VBEPzbjGtBBv7yBe0y99c&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=none"
Sep 02 11:29:10 wiregate docker[1893749]: time="2020-09-02T15:29:10Z" level=debug msg="Authenticating request" cookies="[_traefik_forward_auth_csrf=d3a02a410a4c83388b2b813512313db7]" handler=Auth host=auth.example.com method=GET proto=https rule=default source_ip=A.B.C.D uri=/favicon.ico
Sep 02 11:29:10 wiregate docker[1893749]: time="2020-09-02T15:29:10Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_traefik_forward_auth_csrf=1b771dbfd192ef4a07a6a60138d5d74e; Path=/; Domain=example.com; Expires=Sat, 05 Sep 2020 15:29:10 GMT; HttpOnly; Secure" handler=Auth host=auth.example.com login_url="https://accounts.google.com/o/oauth2/auth?client_id=ABC-tsv6stil69eb7hdc6vkedll38lhu4fc7.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Fauth.example.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=1b771dbfd192ef4a07a6a60138d5d74e%3Agoogle%3Ahttps%3A%2F%2Fauth.example.com%2Ffavicon.ico" method=GET proto=https rule=default source_ip=A.B.C.D uri=/favicon.ico
Sep 02 11:29:11 wiregate docker[1893749]: time="2020-09-02T15:29:11Z" level=debug msg="Authenticating request" cookies="[_traefik_forward_auth_csrf=1b771dbfd192ef4a07a6a60138d5d74e]" handler=Auth host=home.example.com method=GET proto=https rule=default source_ip=A.B.C.D uri=/service_worker.js
Sep 02 11:29:11 wiregate docker[1893749]: time="2020-09-02T15:29:11Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_traefik_forward_auth_csrf=e752e07ff3c69f390f2d96e9503d79c9; Path=/; Domain=example.com; Expires=Sat, 05 Sep 2020 15:29:11 GMT; HttpOnly; Secure" handler=Auth host=home.example.com login_url="https://accounts.google.com/o/oauth2/auth?client_id=ABC-tsv6stil69eb7hdc6vkedll38lhu4fc7.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Fauth.example.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=e752e07ff3c69f390f2d96e9503d79c9%3Agoogle%3Ahttps%3A%2F%2Fhome.example.com%2Fservice_worker.js" method=GET proto=https rule=default source_ip=A.B.C.D uri=/service_worker.js

Relevant config (ini):

# Run in separate-host configuration, issuing auth for all of *.example.com.
auth-host=auth.example.com
cookie-domain=example.com
default-provider=google

# Secret for signing cookies.
secret=TRUNCATED
csrf-cookie-name=_traefik_forward_auth_csrf
cookie-name=_traefik_auth_cookie
insecure-cookie=false
lifetime=259200

Running docker version v2.2

@thomseddon (Owner)

I believe this is related to #113 as you suggest. Thanks for #178, this has now been merged in #187 and is pegged for release in 2.3 :)
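The failure in the logs above is a cookie-jar race rather than a bug in the nonce check itself: every unauthenticated request sets a fresh `_traefik_forward_auth_csrf` cookie on `Domain=example.com`, so the second redirect (for `/service_worker.js`, or even `/favicon.ico` on the auth host) overwrites the value the first login's `state` refers to, and the first callback then fails with "CSRF cookie does not match state". The Go program below is an added example written for this page, not code from traefik-forward-auth. It replays that sequence against a simulated browser jar and contrasts the single fixed cookie name with a per-login cookie name derived from the nonce; the `_<first 6 hex chars>` suffix, the `Jar` type and the helper names are assumptions for illustration, not the project's exact implementation.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Jar stands in for a browser cookie jar. Cookies are keyed by name, so a
// Set-Cookie for a name that already exists silently replaces the old value.
// That replacement is what the issue's logs show happening.
type Jar map[string]string

const baseCookieName = "_traefik_forward_auth_csrf"

// newNonce returns 16 random bytes as 32 hex characters, the shape of the
// values in the logged csrf_cookie and state fields.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// cookieName picks the cookie used for a given nonce. With perRequest=false
// every login shares one fixed name (the v2.2 behaviour described in the
// issue). With perRequest=true the name carries a nonce-derived suffix so
// concurrent logins do not overwrite each other. The suffix scheme is an
// assumption for this example, not the project's exact implementation.
func cookieName(nonce string, perRequest bool) string {
	if perRequest {
		return baseCookieName + "_" + nonce[:6]
	}
	return baseCookieName
}

// beginLogin models the Auth handler: store a fresh nonce in the jar and
// return the state parameter that would be sent to the provider. The
// "nonce:provider:redirect" layout is the one visible in the logs.
func beginLogin(j Jar, provider, redirect string, perRequest bool) string {
	n := newNonce()
	j[cookieName(n, perRequest)] = n
	return n + ":" + provider + ":" + redirect
}

// validateCallback models the AuthCallback handler: locate the CSRF cookie
// the state refers to, compare nonces in constant time, and consume the
// cookie so a state can be redeemed only once. Returns the redirect target.
func validateCallback(j Jar, state string, perRequest bool) (string, error) {
	parts := strings.SplitN(state, ":", 3)
	if len(parts) != 3 || len(parts[0]) != 32 {
		return "", errors.New("invalid state format")
	}
	n := parts[0]
	name := cookieName(n, perRequest)
	got, ok := j[name]
	if !ok {
		return "", errors.New("missing csrf cookie")
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(n)) != 1 {
		return "", errors.New("CSRF cookie does not match state")
	}
	delete(j, name) // single use: a replayed state must not validate again
	return parts[2], nil
}

// Scenario replays the issue: "/" starts a login and, before its callback
// returns, the cached SPA requests /service_worker.js, which starts a second
// login. It returns the validation result of each callback in order.
func Scenario(perRequest bool) (firstErr, secondErr error) {
	j := Jar{}
	st1 := beginLogin(j, "google", "https://home.example.com/", perRequest)
	st2 := beginLogin(j, "google", "https://home.example.com/service_worker.js", perRequest)
	_, firstErr = validateCallback(j, st1, perRequest)
	_, secondErr = validateCallback(j, st2, perRequest)
	return firstErr, secondErr
}

func main() {
	for _, perRequest := range []bool{false, true} {
		e1, e2 := Scenario(perRequest)
		fmt.Printf("per-request cookie=%v: first=%v second=%v\n", perRequest, e1, e2)
	}
}
```

With the fixed name, the first callback fails exactly as the log's warning line does and only the last-started login survives; with a per-login name both callbacks validate. Two caveats carry over to a real deployment: the per-login cookies still need a short `Expires` so a page that fires many sub-requests does not leave dozens of them behind, and the redirect carried in `state` must be checked against the configured hosts before it is used, since the nonce check alone only proves the browser that started the login is the one finishing it.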
