Another Stale Request Post

Jason Rotunno jrotunno at swarthmore.edu
Fri Nov 11 16:39:01 UTC 2022


So we have a service provider that uses CAS to authenticate against our
Shib 4 instance. Apparently, it stopped working sometime over the summer
but the users only just now got around to reporting it to us:

   1. Users browse to the SP, click the login link, and are redirected to
   our IdP.
   2. They perform password authentication, are redirected to Duo, and
   authenticate via a push.
   3. They're then redirected back to Shib. At this point the stale request
   error appears.

The logs show what I'm sure many of us have seen before:

2022-11-11 10:54:10,956 - ERROR
[net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
[104.16.99.52] -
net.shibboleth.idp.authn.ExternalAuthenticationException: Error retrieving
flow conversation
at
net.shibboleth.idp.authn.ExternalAuthentication.getProfileRequestContext(ExternalAuthentication.java:227)
Caused by:
org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:
No flow execution could be found with key 'e2s2' -- perhaps this executing
flow has ended or expired? This could happen if your users are relying on
browser history (typically via the back button) that references ended flows.
at
org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
Caused by:
org.springframework.webflow.conversation.NoSuchConversationException: No
conversation could be found with id '2' -- perhaps this conversation has
ended?
at
org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)


I turned up logging for Spring and noticed this:

2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:119] - [104.16.99.52] - *GET
"/idp/profile/Authn/Duo/2FA/duo-callback?state=<something>&code=<other>",
parameters={masked}*
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.webflow.mvc.servlet.FlowHandlerMapping:114] -
[104.16.99.52] - *No flow mapping found for request with URI
'/idp/profile/Authn/Duo/2FA/duo-callback'*
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:522]
- [104.16.99.52] - Mapped to
net.shibboleth.idp.plugin.authn.duo.impl.DuoOIDCAuthnController#authorizationCallback(HttpServletRequest,
HttpServletResponse)
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository:106]
- [104.16.99.52] - Getting flow execution with key 'e5s3'
2022-11-11 11:02:22,342 - ERROR
[net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
[104.16.99.52] -
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:1349] - [104.16.99.52] -
Using resolved error view: ModelAndView [view="error";
model={exception=net.shibboleth.idp.authn.ExternalAuthenticationException:
Error retrieving flow conversation,
request=org.apache.catalina.connector.RequestFacade at 1328262b, encoder=class
net.shibboleth.utilities.java.support.codec.HTMLEncoder, springContext=Root
WebApplicationContext, started on Wed Oct 26 14:18:57 EDT 2022,
response=org.apache.catalina.connector.ResponseFacade at 35a01e83}]
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:1131] - [104.16.99.52] -
Completed 200 OK


This happens during every login attempt, in Firefox and Chrome, and on
Windows and Linux. I'm at a loss so I'm hoping someone can provide some
help.

Thanks,
Jason

-- 

Jason Rotunno
System & Security Administrator
Swarthmore College
500 College Ave
Swarthmore, PA 19081
610.328.8505
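
An added triage example, not part of the original post and not Shibboleth or Duo plugin code: it re-joins the wrapped log records quoted in the message and lists each Duo callback that ended in the ExternalAuthenticationException, together with the flow execution key that was looked up. The record layout is inferred from the lines in the post; the function names and the per-client correlation are assumptions of this example.

```python
import re

# Constructed sample: records from the post, wrapped as mailed; the layout is inferred from them.
SAMPLE = """\
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:119] - [104.16.99.52] - *GET
"/idp/profile/Authn/Duo/2FA/duo-callback?state=<something>&code=<other>",
parameters={masked}*
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository:106]
- [104.16.99.52] - Getting flow execution with key 'e5s3'
2022-11-11 11:02:22,342 - ERROR
[net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
[104.16.99.52] -
2022-11-11 11:02:22,342 - DEBUG
[org.springframework.web.servlet.DispatcherServlet:1131] - [104.16.99.52] -
Completed 200 OK
"""

START = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} - [A-Z]+\b")
RECORD = re.compile(r"(?P<ts>\S+ \S+) - (?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - "
                    r"\[(?P<client>[^\]]+)\] -\s*(?P<msg>.*)", re.S)
FLOW_KEY = re.compile(r"Getting flow execution with key '(e\d+s\d+)'")

def records(text):
    """Re-join wrapped lines into one dict per log record."""
    chunks = []
    for line in text.splitlines():
        if START.match(line):
            chunks.append(line.strip())
        elif chunks and line.strip():
            chunks[-1] += " " + line.strip()
    return [m.groupdict() for m in map(RECORD.fullmatch, chunks) if m]

def failed_duo_callbacks(text):
    """List (client, timestamp, flow key) for Duo callbacks that hit the error."""
    # Assumption: a request's records are contiguous per client address.
    pending, failures = {}, []
    for r in records(text):
        if "/Authn/Duo/2FA/duo-callback" in r["msg"]:
            pending[r["client"]] = [r["ts"], None]
        elif r["client"] in pending:
            key = FLOW_KEY.search(r["msg"])
            if key:
                pending[r["client"]][1] = key.group(1)
            elif r["level"] == "ERROR" and "ExternalAuthenticationException" in r["logger"]:
                failures.append((r["client"], *pending.pop(r["client"])))
            elif r["msg"].startswith("Completed"):
                del pending[r["client"]]
    return failures
```

Run over a full idp-process.log, the returned flow keys can be compared with the keys logged when each login flow started, and the client column shows which address the IdP recorded for the callback.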
