Another Stale Request Post

Jason Rotunno jrotunno at swarthmore.edu
Sat Nov 12 01:24:41 UTC 2022 

I should have added that I looked at posts by others who have had similar
issues and for them it seems to have been SameSite. I'll need to read up on
that but based on the little I know so far, I wouldn't think it would
affect only a single SP, would it?

Jason


On Fri, Nov 11, 2022 at 11:39 AM Jason Rotunno <jrotunno at swarthmore.edu>
wrote:

> So we have a service provider that uses CAS to authenticate against our
> Shib 4 instance. Apparently, it stopped working sometime over the summer
> but the users only just now got around to reporting it to us:
>
>    1. Users browse to the SP, click the login link, and are redirected to
>    our IdP.
>    2. They perform password authentication, are redirected to Duo, and
>    authenticate via a push
>    3. They're then redirected back to Shib. At this point the stale
>    request error appears.
>
> The logs show what I'm sure many of us have seen before:
>
> 2022-11-11 10:54:10,956 - ERROR
> [net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
> [104.16.99.52] -
> net.shibboleth.idp.authn.ExternalAuthenticationException: Error retrieving
> flow conversation
> at
> net.shibboleth.idp.authn.ExternalAuthentication.getProfileRequestContext(ExternalAuthentication.java:227)
> Caused by:
> org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:
> No flow execution could be found with key 'e2s2' -- perhaps this executing
> flow has ended or expired? This could happen if your users are relying on
> browser history (typically via the back button) that references ended flows.
> at
> org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
> Caused by:
> org.springframework.webflow.conversation.NoSuchConversationException: No
> conversation could be found with id '2' -- perhaps this conversation has
> ended?
> at
> org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
>
>
> I turned up logging for spring and noticed this:
>
> 2022-11-11 11:02:22,342 - DEBUG
> [org.springframework.web.servlet.DispatcherServlet:119] - [104.16.99.52] - *GET
> "/idp/profile/Authn/Duo/2FA/duo-callback?state=<something>&code=<other>",
> parameters={masked}*
> 2022-11-11 11:02:22,342 - DEBUG
> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping:114] -
> [104.16.99.52] - *No flow mapping found for request with URI
> '/idp/profile/Authn/Duo/2FA/duo-callback'*
> 2022-11-11 11:02:22,342 - DEBUG
> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:522]
> - [104.16.99.52] - Mapped to
> net.shibboleth.idp.plugin.authn.duo.impl.DuoOIDCAuthnController#authorizationCallback(HttpServletRequest,
> HttpServletResponse)
> 2022-11-11 11:02:22,342 - DEBUG
> [org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository:106]
> - [104.16.99.52] - Getting flow execution with key 'e5s3'
> 2022-11-11 11:02:22,342 - ERROR
> [net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
> [104.16.99.52] -
> 2022-11-11 11:02:22,342 - DEBUG
> [org.springframework.web.servlet.DispatcherServlet:1349] - [104.16.99.52] -
> Using resolved error view: ModelAndView [view="error";
> model={exception=net.shibboleth.idp.authn.ExternalAuthenticationException:
> Error retrieving flow conversation,
> request=org.apache.catalina.connector.RequestFacade at 1328262b,
> encoder=class net.shibboleth.utilities.java.support.codec.HTMLEncoder,
> springContext=Root WebApplicationContext, started on Wed Oct 26 14:18:57
> EDT 2022, response=org.apache.catalina.connector.ResponseFacade at 35a01e83}]
> 2022-11-11 11:02:22,342 - DEBUG
> [org.springframework.web.servlet.DispatcherServlet:1131] - [104.16.99.52] -
> Completed 200 OK
>
>
> This happens during every login attempt, in Firefox and Chrome, and on
> Windows and Linux. I'm at a loss so I'm hoping someone can provide some
> help.
>
> Thanks,
> Jason
>
> --
>
> Jason Rotunno
> System & Security Administrator
> Swarthmore College
> 500 College Ave
> Swarthmore, PA 19081
> 610.328.8505
>
> *VERIFY before you click!!*
>   - Attackers make their emails look like they come from someone they don't.
>   - Attackers make links look like they go to websites they don't.
>   - Attackers disguise malware as receipts, invoices, faxes, etc.
>
> Forward suspicious emails to phishing at swarthmore.edu.
>
>

-- 

Jason Rotunno
System & Security Administrator
Swarthmore College
500 College Ave
Swarthmore, PA 19081
610.328.8505

*VERIFY before you click!!*
  - Attackers make their emails look like they come from someone they don't.
  - Attackers make links look like they go to websites they don't.
  - Attackers disguise malware as receipts, invoices, faxes, etc.

Forward suspicious emails to phishing at swarthmore.edu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20221111/36325db7/attachment.htm>

More information about the users mailing list