Another Stale Request Post

Nate Klingenstein ndk at sudonym.me
Fri Nov 11 20:40:14 UTC 2022 

Jason,

SameSite issues would be general to the flows writ large, but if this is
the only SP that uses the CAS or Duo flows and they involve different user
routing, it could manifest as something that would affect only a single SP.

Assuming the flows are right -- and I don't know these flows well, which is
why I didn't respond -- it's a cookie issue or a stickiness/server side
state issue.  The former is more likely and SameSite can be the culprit.  I
would definitely start the investigation there.

Good luck,
Nate

On Fri, Nov 11, 2022 at 1:25 PM Jason Rotunno via users <
users at shibboleth.net> wrote:

> I should have added that I looked at posts by others who have had similar
> issues and for them it seems to have been SameSite. I'll need to read up on
> that but based on the little I know so far, I wouldn't think it would
> affect only a single SP, would it?
>
> Jason
>
>
> On Fri, Nov 11, 2022 at 11:39 AM Jason Rotunno <jrotunno at swarthmore.edu>
> wrote:
>
>> So we have a service provider that uses CAS to authenticate against our
>> Shib 4 instance. Apparently, it stopped working sometime over the summer
>> but the users only just now got around to reporting it to us:
>>
>>    1. Users browse to the SP, click the login link, and are redirected
>>    to our IdP.
>>    2. They perform password authentication, are redirected to Duo, and
>>    authenticate via a push
>>    3. They're then redirected back to Shib. At this point the stale
>>    request error appears.
>>
>> The logs show what I'm sure many of us have seen before:
>>
>> 2022-11-11 10:54:10,956 - ERROR
>> [net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
>> [104.16.99.52] -
>> net.shibboleth.idp.authn.ExternalAuthenticationException: Error
>> retrieving flow conversation
>> at
>> net.shibboleth.idp.authn.ExternalAuthentication.getProfileRequestContext(ExternalAuthentication.java:227)
>> Caused by:
>> org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:
>> No flow execution could be found with key 'e2s2' -- perhaps this executing
>> flow has ended or expired? This could happen if your users are relying on
>> browser history (typically via the back button) that references ended flows.
>> at
>> org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
>> Caused by:
>> org.springframework.webflow.conversation.NoSuchConversationException: No
>> conversation could be found with id '2' -- perhaps this conversation has
>> ended?
>> at
>> org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
>>
>>
>> I turned up logging for spring and noticed this:
>>
>> 2022-11-11 11:02:22,342 - DEBUG
>> [org.springframework.web.servlet.DispatcherServlet:119] - [104.16.99.52] - *GET
>> "/idp/profile/Authn/Duo/2FA/duo-callback?state=<something>&code=<other>",
>> parameters={masked}*
>> 2022-11-11 11:02:22,342 - DEBUG
>> [org.springframework.webflow.mvc.servlet.FlowHandlerMapping:114] -
>> [104.16.99.52] - *No flow mapping found for request with URI
>> '/idp/profile/Authn/Duo/2FA/duo-callback'*
>> 2022-11-11 11:02:22,342 - DEBUG
>> [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping:522]
>> - [104.16.99.52] - Mapped to
>> net.shibboleth.idp.plugin.authn.duo.impl.DuoOIDCAuthnController#authorizationCallback(HttpServletRequest,
>> HttpServletResponse)
>> 2022-11-11 11:02:22,342 - DEBUG
>> [org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository:106]
>> - [104.16.99.52] - Getting flow execution with key 'e5s3'
>> 2022-11-11 11:02:22,342 - ERROR
>> [net.shibboleth.idp.authn.ExternalAuthenticationException:91] -
>> [104.16.99.52] -
>> 2022-11-11 11:02:22,342 - DEBUG
>> [org.springframework.web.servlet.DispatcherServlet:1349] - [104.16.99.52] -
>> Using resolved error view: ModelAndView [view="error";
>> model={exception=net.shibboleth.idp.authn.ExternalAuthenticationException:
>> Error retrieving flow conversation,
>> request=org.apache.catalina.connector.RequestFacade at 1328262b,
>> encoder=class net.shibboleth.utilities.java.support.codec.HTMLEncoder,
>> springContext=Root WebApplicationContext, started on Wed Oct 26 14:18:57
>> EDT 2022, response=org.apache.catalina.connector.ResponseFacade at 35a01e83
>> }]
>> 2022-11-11 11:02:22,342 - DEBUG
>> [org.springframework.web.servlet.DispatcherServlet:1131] - [104.16.99.52] -
>> Completed 200 OK
>>
>>
>> This happens during every login attempt, in Firefox and Chrome, and on
>> Windows and Linux. I'm at a loss so I'm hoping someone can provide some
>> help.
>>
>> Thanks,
>> Jason
>>
>> --
>>
>> Jason Rotunno
>> System & Security Administrator
>> Swarthmore College
>> 500 College Ave
>> Swarthmore, PA 19081
>> 610.328.8505
>>
>> *VERIFY before you click!!*
>>   - Attackers make their emails look like they come from someone they don't.
>>   - Attackers make links look like they go to websites they don't.
>>   - Attackers disguise malware as receipts, invoices, faxes, etc.
>>
>> Forward suspicious emails to phishing at swarthmore.edu.
>>
>>
>
> --
>
> Jason Rotunno
> System & Security Administrator
> Swarthmore College
> 500 College Ave
> Swarthmore, PA 19081
> 610.328.8505
>
> *VERIFY before you click!!*
>   - Attackers make their emails look like they come from someone they don't.
>   - Attackers make links look like they go to websites they don't.
>   - Attackers disguise malware as receipts, invoices, faxes, etc.
>
> Forward suspicious emails to phishing at swarthmore.edu.
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20221111/e142c6c3/attachment.htm>

More information about the users mailing list