-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Double calls to client's Redirect URI breaks client SSO #1926
Comments
We also experience same issue with our Bridge of Knowledge platform. In the logs of the platform we can see such entries:
And in the browser devtools we can see same situation as mentioned in this issue: The issue seems to be the same, and we also experience it starting with April 3rd: I've created simple PR that should solve this issue by simply introducing flag that would prevent double call of the |
thank you @cslzchen and @kadet1090 for all the details provided to resolve this issue. |
Thank a lot @cslzchen and @kadet1090 for reporting the issue and all your help! We are going to push this fix to our QA environment to review it on Monday, then, if we don't find any other issues we will deploy the fix to orcid.org early on Tuesday. Thanks @leomendoza123 for the quick fix. |
Hi @cslzchen and @kadet1090 Thanks again for reporting this, we just released the fix and I can't reproduce the issue anymore, could you please verify and confirm? Thanks a lot! |
Hey @cslzchen, Sorry, I forgot to answer your question, we use the Thanks |
@leomendoza123 and @amontenegro , fix confirmed for our OSF app (5/5 successful SSO), thanks a bunch! |
Unfortunately I cannot confirm that this fixed the issue - I still can see "Reused authorization code" entries in our logs, the last entry is from 2023-04-11T19:23:35.073Z. As of me (and in fact other team members), I cannot reproduce the issue, so perhaps this is some caching issue on our users side. Tomorrow I'll try to check if the log number is lower and if there is any issue on our side. |
@leomendoza123 and @amontenegro Cc @kadet1090 I didn't verify Safari last time. The same error and behavior still happens on Safari (reported by our users). Chrome, Firefox and Edge work fine (on macOS and on windows). In addition, Safari, Chrome and Firefox on IOS/iPhones still fail too. (Verified by our employees and by our QA via browser stack). No issue at all with multiple browsers on android phones. I think it might be the script not working as expected on Safari (or Safari-ish browsers such as IOS version of Chrome and Firefox). Should I report a new issue? |
Safari's developer tool is very confusing, and I am not seeing any call to redirected URI there from the network logs. Attaching the screenshots but they are not very helpful. However, we are confident this is still the 4 seconds time-out issue. When we use a feature in our auth server that intercepts the redirections to land on a 200 page much faster, (such as enabling OSF's two-factor), it almost never fails. |
Thanks for reporting this @cslzchen. @leomendoza123 could you please take a look? |
@cslzchen We have resolve this issue on our Sandbox environment, and this should be on production next week. Thanks for reporting this issue, and please keep us updating if you found anything else. |
Hi @cslzchen, This should be fixed in orcid.org now, could you please take a look? Thanks |
@amontenegro Yes, SSO works as expected. Verified in Safari on all three OS (macOS, iPadOS, iOS). Thanks for the quick fix again. |
@kadet1090 thank you for the report! Firefox (with add blockers) and Brave still had some issues. This should be fix with our last PR on the next sprint. |
Describe the bug
When client attempts to do OAuth, after the
authroize
request is successful, ORCiD server returns a 200 (1), in which a script runs and triggers the redirection to the client's configured Redirect URI (2). However, a second request to the Redirect URI is made about 4-5 seconds later (3). The second request causes the browser to cancel the first request.The issue is, the first request has already cleared the client server of the one-time OAuth SSO state when it is canceled. It is in the process of a few final redirections between our authentication server (which is also the OAuth client, from ORCiD server's perspective) and our app server to finish authentication into our app. Thus, when the second request comes in, it fails SSO due to the invalid state.
Below, I attached both screenshots of doc-only network history and a full network history, a screenshot of the error page and a short video clip.
prod-osf-orcid-sso-login-failed.mov
To Reproduce
Steps to reproduce the behavior:
Note: If this is your first time login into OSF with ORCiD, you will go through a different process that ask you to enter an email and your full name. You will then receive a confirmation email to confirm account creation with ORCiD. After confirmation, log out of OSF to reproduce the error.
Expected behavior
/authorize
should return a 302 to client's redirect URI; or if it returns 200, the script on that page should make only one call the the client's Redirect URI; or if it needs to make another request after some timeout, currently 4 seconds is way too short.Screenshots
See Description
Desktop (please complete the following information):
This is not browser/os/version specific. It happenes on safari, chrome and firefox, before and after update. I personally tested it on macOS 12 and 10 with latest Chrome, Safari and Firefox.
Smartphone (please complete the following information):
Not tested
Additional context
development
branch is used for production server. Is this correct?The text was updated successfully, but these errors were encountered: