Overview
State parameter configuration for SSO when using OpenID.
Applies To
All Enterprise Edition versions of Dremio.
Details
When using an external provider for Single Sign-On (SSO) integrated authentication with the OpenID authentication model, it is possible to define additional parameters in your oauth.json, as discussed here. For example:
{
  "clientId": "<ClientId>",
  "clientSecret": "<ClientSecret>",
  "redirectUrl": "https://<dremio node address>:9047/sso",
  "authorityUrl": "https://<OpenID provider account URL>/",
  "scope": "openid profile email",
  "jwtClaims": {
    "userName": "email"
  },
  "parameters": [
    {"name": "access_type", "value": "offline"},
    {"name": "redirect_uri", "value": "https://<dremio node address>:9047/sso"},
    {"name": "client_id", "value": "<clientId>"}
  ]
}
One of the parameters that can be set is the [state] parameter, discussed for Auth0 here and for Okta here. The purpose of this parameter is to prevent cross-site request forgery (CSRF) attacks, which work by manipulating trusted browser sessions.
If this parameter is set in oauth.json, for example like so:
  "parameters": [
    {"name": "access_type", "value": "offline"},
    {"name": "redirect_uri", "value": "https://<dremio node address>:9047/sso"},
    {"name": "client_id", "value": "<clientId>"},
    {"state": "state-111223aaa-a1a1-4a32-ab1a-f0e2dc1ba345"}
  ]
...it will break the SSO authentication flow and users will be unable to authenticate over SSO. Errors such as the following will be seen in the access.log on the coordinator, or in the UI session:
2022-10-18 13:35:06,614 [qtp799515859-153] ERROR c.d.d.server.GenericExceptionMapper - Unexpected exception when processing POST http://localhost:9047/apiv2/login/sso/finish : java.lang.RuntimeException: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'state': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
at [Source: (String)"state-111223aaa-a1a1-4a32-ab1a-f0e2dc1ba345"; line: 1, column: 6]
java.lang.RuntimeException: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'state': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
Cause
In the SSO authentication flow, Dremio does not expect any state configuration. Dremio is the relying party: it acts as the OAuth client that initiates the login (SSO) request to the OpenID provider.
During this process Dremio creates a [state] value of its own (as per the specification), and this state is completely managed by the client, in this case Dremio.
The specification defines the state value as an arbitrary, opaque value. Dremio internally constructs a random state value of its own that also encapsulates the client state (mostly in JSON format) and sends it to the OAuth provider; when the provider echoes the state back on the /sso callback, Dremio expects to parse its own structure out of it, which is why a static string such as the one above fails with the JsonParseException shown in the log.
Any attempt to specify the [state] value will therefore break the flow. The [state] parameter is designed specifically not to be a static value here, and should not be set.
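As an added illustration (hypothetical code, not Dremio's own implementation), the following models what the article describes: a relying party that issues a fresh random state wrapping JSON-encoded client state, validates it on the callback so a static or foreign state is rejected, and a pre-deployment check that flags a static [state] entry in oauth.json. The function names and the config fragment are constructed for this example.

```python
import hmac
import json
import secrets

# Constructed oauth.json fragment reproducing the article's misconfiguration (placeholder values).
BAD_OAUTH_JSON = (
    '{"clientId": "<ClientId>", "parameters": ['
    '{"name": "access_type", "value": "offline"}, '
    '{"state": "state-111223aaa-a1a1-4a32-ab1a-f0e2dc1ba345"}]}'
)


def build_state(client_state: dict) -> tuple[str, str]:
    """Issue the state for one login attempt (hypothetical relying party).

    Returns (nonce, state): the nonce is kept server-side against the browser
    session; the state (random nonce plus JSON-encoded client state) is sent
    to the OpenID provider, which must echo it back unchanged.
    """
    nonce = secrets.token_urlsafe(32)
    state = json.dumps({"nonce": nonce, "client": client_state})
    return nonce, state


def verify_callback_state(returned_state: str, expected_nonce: str) -> dict:
    """Validate the echoed state and recover the client state it carries.

    A static, non-JSON state fails at the parse step (same failure class as
    the JsonParseException in the article's log); a well-formed state with a
    different nonce fails the session binding, which is the CSRF defence.
    """
    try:
        parsed = json.loads(returned_state)
    except json.JSONDecodeError as exc:
        raise ValueError(f"state is not the JSON the relying party issued: {exc.msg}") from exc
    if not isinstance(parsed, dict) or not hmac.compare_digest(
        str(parsed.get("nonce", "")), expected_nonce
    ):
        raise ValueError("state does not belong to this login attempt (possible CSRF)")
    return parsed.get("client", {})


def callback_accepted(returned_state: str, expected_nonce: str) -> bool:
    """True if the callback state passes both the parse and the binding check."""
    try:
        verify_callback_state(returned_state, expected_nonce)
        return True
    except ValueError:
        return False


def static_state_configured(oauth_json_text: str) -> bool:
    """Pre-deployment check: does oauth.json pin a static state parameter?

    Accepts both the {"name": "state", "value": ...} shape used by the other
    parameters and the bare {"state": ...} shape shown in the article.
    """
    params = json.loads(oauth_json_text).get("parameters", [])
    return any(
        isinstance(p, dict) and (p.get("name") == "state" or "state" in p) for p in params
    )
```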