Summary
This article explains how the [state] parameter affects OpenID-based Single Sign-On (SSO) authentication in Dremio, as discussed for Auth0 here and for Okta here.
Reported Issue
When using an external provider for Single Sign-On (SSO) integrated authentication with the OpenID authentication model, setting the [state] parameter in the oauth.json configuration file can break the SSO authentication flow, preventing users from authenticating.
Relevant Versions
All Enterprise Edition versions of Dremio.
Troubleshooting Steps
If the [state] parameter is set in the oauth.json configuration file, errors such as the following may be seen in the access.log on the coordinator or in the UI session:
2022-10-18 13:35:06,614 [qtp799515859-153] ERROR c.d.d.server.GenericExceptionMapper - Unexpected exception when processing POST http://localhost:9047/apiv2/login/sso/finish : java.lang.RuntimeException: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'state': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
at [Source: (String)"state-111223aaa-a1a1-4a32-ab1a-f0e2dc1ba345"; line: 1, column: 6]
java.lang.RuntimeException: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'state': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
Cause
When using an external provider for Single Sign-On (SSO) integrated authentication with the OpenID authentication model, it is possible to define additional parameters in your oauth.json, as discussed here, for example:
{
  "clientId": "<ClientId>",
  "clientSecret": "<ClientSecret>",
  "redirectUrl": "https://<dremio node address>:9047/sso",
  "authorityUrl": "https://<OpenID provider account URL>/",
  "scope": "openid profile email",
  "jwtClaims": {
    "userName": "email"
  },
  "parameters": [
    {"name": "access_type", "value": "offline"},
    {"name": "redirect_uri", "value": "https://<dremio node address>:9047/sso"},
    {"name": "client_id", "value": "<clientId>"}
  ]
}
In the SSO authentication flow, Dremio does not expect the [state] parameter to be configured at all. For this flow, Dremio is the relying party and acts as the client that initiates the login/SSO request to the OpenID provider.
During this process Dremio creates a [state] value of its own (as per the specification), and this state is managed entirely by the client, in this case Dremio.
The specification defines [state] as an arbitrary, opaque value. Dremio internally constructs a random state value of its own, encapsulating the client state as well (mostly in JSON format), and sends it to the OAuth provider, which echoes it back unchanged on the callback.
Any attempt to specify the [state] value yourself will break the flow: the provider returns your static string instead of Dremio's JSON, and Dremio cannot parse it (the JsonParseException shown above). The [state] parameter is designed specifically not to be a static value here and should not be set.
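To make the failure mode concrete, the following added Python model (not Dremio's code) shows a relying party that generates its own random JSON state, accepts only an echoed state that parses and matches an issued nonce, and includes a check that flags a static state entry in oauth.json. The JSON layout of the state, the nonce store and the sample configs are assumptions constructed for this illustration.

```python
import json
import secrets

# Constructed sample oauth.json contents (placeholders, not a real deployment).
GOOD_CONFIG = {
    "clientId": "<ClientId>",
    "clientSecret": "<ClientSecret>",
    "redirectUrl": "https://<dremio node address>:9047/sso",
    "authorityUrl": "https://<OpenID provider account URL>/",
    "scope": "openid profile email",
    "jwtClaims": {"userName": "email"},
    "parameters": [{"name": "access_type", "value": "offline"}],
}
BAD_CONFIG = json.loads(json.dumps(GOOD_CONFIG))  # deep copy, then add the bad entry
BAD_CONFIG["parameters"].append(
    {"name": "state", "value": "state-111223aaa-a1a1-4a32-ab1a-f0e2dc1ba345"}
)

# Nonces the relying party has issued and not yet consumed (assumed in-memory store).
ISSUED_NONCES: set = set()


def find_state_override(config: dict):
    """Config check: return a statically configured 'state' value, or None if absent."""
    for param in config.get("parameters", []):
        if str(param.get("name", "")).lower() == "state":
            return param.get("value")
    return None


def make_state(client_state: dict) -> str:
    """Relying-party side: wrap client state plus a fresh random nonce as JSON text."""
    nonce = secrets.token_urlsafe(16)
    ISSUED_NONCES.add(nonce)
    return json.dumps({"nonce": nonce, "client": client_state})


def parse_returned_state(state: str) -> dict:
    """Callback side: the provider echoes state unchanged; it must be our JSON and our nonce."""
    try:
        decoded = json.loads(state)
    except json.JSONDecodeError as exc:
        # Same failure class as the JsonParseException in the log above.
        raise ValueError(f"state is not relying-party JSON: {exc.msg}") from exc
    if not isinstance(decoded, dict) or decoded.get("nonce") not in ISSUED_NONCES:
        raise ValueError("state does not match a login request this relying party issued")
    ISSUED_NONCES.discard(decoded["nonce"])  # one-time use
    return decoded


def callback_accepts(state: str) -> bool:
    """True if the echoed state would be accepted by the relying party."""
    try:
        parse_returned_state(state)
        return True
    except ValueError:
        return False
```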
Steps to Resolve
Remove any configuration setting for the [state] parameter from the oauth.json file.
Best Practices
Do not set the [state] parameter in your SSO configuration.