When Federation Services runs as an OAuth client and a user tries to log in through Azure AD (the OAuth Authorization Server), the browser gets the following error:
500 - Internal Error occurred while trying to process the request.
Federation Services ends the request with these errors in FWSTrace.log:
[TokenConsumer.java][processOAuthLogin][No authorization server ID or state cookie available.]
[OAuthUtils.java][removeStateDataCookie][Removing the state data cookie]
[TokenConsumer.java][processRequest][Sending an error.]
Policy Server 12.8SP.x
Web Agent Option Pack 12.52SP1CR09 on ServletExec 6 on RedHat
Web Agent 12.52SP1CR09 on Apache 2.2.34 on RedHat
The first request to Federation Services sets an OAuthStateDataCookie with the SameSite attribute set to Strict (fiddler.saz, line 5):
GET https://example.com/affwebservices/public/oauthtokenconsumer/a26fa4fb-d8b5-4979-932e-ce9665b582be?AuthzServerID=myazureoauthaz
HTTP/1.1 302 Moved temporarily
Date: Mon, 11 Apr 2022 12:19:22 GMT
Server: Apache
Set-Cookie: OAuthStateDataCookie=NOdq7lx1fm/BzooMDtZA3d2FY9TuBnQy [...] Domain=example.com; Path=/; secure; HTTPOnly; SameSite=strict
Azure AD then answers the login POST with a 302 redirect carrying the authorization code back to the token consumer endpoint on example.com (fiddler.saz, line 95):
POST https://login.microsoftonline.com/login.srf
HTTP/1.1 302 Found
Location: https://example.com/affwebservices/public/oauthtokenconsumer/a26fa4fb-d8b5-4979-932e-ce9665b582be?code=0. [...] -1&session_state=3aac4ea8-8s5s-47b3-a8f4-ef04a17aa9fb#
Date: Mon, 11 Apr 2022 12:19:55 GMT
The browser follows that redirect as a top-level GET navigation initiated by login.microsoftonline.com, which is a cross-site request to example.com. With SameSite=Strict the browser withholds the cookie on every cross-site request, top-level navigations included (SameSite=Lax would still send it on a cross-site top-level GET). Federation Services therefore receives the authorization code and the state parameter but not the OAuthStateDataCookie holding the state data for the flow (including the authorization server ID), and it answers with a 500 (fiddler.saz, line 97):
GET https://example.com/affwebservices/public/oauthtokenconsumer/a26fa4fb-d8b5-4979-932e-ce9665b582be?code=0. [...] -1&session_state=3aac4ea8-8s5s-47b3-a8f4-ef04a17aa9fb
This request did not send any cookie data.
HTTP/1.1 500 Internal Error occured while trying to process the request.
Transaction ID: 1a3876e9-093736ac-61581d02-9434e68d-afc64733-4 failed.
Date: Mon, 11 Apr 2022 12:19:56 GMT
Server: Apache
FWSTrace.log:
[04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
[TokenConsumer.java][doGet][Query String: code=0
[...]
A&state=11a55580-f02ec057-3fd5246e-85e343ab-da92d4fe-1
&session_state=3aac4ea8-8s5s-47b3-a8f4-ef04a17aa9fb]
[04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
[OAuthUtils.java][getStateDataCookieValue][Retrieving State Data Cookie values]
[04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
[OAuthUtils.java][getStateDataCookie][Could not find state data cookie]
[04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
[OAuthUtils.java][getStateDataCookieValue][State data cookie does not exist.]
[04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
[TokenConsumer.java][processOAuthLogin][No authorization server ID or state cookie available.]
[04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
[OAuthUtils.java][removeStateDataCookie][Removing the state data cookie]
[04/11/2022][14:19:56][7373][3937363712][1a3876e9-093736ac-61581d02-9434e68d-afc64733-4]
[TokenConsumer.java][processRequest][Sending an error.]
To solve the issue, upgrade the Web Agent and Web Agent Option Pack to 12.52SP1CR11 and set the following ACO parameters:
SameSite to lax or none
UseSecureCookies to yes
Lax is the narrower choice: the authorization response arrives as a cross-site top-level GET navigation, which Lax allows, while cross-site POSTs and subresource requests still do not carry the state cookie. None sends the cookie on every cross-site request, and browsers only accept SameSite=None on a cookie that also carries the Secure attribute, which UseSecureCookies=yes provides.