ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Error : Google OAuth failing with State data cookie does not exist

book

Article ID: 5316

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

 

When running CA Access Gateway (SPS) with OAuth Federation
Partnership, the transaction fails with below error while receiving an
OAuth Authorization response code from Google.

1. Browser accesses the below URL :

   https://abc.ca.com/affwebservices/public/oauthtokenconsumer/google687896921825?AuthzServerID=Google

2. After verifying the Authorization Server Info, FWS creates and set
   the OauthStateDataCookie in the browser and it redirects to Google
   Login page;

3. User enters the credentials;

4. After Successful Authentication from Google, the request redirects
   to Siteminder along with Oauth Authorization response code but
   failing with below errors :

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [FWSBase.java][doRequestLog][Requesting Host: 10.0.0.1
    Requesting Host IP: 10.0.0.1 Request protocol: HTTP/1.1 Request was secure:
    true Authentication type: null]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [TokenConsumer.java][doGet][Query String:
    state=cd3e6e92-4a04bb0e-a9201c13-52995150-a27b9842-a28&code=4/9rBUfkZ0-Xiuso7mkYuTA
    niTokXMqLhTiup0uUcQz0E]

    [01/30/2017][19:34:26][8116][9900][][agentcommon][]
    [Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf
    and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [01/30/2017][19:34:26][8116][9900][][agentcommon][]
    [Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf
    and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [FWSBase.java][getDisambiguationID]
    [Retrieving the disambiguation ID from the requested URI /affwebservices/public/oauthtokenconsumer/myGoogle]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [FWSBase.java][getDisambiguationID][serviceURL=/public/oauthtokenconsumer]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [FWSBase.java][getDisambiguationID][DisambiguationID = myGoogle]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [TokenConsumer.java][processRequest][Beginning request processing]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [OAuthUtils.java][getStateDataCookieValue][Retrieving State Data Cookie values]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [OAuthUtils.java][getStateDataCookie][No cookies found]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [OAuthUtils.java][getStateDataCookieValue][State data cookie does not exist.]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [TokenConsumer.java][processOAuthLogin]
    [Authorization Server ID = null|||myGoogle]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [TokenConsumer.java][retrieveAuthzServerInfo]
    [Retrieving the Authorization Server runtime configuration]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [OAuthUtils.java][retrieveAuthzServerFromCache]
    [Could not find Authorization Server information for ID: null|||myGoogle in the cache.]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [OAuthTunnelClient][getAuthzServerByID][Retrieving the authorization server runtime configuration.]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [OAuthUtils.java][retrieveAuthzServerFromPolicyServer]
    [Could not find AuthzServer information from Policy Server: null|||myGoogle.]

    [01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b]
    [TokenConsumer.java][retrieveAuthzServerInfo][Failed to retrieve the Authorization Server information.]

Cause

 

It happened because the browser didn't send the OAuthstatedatacookie
while redirecting to Siteminder after successful authentication from
Google.

cookiedomain=.xyz.com was set under Agent Configuration Object (ACO).
Hence while processing the request, FWS set the OAuthstatedatacookie
cookie to ".xyz.com" while redirecting to google for getting
authorization response code.

But OAuth url is having ".ca.com" domain. Hence browser didn't sent
the OAuthstatedatacookie while redirecting back to Siteminder after
successful authentication from Google which caused the issue.

 

Environment

 

Policy Server: R12.52 SP2;
SPS r12.52 SP1 CR02;

 

Resolution

 

- Make sure to set the CookieDomain parameter properly.

  When having multiple domains (multiple virtual hosts) for federation
  applications, it is better to comment this parameter (CookieDomain)
  under ACO;