SSO OIDC - Unknown State in Response Error - [Frequently]

Reab May 3, 2021

 

We are using Jira Software SSO through OIDC and Keycloak. However, we frequently get "We can't log you in right now" after a successful login, while the user has actually logged in and is able to access the system (false positive), as shown below:

 

Jira erro -sso.PNG

 

The server logs: 

 

 /plugins/servlet/oidc/callback; user: USERNAME ERROR USERNAME /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] [UUID:  Unknown state in response
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Unknown state in response
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.lambda$doGet$0(OidcConsumerServlet.java:111)
at java.util.Optional.orElseThrow(Optional.java:290)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.doGet(OidcConsumerServlet.java:111)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:47)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
... 48 filtered

 

I need to investigate this issue. Where should I look?

 

 

Thanks

2 answers

0 votes

Hi guys,

I have been working quite a lot with OIDC, and have some thoughts and hypotheses.
To troubleshoot this, I would hit the F12 button and perform a network capture to see the requests in the browser. From the looks of it, the callback URL was hit again somehow, after the successful login was performed. In that case, the state variable is no longer cached as the server likely received a replay of a completed login. There could be many explanations for such an error, but maybe something in your network stack leads to this replay / hiccup?

Another possibility that might explain such issues sometimes is that this is caused by a faulty sticky session configuration in a multi-node setup or something, or that the shared cache / file system between nodes is out of sync.

Were you able to resolve the issues, both of you? @Joe Red  @Reab 

Regards,
Elias
Kantega SSO
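
Added example, not part of the original thread and not Atlassian's plugin code: a simplified model of single-use OIDC `state` handling that reproduces the two hypotheses in the answer above (a replayed callback after a completed login, and a callback reaching a node that did not issue the state) and labels each failure. The `Node` class, the event tuples and the node names are constructed assumptions; only the error string comes from the log above.

```python
import secrets

class Node:
    """Hypothetical app node holding pending OIDC state values in memory."""
    def __init__(self, name, store=None):
        self.name = name
        # Passing one dict to several nodes models a shared, in-sync cache.
        self.pending = {} if store is None else store

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self.pending[state] = self.name
        return state

    def callback(self, state):
        # Single use: pop() removes the state, so a second hit cannot find it.
        if self.pending.pop(state, None) is None:
            return "Unknown state in response"
        return "ok"

def classify(events):
    """Label failed callbacks in constructed (node, action, state) events."""
    issued, consumed, findings = {}, set(), []
    for node, action, state in events:
        if action == "issue":
            issued[state] = node
        elif action == "callback-ok":
            consumed.add(state)
        elif state in consumed:
            findings.append((state, "replay"))         # already used once
        elif issued.get(state, node) != node:
            findings.append((state, "node-mismatch"))  # issued elsewhere
        else:
            findings.append((state, "unknown"))
    return findings

def simulate():
    a, b = Node("node-a"), Node("node-b")  # separate stores, no shared cache
    events = []
    def login(node):
        state = node.start_login()
        events.append((node.name, "issue", state))
        return state
    def hit(node, state):
        ok = node.callback(state) == "ok"
        events.append((node.name, "callback-ok" if ok else "callback-fail", state))
    s1 = login(a); hit(a, s1); hit(a, s1)  # login succeeds, callback replayed
    s2 = login(a); hit(b, s2)              # callback routed to the other node
    return s1, s2, classify(events)
```

The replay case matches the symptom in the question: the first callback logs the user in, and the second one produces the error page. In a browser network capture or reverse-proxy access log, the same comparison applies to the `state` query parameter on each request to `/plugins/servlet/oidc/callback`.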

0 votes
Joe Red November 3, 2022

Anyone have any thoughts on this?

I am receiving the same error with a very similar setup to @Reab 

 

@Reab What did you do to troubleshoot?

Gita Meskauskas February 16, 2024

I am having a similar issue, any suggestions? @Joe Red @Reab 

Elias Brattli Sørensen - Kantega SSO February 21, 2024

Hi @Gita Meskauskas ,

Can you share more about the errors you're experiencing? While I am not familiar with Atlassian's OIDC plugin, I am familiar with OpenID Connect and Atlassian software, and I'm happy to help you understand the issue.
See my other comment for suggestions and thoughts.

Best,
Elias
Kantega SSO
