Missing OAuthConvertCookieValue when converting owner accounts to OIDC #9057

Closed
pratheekrebala opened this issue Aug 11, 2023 · 1 comment · Fixed by #9129
pratheekrebala commented Aug 11, 2023

Issue

I am trying to convert the owner account on my Coder instance to an OIDC user. However, I am receiving the following error message:

Convert to oauth cookie not found. Missing signed jwt to authorize this action. Please try again.

Background

Looking through the requests, it seems like the cookie is set correctly in the browser. However, the response from the call to api/v2/users/oidc/callback?state=convert-XXX after completing the OIDC login doesn't include this cookie. This might be triggering the error from here in userauth.go

coder/coderd/userauth.go, lines 1508 to 1515 in d2a9049:

```go
jwtCookie, err := r.Cookie(OAuthConvertCookieValue)
if err != nil {
	return database.User{}, httpError{
		code: http.StatusBadRequest,
		msg: fmt.Sprintf("Convert to oauth cookie not found. Missing signed jwt to authorize this action. " +
			"Please try again."),
	}
}
```

I haven't spent too much time looking through the source here and I was unable to understand the flow of this request, but I was wondering if the call to clearOAuthConvertCookie before the call to convertUserToOauth could be causing this?

coder/coderd/userauth.go, lines 1224 to 1234 in d2a9049:

```go
if isMergeStateString(params.State.StateString) {
	// Always clear this cookie. If it succeeds, we no longer need it.
	// If it fails, we no longer care about it.
	cookies = append(cookies, clearOAuthConvertCookie())
	user, err = api.convertUserToOauth(ctx, r, tx, params)
	if err != nil {
		return err
	}
	params.User = user
	isConvertLoginType = true
}
```

Additional Information

I am using Google Workspace OAuth as my OIDC provider, and the audit logs show a missing value in the diff: the old "user_id" is blank for this operation. Again, I am not entirely sure if this is relevant information; the response is attached here:

JSON Response Object from Audit Logs

```json
{
  "id": "[redacted]",
  "request_id": "[redacted]",
  "time": "[redacted]",
  "organization_id": "00000000-0000-0000-0000-000000000000",
  "ip": "[redacted]",
  "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
  "resource_type": "convert_login",
  "resource_id": "[redacted]",
  "resource_target": "oidc",
  "resource_icon": "",
  "action": "create",
  "diff": {
    "created_at": {
      "old": "0001-01-01T00:00:00Z",
      "new": "2023-08-11T20:12:39Z",
      "secret": false
    },
    "expires_at": {
      "old": "0001-01-01T00:00:00Z",
      "new": "2023-08-11T20:17:39Z",
      "secret": false
    },
    "from_login_type": {
      "old": "",
      "new": "password",
      "secret": false
    },
    "to_login_type": {
      "old": "",
      "new": "oidc",
      "secret": false
    },
    "user_id": {
      "old": "",
      "new": "[redacted]",
      "secret": false
    }
  },
  "status_code": 201,
  "additional_fields": {},
  "description": "{user} created login type conversion to {target}",
  "resource_link": "",
  "is_deleted": false,
  "user": {
    "id": "[redacted]",
    "username": "prebala",
    "email": "prebala@publicintegrity.org",
    "created_at": "2023-01-09T20:21:02.770961Z",
    "last_seen_at": "0001-01-01T00:00:00Z",
    "status": "active",
    "organization_ids": null,
    "roles": [
      {
        "name": "owner",
        "display_name": "Owner"
      }
    ],
    "avatar_url": "",
    "login_type": ""
  }
}
```
Emyrk commented Aug 16, 2023

Thank you for the issue. I was debugging the wrong path since I do a lot of hosting on localhost which handles cookies differently.

The issue was the cookie was being set as SameSite=Strict, which made the cookie unavailable in a redirect.
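As an added illustration of the root cause described above (example code, not code from the issue or from the Coder project), the following Go program models the browser's SameSite decision for the convert cookie on the cross-site redirect from the IdP back to /api/v2/users/oidc/callback: with SameSite=Strict the cookie never reaches the callback handler, with SameSite=Lax it does because the redirect is a top-level GET. The cookie name `oauth_convert`, the `sentOnRequest` model and the `callbackSees` helper are assumptions for this illustration, not Coder's own API.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed cookie name for this example; Coder's real constant is OAuthConvertCookieValue.
const oauthConvertCookie = "oauth_convert"

// newConvertCookie builds the signed-JWT convert cookie with a given SameSite mode.
func newConvertCookie(jwt string, mode http.SameSite) *http.Cookie {
	return &http.Cookie{Name: oauthConvertCookie, Value: jwt, HttpOnly: true, Secure: true, SameSite: mode}
}

// sentOnRequest models the browser's SameSite rule (RFC 6265bis): Strict cookies
// never accompany a cross-site request; Lax cookies accompany only top-level
// navigations with a safe method; None (which requires Secure) always does.
func sentOnRequest(c *http.Cookie, crossSite, topLevel bool, method string) bool {
	if !crossSite {
		return true
	}
	switch c.SameSite {
	case http.SameSiteStrictMode:
		return false
	case http.SameSiteNoneMode:
		return c.Secure
	default: // Lax, or unset (current browsers treat unset as Lax)
		return topLevel && (method == http.MethodGet || method == http.MethodHead)
	}
}

// callbackSees simulates the IdP redirecting the browser back to the OIDC callback
// (a cross-site, top-level GET) and reports whether r.Cookie(...) in the handler succeeds.
func callbackSees(c *http.Cookie) bool {
	r := httptest.NewRequest(http.MethodGet, "/api/v2/users/oidc/callback?state=convert-x", nil)
	if sentOnRequest(c, true, true, r.Method) {
		r.AddCookie(c) // the browser attaches the cookie only when SameSite permits
	}
	_, err := r.Cookie(oauthConvertCookie)
	return err == nil
}

func main() {
	fmt.Println("Strict cookie reaches callback:", callbackSees(newConvertCookie("jwt", http.SameSiteStrictMode)))
	fmt.Println("Lax cookie reaches callback:   ", callbackSees(newConvertCookie("jwt", http.SameSiteLaxMode)))
}
```

Note that Lax still withholds the cookie from cross-site POSTs and subresource requests, so a callback delivered by form POST (response_mode=form_post) would need a different design rather than SameSite=None.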
