[chrome bug] CSRF Warning! State not equal in request and response.
Describe the bug
When logging in via OIDC, an error occurs: CSRF Warning! State not equal in request and response. This only happens on chrome/chromium. It does not happen on firefox. Specifically, chrome 89.0.4389.114, firefox 78.8.0esr, and chromium 88.0.4324.182. And on mac/linux.
Error Stacks
Something bad has happened.
Please consider letting us know by creating a bug report using GitHub.
Python version: 3.8.6
Airflow version: 2.0.1
Node: airflow-5cfb6496fd-zkjm2
-------------------------------------------------------------------------------
Traceback (most recent call last):
File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/home/abc/.local/lib/python3.8/site-packages/flask/_compat.py", line 39, in reraise
raise value
File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/home/abc/.local/lib/python3.8/site-packages/flask_appbuilder/security/views.py", line 681, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
File "/usr/local/lib/python3.8/site-packages/authlib/integrations/flask_client/remote_app.py", line 74, in authorize_access_token
params = self.retrieve_access_token_params(flask_req, request_token)
File "/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 145, in retrieve_access_token_params
params = self._retrieve_oauth2_access_token_params(request, params)
File "/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 126, in _retrieve_oauth2_access_token_params
raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
To Reproduce
We are using Keycloak to login via OIDC with Airflow, which apparently uses flask/authlib.
Environment: Docker
- OS: debian bullseye slim
- Python Version: 3.8
- Authlib Version: 0.15.3
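The traceback shows where the failure comes from: `authorize_access_token()` compares the `state` value the identity provider echoes back on the callback with the one the application stored when it built the authorization redirect, and raises `MismatchingStateError` when they differ or when the stored value is gone. That comparison is the CSRF defence of the OAuth 2.0 / OIDC authorization-code flow: without it, an attacker could send a victim a callback URL carrying the attacker's own authorization code and bind the victim's browser session to the attacker's account. The following is an added example, not Authlib's or Airflow's own code; it models the two halves of the flow with a plain `dict` standing in for the Flask session, a constructed stand-in for Keycloak, and hypothetical names (`authorize_redirect`, `authorize_access_token`, `_oidc_state`). It shows the normal round trip succeeding, the same error the report shows when the callback arrives without the session that stored the state (which is what happens when the browser does not send the session cookie on the cross-site redirect back from the IdP), and a forged callback being rejected.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class MismatchingStateError(Exception):
    """Raised when the callback's state does not match the one stored for this session."""


# Hypothetical names; the real client library uses its own session keys.
STATE_KEY = "_oidc_state"


def authorize_redirect(session, authorize_url, client_id, redirect_uri):
    """Step 1: pick an unguessable state, remember it in the server-side session,
    and build the authorization URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    session[STATE_KEY] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return f"{authorize_url}?{urlencode(params)}"


def authorize_access_token(session, callback_url):
    """Step 2: on the callback, refuse to use the code unless the echoed state
    equals the stored one. The stored value is consumed so it cannot be replayed."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    stored_state = session.pop(STATE_KEY, None)
    if not stored_state or not returned_state or not hmac.compare_digest(
        stored_state, returned_state
    ):
        raise MismatchingStateError(
            "mismatching_state: CSRF Warning! State not equal in request and response."
        )
    return query["code"][0]  # an authorization code, to be exchanged for tokens


def simulate_idp(authorization_url):
    """Constructed stand-in for Keycloak: echoes the state back with a fake code."""
    q = parse_qs(urlparse(authorization_url).query)
    return f"{q['redirect_uri'][0]}?{urlencode({'code': 'fake-code', 'state': q['state'][0]})}"


AUTHORIZE_URL = "https://keycloak.example/realms/demo/protocol/openid-connect/auth"  # assumed
REDIRECT_URI = "https://airflow.example/oauth-authorized/keycloak"  # assumed


def happy_path():
    """Same session on both legs: the callback is accepted."""
    session = {}
    url = authorize_redirect(session, AUTHORIZE_URL, "airflow", REDIRECT_URI)
    return authorize_access_token(session, simulate_idp(url))


def lost_session_path():
    """Session cookie not presented on the callback (e.g. not sent on the cross-site
    redirect back from the IdP): the stored state is missing, so the check fails."""
    session = {}
    url = authorize_redirect(session, AUTHORIZE_URL, "airflow", REDIRECT_URI)
    callback = simulate_idp(url)
    fresh_session = {}  # what the server sees when no session cookie arrives
    try:
        authorize_access_token(fresh_session, callback)
    except MismatchingStateError:
        return "mismatching_state"
    return "accepted"


def forged_callback_path():
    """Attacker-crafted callback with the attacker's code and a guessed state:
    rejected even though the victim's session holds a valid state."""
    session = {}
    authorize_redirect(session, AUTHORIZE_URL, "airflow", REDIRECT_URI)
    forged = f"{REDIRECT_URI}?{urlencode({'code': 'attacker-code', 'state': 'guess'})}"
    try:
        authorize_access_token(session, forged)
    except MismatchingStateError:
        return "mismatching_state"
    return "accepted"
```

The practical consequence for a deployment that hits this error only in one browser is that the state is being generated and stored correctly; what differs is whether the session that stored it is still presented when the callback lands. Checking that the session cookie is actually sent on the redirect back from the IdP (cookie attributes, scheme and host of the redirect URI versus the cookie's domain) is the first thing to verify.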
Issue Analytics
- Created 2 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
fixed in 1.0.0
I reproduced the issue with Authlib 1.0.0a2 https://github.com/lepture/authlib/issues/376#issuecomment-902186146