[chrome bug] CSRF Warning! State not equal in request and response.

Describe the bug

When logging in via OIDC, an error occurs: "CSRF Warning! State not equal in request and response." This only happens on Chrome/Chromium. It does not happen on Firefox.

Specifically, Chrome 89.0.4389.114, Firefox 78.8.0esr, and Chromium 88.0.4324.182, on Mac/Linux.

Error Stacks

Something bad has happened.
Please consider letting us know by creating a bug report using GitHub.
Python version: 3.8.6
Airflow version: 2.0.1
Node: airflow-5cfb6496fd-zkjm2
-------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/abc/.local/lib/python3.8/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/abc/.local/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/abc/.local/lib/python3.8/site-packages/flask_appbuilder/security/views.py", line 681, in oauth_authorized
    resp = self.appbuilder.sm.oauth_remotes[provider].authorize_access_token()
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/flask_client/remote_app.py", line 74, in authorize_access_token
    params = self.retrieve_access_token_params(flask_req, request_token)
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 145, in retrieve_access_token_params
    params = self._retrieve_oauth2_access_token_params(request, params)
  File "/usr/local/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 126, in _retrieve_oauth2_access_token_params
    raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.

To Reproduce

We are using Keycloak to log in via OIDC with Airflow, which apparently uses flask/authlib.

Environment:

Docker

  • OS: debian bullseye slim
  • Python Version: 3.8
  • Authlib Version: 0.15.3

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
lepture commented, Mar 18, 2022

fixed in 1.0.0

0 reactions
dnskr commented, Aug 19, 2021
