Google OAuth integration failing with State data cookie does not exist error

Document ID : KB000005316
Last Modified Date : 14/02/2018
Issue:

We have configured an OAuth federation partnership, but it fails with the errors below while receiving the OAuth authorization response code from Google.


1. We request the URL below.

https://abc.ca.com/affwebservices/public/oauthtokenconsumer/google687896921825?AuthzServerID=Google

2. After verifying the authorization server information, FWS creates and sets the OAuthStateDataCookie in the browser and redirects to the Google login page.

3. The user enters the credentials.

4. After successful authentication at Google, the request is redirected back to SiteMinder with the OAuth authorization response code, but fails with the errors below.

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][FWSBase.java][doRequestLog][Requesting Host: 172.25.6.78 Requesting Host IP: 172.25.6.78 Request protocol: HTTP/1.1 Request was secure: true Authentication type: null]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][TokenConsumer.java][doGet][Query String: state=cd3e6e92-4a04bb0e-a9201c13-52995150-a27b9842-a28&code=4/9rBUfkZ0-Xiuso7mkYuTAniTokXMqLhTiup0uUcQz0E]

[01/30/2017][19:34:26][8116][9900][][agentcommon][][Requesting data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[01/30/2017][19:34:26][8116][9900][][agentcommon][][Administration Manager is returning data for ConfigManager ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf and SmAgentConfig ID C:\Program Files (x86)\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][FWSBase.java][getDisambiguationID][Retrieving the disambiguation ID from the requested URI /affwebservices/public/oauthtokenconsumer/google687896921825]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][FWSBase.java][getDisambiguationID][serviceURL=/public/oauthtokenconsumer]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][FWSBase.java][getDisambiguationID][DisambiguationID = google687896921825]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][TokenConsumer.java][processRequest][Beginning request processing]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][OAuthUtils.java][getStateDataCookieValue][Retrieving State Data Cookie values]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][OAuthUtils.java][getStateDataCookie][No cookies found]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][OAuthUtils.java][getStateDataCookieValue][State data cookie does not exist.]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][TokenConsumer.java][processOAuthLogin][Authorization Server ID = null|||google687896921825]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][TokenConsumer.java][retrieveAuthzServerInfo][Retrieving the Authorization Server runtime configuration]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][OAuthUtils.java][retrieveAuthzServerFromCache][Could not find Authorization Server information for ID: null|||google687896921825 in the cache.]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][OAuthTunnelClient][getAuthzServerByID][Retrieving the authorization server runtime configuration.]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][OAuthUtils.java][retrieveAuthzServerFromPolicyServer][Could not find AuthzServer information from Policy Server: null|||google687896921825.]

[01/30/2017][19:34:26][8116][9900][45bdc46a-4853d385-3fed9d7f-10a95152-066797e2-1b][TokenConsumer.java][retrieveAuthzServerInfo][Failed to retrieve the Authorization Server information.]

Environment:
Policy Server: R12.52 SP2, SPS r12.52 SP1 CR02
Cause:

The failure occurs because the browser did not send the OAuthStateDataCookie when redirecting back to SiteMinder after successful authentication at Google.

CookieDomain=.xyz.com was set in the Agent Configuration Object (ACO). While processing the request, FWS therefore set the OAuthStateDataCookie with the domain ".xyz.com" before redirecting to Google to obtain the authorization response code.

The OAuth callback URL, however, is in the ".ca.com" domain, so the browser did not send the OAuthStateDataCookie when redirecting back to SiteMinder after authentication at Google; the cookie lookup in the token consumer then fails with "State data cookie does not exist."

Resolution:

Make sure the CookieDomain parameter is set to a domain that covers the host serving the federation (FWS) URLs.

If the federation applications are served from multiple domains (multiple virtual hosts), it is better to comment out the CookieDomain parameter in the ACO so that the cookie is set for the requesting host itself.
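The following added example (illustration written for this article, not CA or SiteMinder code) applies RFC 6265 cookie domain matching to the hosts from this case to show why a CookieDomain of ".xyz.com" never comes back to the abc.ca.com callback, while ".ca.com" or an unset CookieDomain does. The callback URL is taken from the issue above; the function and variable names are the example's own.

```python
"""Why the OAuthStateDataCookie is not returned when the ACO CookieDomain
does not cover the FWS host (RFC 6265 section 5.1.3 domain matching)."""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Callback URL from the issue description (query string dropped by urlsplit)
FWS_CALLBACK = ("https://abc.ca.com/affwebservices/public/"
                "oauthtokenconsumer/google687896921825?AuthzServerID=Google")


def domain_matches(host: str, domain: str) -> bool:
    """host domain-matches domain if they are equal, or host ends with
    '.' + domain and host is not an IP address literal."""
    host, domain = host.lower().rstrip("."), domain.lower().lstrip(".")
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal never matches a domain suffix
    except ValueError:
        return True


def state_cookie_returned(setting_host: str, cookie_domain: Optional[str],
                          callback_host: str) -> bool:
    """Would the browser send the state cookie back to callback_host?

    cookie_domain None models a commented-out CookieDomain in the ACO: the
    cookie is host-only and is returned only to the exact host that set it.
    """
    setting_host, callback_host = setting_host.lower(), callback_host.lower()
    if cookie_domain is None:
        return callback_host == setting_host
    # A Domain attribute that does not cover the setting host is either
    # rejected by the browser or scoped to a domain the FWS host is not in;
    # in both cases it never reaches the federation callback.
    if not domain_matches(setting_host, cookie_domain):
        return False
    return domain_matches(callback_host, cookie_domain)


def diagnose(cookie_domain: Optional[str], callback_url: str = FWS_CALLBACK) -> str:
    """One-line verdict for a given ACO CookieDomain value."""
    host = urlsplit(callback_url).hostname
    ok = state_cookie_returned(host, cookie_domain, host)
    label = cookie_domain if cookie_domain is not None else "<unset (host-only)>"
    verdict = "cookie returned" if ok else "cookie NOT returned (state data cookie does not exist)"
    return f"CookieDomain={label} callback host={host}: {verdict}"


if __name__ == "__main__":
    for d in (".xyz.com", ".ca.com", None):
        print(diagnose(d))
```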