Missing OAuthConvertCookieValue when converting owner accounts to OIDC #9057

Closed
@pratheekrebala

Description

Issue

I am trying to convert the owner account on my Coder instance to an OIDC user. However, I am receiving the following error message:

Convert to oauth cookie not found. Missing signed jwt to authorize this action. Please try again.

Background

Looking through the requests, it seems like the cookie is set correctly in the browser. However, the response from the call to api/v2/users/oidc/callback?state=convert-XXX after completing the OIDC login doesn't include this cookie. This might be triggering the error from here in userauth.go

coder/coderd/userauth.go

Lines 1508 to 1515 in d2a9049

jwtCookie, err := r.Cookie(OAuthConvertCookieValue)
if err != nil {
	return database.User{}, httpError{
		code: http.StatusBadRequest,
		msg: fmt.Sprintf("Convert to oauth cookie not found. Missing signed jwt to authorize this action. " +
			"Please try again."),
	}
}

I haven't spent too much time looking through the source here, and I was unable to understand the flow of this request, but I was wondering if the call to clearOAuthConvertCookie before the call to convertUserToOauth could be causing this?

coder/coderd/userauth.go

Lines 1224 to 1234 in d2a9049

if isMergeStateString(params.State.StateString) {
	// Always clear this cookie. If it succeeds, we no longer need it.
	// If it fails, we no longer care about it.
	cookies = append(cookies, clearOAuthConvertCookie())
	user, err = api.convertUserToOauth(ctx, r, tx, params)
	if err != nil {
		return err
	}
	params.User = user
	isConvertLoginType = true
}

Additional Information

I am using Google Workspace OAuth as my OIDC provider, and the audit logs show that the old value of "user_id" in the diff is blank for this operation. Again, I am not entirely sure if this is relevant information; the response is attached here:

JSON Response Object from Audit Logs
{
  "id": "[redacted]",
  "request_id": "[redacted]",
  "time": "[redacted]",
  "organization_id": "00000000-0000-0000-0000-000000000000",
  "ip": "[redacted]",
  "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
  "resource_type": "convert_login",
  "resource_id": "[redacted]",
  "resource_target": "oidc",
  "resource_icon": "",
  "action": "create",
  "diff": {
    "created_at": {
      "old": "0001-01-01T00:00:00Z",
      "new": "2023-08-11T20:12:39Z",
      "secret": false
    },
    "expires_at": {
      "old": "0001-01-01T00:00:00Z",
      "new": "2023-08-11T20:17:39Z",
      "secret": false
    },
    "from_login_type": {
      "old": "",
      "new": "password",
      "secret": false
    },
    "to_login_type": {
      "old": "",
      "new": "oidc",
      "secret": false
    },
    "user_id": {
      "old": "",
      "new": "[redacted]",
      "secret": false
    }
  },
  "status_code": 201,
  "additional_fields": {},
  "description": "{user} created login type conversion to {target}",
  "resource_link": "",
  "is_deleted": false,
  "user": {
    "id": "[redacted]",
    "username": "prebala",
    "email": "[email protected]",
    "created_at": "2023-01-09T20:21:02.770961Z",
    "last_seen_at": "0001-01-01T00:00:00Z",
    "status": "active",
    "organization_ids": null,
    "roles": [
      {
        "name": "owner",
        "display_name": "Owner"
      }
    ],
    "avatar_url": "",
    "login_type": ""
  }
}
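The flow the report describes, reduced to an added, self-contained Go example (not code from the issue or from Coder): a callback handler receives a `convert-` state string, queues a clearing `Set-Cookie` on the response, reads the convert cookie from the request, and verifies that the signed token in the cookie was issued for exactly that state. The cookie name, the `convert-` prefix check and the HMAC token are constructed stand-ins for Coder's `OAuthConvertCookieValue`, `isMergeStateString` and signed JWT; the point it demonstrates is that `http.SetCookie` only writes a response header, so it has no effect on what `r.Cookie` returns for the same request, and that a missing or mismatched cookie is rejected before any conversion happens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical cookie name; Coder uses OAuthConvertCookieValue.
const convertCookieName = "oauth_convert_example"

// signState returns "<state>.<base64 HMAC>" as a constructed stand-in for the
// signed JWT that binds the convert cookie to one OIDC state value.
func signState(key []byte, state string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(state))
	sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return state + "." + sig
}

// verifyState checks the signature and returns the state the token was issued for.
func verifyState(key []byte, token string) (string, error) {
	state, _, ok := strings.Cut(token, ".")
	if !ok {
		return "", errors.New("malformed convert token")
	}
	// Recompute and compare in constant time.
	if !hmac.Equal([]byte(signState(key, state)), []byte(token)) {
		return "", errors.New("bad convert token signature")
	}
	return state, nil
}

// isMergeState mirrors the "convert-XXX" state prefix seen in the callback URL.
func isMergeState(state string) bool { return strings.HasPrefix(state, "convert-") }

// clearConvertCookie builds the clearing Set-Cookie (MaxAge -1 expires it in the browser).
func clearConvertCookie() *http.Cookie {
	return &http.Cookie{Name: convertCookieName, Value: "", Path: "/", MaxAge: -1, HttpOnly: true}
}

// callbackHandler is a hypothetical /oidc/callback that only authorizes the
// conversion when a valid convert cookie for this exact state is present.
func callbackHandler(key []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		state := r.URL.Query().Get("state")
		if !isMergeState(state) {
			http.Error(w, "not a convert flow", http.StatusBadRequest)
			return
		}
		// Queued on the response first, as in the quoted code; this does not
		// touch the request's Cookie header that r.Cookie reads below.
		http.SetCookie(w, clearConvertCookie())
		c, err := r.Cookie(convertCookieName)
		if err != nil {
			http.Error(w, "Convert to oauth cookie not found. Missing signed jwt to authorize this action.", http.StatusBadRequest)
			return
		}
		got, err := verifyState(key, c.Value)
		if err != nil || got != state {
			http.Error(w, "convert cookie does not match state", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
		w.Write([]byte("converted"))
	}
}

// runCallback drives the handler with an optional convert cookie and returns
// the HTTP status code, so the outcome can be checked without a browser.
func runCallback(key []byte, state, cookieValue string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v2/users/oidc/callback?state="+state, nil)
	if cookieValue != "" {
		req.AddCookie(&http.Cookie{Name: convertCookieName, Value: cookieValue})
	}
	rec := httptest.NewRecorder()
	callbackHandler(key)(rec, req)
	return rec.Code
}
```

With the cookie present and signed for the same state the handler returns 200; with no cookie it returns the same 400 the reporter saw, and a cookie signed for a different state or a tampered signature is rejected as well.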
