The Issue
Requests sent to the GET /api/authn/oidc/callback endpoint must include the cookie which identifies the server-side session for the user. Currently, requests that are missing this cookie result in a 500 Internal Error response. The server log shows the message:
[ERROR] catch all: Error: did not find expected authorization request details in session, req.session["oidc:localhost"] is undefined
This error occurs because the OIDC library expects to find the server-side session data that had been created during the initial call to start the OIDC login process (GET /api/authn/oidc/login). The server-side session is identified by a cookie sent with the request, and when the cookie is absent in the call to the callback endpoint, the REST API creates a new session instead of accessing the one from the initial request.
The missing cookie can occur if the server can be accessed using two different domain names, and the client accesses the Workbench app using the first domain name, but the OIDC configuration includes the second domain name in the OIDC configuration (configured using the AUTHN_OIDC_REDIRECT_ORIGIN environment variable). This would result in the browser storing the cookie using the first domain name and sending it with any requests to a host with that domain name, but not sending it in requests to hosts with the second domain name.
The Fix
The REST API should identify requests to the OIDC callback endpoint that do not include the session identifier and send a suitable response, instead of a 500 Internal Error response.
The documentation for configuring OIDC should be updated to emphasize the importance of using the same domain name as when accessing the Workbench app.
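The guard described under The Fix, as an added example (not the Workbench REST API's own code): an Express-style middleware that runs before the OIDC callback handler and rejects requests whose session carries no authorization request details, instead of letting the OIDC library throw. The session key "oidc:localhost" follows the log line above; the 400 status, the response text and the simulate() helper are assumptions made for this example.

```javascript
// Assumption: the key under which the OIDC library stores the pending authorization
// request, as shown in the issue's log line ("req.session["oidc:localhost"]").
const OIDC_SESSION_KEY = 'oidc:localhost';

// Classify a callback request from what the session middleware attached to it.
function classifyCallbackSession(req) {
  if (!req.session) return 'no-session'; // no session middleware or no store
  if (req.session[OIDC_SESSION_KEY] === undefined) {
    // A session exists but holds no authorization request details: this is the
    // fresh session created when the browser did not send the original cookie
    // (for example because the cookie was scoped to a different host name).
    return 'missing-auth-request';
  }
  return 'ok';
}

// Express-style middleware: answer with a clear client error instead of a 500.
// Status code and message are assumptions; the issue only asks for "a suitable response".
function requireOidcSession(req, res, next) {
  const state = classifyCallbackSession(req);
  if (state === 'ok') return next();
  const host = req.headers && req.headers.host;
  // Log enough to spot a host-name mismatch; never log the code or state parameters.
  console.warn(`[WARN] OIDC callback without login session (${state}); host=${host}`);
  res.status(400).json({
    error: 'OIDC callback received without a matching login session. ' +
      'Start the login again using the same host name as AUTHN_OIDC_REDIRECT_ORIGIN.'
  });
}

// Minimal stand-in for Express's res object so the guard runs without the framework.
function makeRes() {
  const r = { statusCode: 200, body: undefined };
  r.status = (c) => { r.statusCode = c; return r; };
  r.json = (b) => { r.body = b; return r; };
  return r;
}

// Run the guard against a constructed request and report what it did.
function simulate(session, host) {
  const req = { session, headers: { host } };
  const res = makeRes();
  let nextCalled = false;
  requireOidcSession(req, res, () => { nextCalled = true; });
  return { nextCalled, statusCode: res.statusCode, body: res.body };
}

// Constructed inputs: a callback on the login host versus one arriving on the other host.
simulate({ 'oidc:localhost': { state: 'abc' } }, 'workbench.example'); // passes through
simulate({}, 'other.example'); // rejected with 400 instead of a 500
```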
ElJocko changed the title from "Identify requests to the OIDC callback endpoint that are missing the cookie that identifies the session" to "Trap requests to the OIDC callback endpoint that are missing the cookie that identifies the session" on Mar 21, 2024.