For those of you using mod_auth_openidc for OOD behind Keycloak (or other IDP/Broker), have you run into users bumping into the max of 7 valid state cookies? This would come in the form of a 400 Bad Request or 503 error code.
You would see this in your httpd error logs:
[Tue Jan 14 08:39:54.515213 2020] [auth_openidc:warn] [pid 11985] [client IPADDRESS:54521] oidc_authorization_request_set_cookie: the number of existing, valid state cookies (8) has exceeded the limit (7), no additional authorization request + state cookie can be generated, aborting the request, referer: https://OOD_URL/node/NODE_NAME.inband/4636/lab?
There was an addition to mod_auth_openidc for a setting called OIDCStateMaxNumberOfCookies, see https://github.com/zmartzone/mod_auth_openidc/issues/331 and also: https://github.com/zmartzone/mod_auth_openidc/issues/399
This addition allows more control of how mod_auth_openidc handles the cookies.
I have set this to:
OIDCStateMaxNumberOfCookies 10 true for now.
Has anyone else bumped into this? Have suggestions? Is my setting logical?
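
Added example, not part of the original post: a small Python script that scans an httpd error log for the warning quoted above and groups it by client, which shows whether the limit is being hit by a few browsers or by many users before the directive is tuned. The sample log lines are constructed (documentation IP addresses and example.org hostnames), and the function name `summarize` is an assumption of this example.

```python
import re
from collections import defaultdict

# Matches the oidc_authorization_request_set_cookie warning from the post.
STATE_LIMIT_RE = re.compile(
    r"^\[[^\]]+\] \[auth_openidc:warn\] \[pid \d+\] "
    r"\[client (?P<client>[^\]]+?):\d+\] "
    r"oidc_authorization_request_set_cookie: the number of existing, valid "
    r"state cookies \((?P<count>\d+)\) has exceeded the limit \((?P<limit>\d+)\)"
    r"(?:.*?referer: (?P<referer>\S+))?"
)

# Constructed sample input: three warnings and one unrelated line.
SAMPLE_LOG = """\
[Tue Jan 14 08:39:54.515213 2020] [auth_openidc:warn] [pid 11985] [client 192.0.2.10:54521] oidc_authorization_request_set_cookie: the number of existing, valid state cookies (8) has exceeded the limit (7), no additional authorization request + state cookie can be generated, aborting the request, referer: https://ood.example.org/node/n001.example.org/4636/lab?
[Tue Jan 14 08:40:02.101010 2020] [auth_openidc:warn] [pid 11985] [client 192.0.2.10:54530] oidc_authorization_request_set_cookie: the number of existing, valid state cookies (9) has exceeded the limit (7), no additional authorization request + state cookie can be generated, aborting the request, referer: https://ood.example.org/node/n001.example.org/4636/lab?
[Tue Jan 14 08:41:10.000001 2020] [auth_openidc:warn] [pid 12001] [client 192.0.2.44:40112] oidc_authorization_request_set_cookie: the number of existing, valid state cookies (8) has exceeded the limit (7), no additional authorization request + state cookie can be generated, aborting the request
[Tue Jan 14 08:41:11.000001 2020] [core:notice] [pid 1] AH00094: Command line: 'httpd'
"""

def summarize(lines):
    """Group state-cookie-limit warnings by client address."""
    per_client = defaultdict(
        lambda: {"hits": 0, "max_cookies": 0, "limit": 0, "referers": set()}
    )
    for line in lines:
        m = STATE_LIMIT_RE.match(line.strip())
        if not m:
            continue  # not the state cookie warning
        entry = per_client[m["client"]]
        entry["hits"] += 1
        entry["max_cookies"] = max(entry["max_cookies"], int(m["count"]))
        entry["limit"] = int(m["limit"])
        if m["referer"]:
            # Drop the query string so repeated pages collapse to one entry.
            entry["referers"].add(m["referer"].split("?", 1)[0])
    return dict(per_client)

if __name__ == "__main__":
    for client, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {info['hits']} aborted request(s), "
              f"up to {info['max_cookies']} state cookies (limit {info['limit']})")
        for ref in sorted(info["referers"]):
            print(f"    referer: {ref}")
```

To run it against a real log, pass the open file object to `summarize` in place of `SAMPLE_LOG.splitlines()`.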