Upgrading from 1.46.0 to 1.47.1 CSRF token issue with IdP

tvdlooy

What i am trying to do
I am trying to step by step update a old fusionauth instance. I have a fully working fusionauth 1.46.0 that i am now trying to get working for 1.47.1.

I have deployed 1.47.1 where previously 1.46.0 was deployed. After the upgrade everything seems to work fine except for our identity provider login (even when trying to login into the fusionauth admin panel itself with identity provider login). I receive the message "The request origin could not be verified. Unable to complete this login request." I can still login normally using the login form.

What i expected to see
I expected to be logged in after using the identity provider login button.

What i have tried already
After reading patch notes i noticed changes regarding origin URL changes and CSRF changes that may break custom themes. Therefore i turned off our custom theme and set it back to the default. I also cleared our origin URLs in the application settings to no avail.

Infrastructure information
Our fusionauth instance is run in AWS Elastic Beanstalk with a RDS PostgreSQL database. Our fusionauth instance consists out of 2 nodes.

The issuer for our identity provider is "https://login.microsoftonline.com".
The scope is set to "openid profile email "https://graph.microsoft.com/user.read".
Client authentication is "HTTP basic authentication (client_secret_basic)". It is Enabled for all our applications.

The identity provider issuer receives the identity provider calls from fusionauth and returns HTTP response code 200.

After trying to login nothing new is shown in the log of node 1 or 2.

Thanks in advance for any support.

mark.robustelli

@tvdlooy Could you try to remove the identity provider login and then add it back? You should not need to, but if that works it could let us know that something else got messed up.

tvdlooy

@mark-robustelli I have now tried removing it and adding it back again. I also tried to make a completely new instance with the same settings and i keep receiving the error, "The request origin could not be verified. Unable to complete this login request. ".

mark.robustelli

@tvdlooy Is there anything in the logs that refers to this issue?

tvdlooy

@mark-robustelli No this is one of the main issues we have with trying to troubleshoot this issue, because nothing new happens in the fusionauth-app.log after this error is triggered.

egli

Similar issue and was able to resolve it by following changes mentioned here:
https://fusionauth.io/docs/release-notes/#version-1-47-0

Alex Patterson

@tvdlooy were you able to resolve this?

eachhabitual

@egli said in Upgrading from 1.46.0 to 1.47.1 CSRF token issue with IdP:

Similar issue and was able to resolve it by following changes mentioned here:
https://fusionauth.io/docs/release-notes/#version-1-47-0 slice master

Can you explain in more detail?