FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Help/Issue with `state` Parameter in Reverse SSO Flow with FusionAuth

    Scheduled Pinned Locked Moved Solved
    Q&A
    2
    7
    95
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cristian
      last edited by

      Context:

      We are implementing Reverse SSO where FusionAuth acts as the IdP, and we are experiencing an issue with the state parameter when completing authentication with an external OIDC-compliant service (ChainPoint).

      Flow Overview:

      1. MemberSuite initiates the login request using Reverse SSO.
      2. Our SSO Bridge intercepts the request and constructs the authentication URL for FusionAuth, ensuring the state parameter is included.
      3. The user is redirected to FusionAuth for authentication.
      4. Upon successful authentication, FusionAuth redirects the user to ChainPoint.
      5. ChainPoint expects the state parameter for security validation, but it appears to be missing or not returned correctly.

      Authentication URL We Construct:

      We generate the following authentication URL from our SSO Bridge:

      https://auth.example.com/oauth2/authorize?client_id=12345678-1234-1234-1234-123456789abc&response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Fchainpoint.example.com%2Flogin%2Fsso%2Fresponse%2F98765432&state=randomgeneratedstate12345

      The Problem:

      • We generate the state in our SSO Bridge when constructing the authentication URL.
      • However, when FusionAuth completes authentication and redirects to ChainPoint, the state is not present or correctly returned.
      • Since ChainPoint uses the state for CSRF protection and session validation, the authentication fails.
      • We cannot persist the state in our SSO Bridge because, once redirected to FusionAuth, the SSO Bridge is no longer part of the process.
      • Since FusionAuth is the entity communicating with ChainPoint, we need a way to retain and correctly propagate the state throughout the flow.
      • We cannot modify ChainPoint’s code, nor can we set SameSite=None cookies or manage cross-domain session storage manually.

      Questions & Help Needed:

      1. How can we ensure that FusionAuth retains and correctly returns the state parameter when redirecting to ChainPoint?
      2. Is there a built-in mechanism in FusionAuth to store and return state automatically, or do we need to handle it manually?
      3. Would a Lambda function help ensure that the state is included in the final redirect?

      Any insights or recommendations from the community would be greatly appreciated! I really appreciate any help you can provide.

      Best regards,
      Cristian Acevedo
      Smarterix

      C 1 Reply Last reply Reply Quote 0
      • C
        cristian @cristian
        last edited by

        Debug Log from ChainPoint when we try to login in:

        2025-01-28 14:35:35,806 DEBUG LogMessage - Authorize response: code=cbQVpjY5qeODZ1I4251aT46-MOIqG5CgGbMOWBUgVSs&locale=en&userState=Authenticated
2025-01-28 14:35:36,208 TRACE Trace - ProcessResponseAsync
2025-01-28 14:35:36,218 ERROR LogMessage - Missing state.
2025-01-28 14:35:36,235 WARN  ProcessLoginResponse - Unable to login user, error during login token validation: Missing state. ()
        mark.robustelliM 1 Reply Last reply Reply Quote 0
        • mark.robustelliM
          mark.robustelli @cristian
          last edited by

          @cristian Can you please take a look at https://sptest.iamshowcase.com/instructions#spinit and in particular the Use RelayState to control the color theme section. The are passing a parameter to control the color of the background. This seems to be what you are trying to accomplish. If not, please let me know.

          If you need more details on how to set up the test, please see this blog post.

          1 Reply Last reply Reply Quote 0
          • C
            cristian
            last edited by

            Hi Mark! Thanks for your response!

            However, I believe there is some confusion regarding the protocol we are using. The example you shared refers to RelayState, which is specific to SAML, while we are implementing OIDC (OpenID Connect) with FusionAuth as the IdP.

            Our issue is related to the state parameter in OIDC, which is used for CSRF protection and session validation.

            Our main concern is:

            • FusionAuth is receiving the state parameter from our SSO Bridge.
            • When it redirects to the final service (ChainPoint), the state is not present in the response, causing authentication failure.

            Do you know if there is a way to ensure FusionAuth retains and returns the state parameter in the redirect?

            Thanks again for your help!

            mark.robustelliM 1 Reply Last reply Reply Quote 0
            • mark.robustelliM
              mark.robustelli @cristian
              last edited by

              @cristian Apologies for the confusion, I think I conflated two separate issues I was working on. It is my understanding that FusionAuth should maintain the state parameter as explained in this video. If it is not, then there is a bug. I would like to try and set up a simple example to replicate your issue, but that is going to take me a couple of days. I'll let you know what I find.

              BTW, it does not look like you can access the url from a lambda. There may be some things you can do with logging and turning on debugging in FusionAuth, but I will test that out as well. If you get to it before I do, please let me know.

              Thanks.

              C 1 Reply Last reply Reply Quote 0
              • C
                cristian @mark.robustelli
                last edited by

                Hi @mark-robustelli,

                Thank you very much for looking into this!

                Fortunately, ChainPoint made some adjustments on their end, and we were finally able to log in successfully using OIDC.

                I really appreciate your willingness to investigate the issue.

                Thanks again for your time and help!

                Best,
                Cristian

                mark.robustelliM 1 Reply Last reply Reply Quote 0
                • C cristian has marked this topic as solved
                • mark.robustelliM
                  mark.robustelli @cristian
                  last edited by

                  @cristian Glad you got it rolling.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post