Legacy Knowledge Base
Published Jun. 30, 2025

Unable to process OpenID Connect authentication response: Requested value and approved state do not match

Written By

Daniel Couso

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • From time to time, error messages like the following appear in logs:
2024-02-14 13:31:55.099 ERROR [http-nio-8080-exec-120][OpenIdConnectFilter:132] Unable to process OpenID Connect authentication response: Requested value "yIH9jiIpdpuACAYf7NdNERUksBJZvNOoi-knjn7BOo0" and approved state "sLwl_IakL12-dzSYjzD-n8_G1HNDzrWMxQrBlvILUFc" do not match
com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$AuthenticationException: Requested value "yIH9jiIpdpuACAYf7NdNERUksBJZvNOoi-knjn7BOo0" and approved state "sLwl_IakL12-dzSYjzD-n8_G1HNDzrWMxQrBlvILUFc" do not match
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateState(OpenIdConnectServiceHandlerImpl.java:631)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.processAuthenticationResponse(OpenIdConnectServiceHandlerImpl.java:155)
at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processAuthenticationResponse(OpenIdConnectFilter.java:109)
at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processFilter(OpenIdConnectFilter.java:151)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
...

Environment

  • Liferay DXP 7.3

Resolution

  • This message can appear if a user performs the following steps while logging in via OIDC:
    • Log in via OIDC.
    • Log out.
    • Go to the OpenID Connect provider's login page, but do not enter any credentials.
    • Duplicate the tab.
    • Enter the credentials in the first tab.
    • Log out in the first tab.
    • Go to the OpenID Connect provider's login page in the first tab, but do not enter any credentials.
    • Try to log in via OIDC in the second tab (this attempt to log in will fail).
    • Go to the OpenID Connect provider's login page in the second tab, but do not enter any credentials.
    • Try to log in via OIDC in the first tab (this attempt will also fail, and the error message appears in the logs).
  • This is an expected error message, because the user sends OIDC tokens that are no longer valid.
  • The same error message can also be produced with a slightly different order of these steps.
  • It may occur more often if the user has bookmarked the login page in their browser.
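
The mechanism behind this message, as an added example that is not part of the original article or Liferay's code: a simplified Python model of the state check. It assumes the relying party keeps one pending state value per browser session, replaces it on each new login attempt, and consumes it on the first callback; the class and function names are hypothetical.

```python
import hmac
import secrets


class StateMismatch(Exception):
    """Raised when a callback's state is not the one pending in the session."""


class RelyingPartySession:
    """Assumed model: one server-side session shared by every browser tab."""

    def __init__(self):
        self.pending_state = None

    def start_login(self):
        # Each authorization request gets a fresh, unguessable state value,
        # which replaces whatever an earlier tab left pending.
        self.pending_state = secrets.token_urlsafe(32)
        return self.pending_state

    def handle_callback(self, returned_state):
        # The pending value is single use: it is cleared on every callback.
        pending, self.pending_state = self.pending_state, None
        if pending is None or not hmac.compare_digest(pending, returned_state):
            raise StateMismatch("returned state does not match pending state")
        return "authenticated"


def single_tab_scenario():
    """One tab, one attempt: the returned state matches and login succeeds."""
    session = RelyingPartySession()
    return session.handle_callback(session.start_login())


def two_tab_scenario():
    """Two tabs start attempts in one session; return each callback's outcome."""
    session = RelyingPartySession()
    state_tab1 = session.start_login()  # tab 1 reaches the provider login page
    state_tab2 = session.start_login()  # tab 2 starts over, replacing tab 1's state
    outcomes = []
    for tab, state in (("tab1", state_tab1), ("tab2", state_tab2)):
        try:
            outcomes.append((tab, session.handle_callback(state)))
        except StateMismatch:
            outcomes.append((tab, "rejected"))
    return outcomes
```

Under these assumptions both tabs are rejected: the first because its state was replaced, the second because the pending value was already consumed.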
