FusionAuth
    SAML CSRF token issue

    joseantonio

      Hi!

      We have a setup in which FusionAuth is acting as SAML IdP, using hosted login pages.

      Now if I try to login to the connected application through the /samlv2/login url in browser, it redirects to /oauth2/authorize. So far so good.

      But if I keep this browser tab open (tab A), then open a new tab (tab B) and also start the authorization process there, the saml.csrf cookie is now changed for tab A, which I think is the reason why, if you try to finish the authorization process in tab A, you get a "OAuth return is missing a valid CSRF token." error.

      Is there a way to avoid this? Or is it a consequence of the CSRF system?

      Additional information:

      • Tested on Chrome 137.0.7151.120
      • FusionAuth 1.57.0
      mark.robustelli @joseantonio

        @joseantonio said in SAML CSRF token issue:

        also start the authorization process there

        What do you mean by "Also start the authorization process there?" Manually open a new tab (tab B) and paste in the URL " /oauth2/authorize"?

        If you enable debugging on the SAML tab for the Application in FusionAuth, do the logs indicate anything interesting?

        joseantonio @mark.robustelli

          @mark-robustelli

          Thank you for the quick reply.

          By "Also start the authorization process there?" I mean manually opening a new tab for my application and clicking on "Login", which redirects to "/oauth2/authorize". So the same login process is initiated twice in different tabs, then the login credentials are entered in the first one.

          The debug doesn't shed any light I'm afraid. The problem seems to be the "saml.csrf" cookie changing its value across tabs.

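The behaviour described in this thread (a second tab starting the same login flow, after which the first tab's OAuth return fails with "OAuth return is missing a valid CSRF token.") is what you get whenever a CSRF token lives in one single-valued cookie shared by every tab of the browser. The following is an added, constructed model written for this page; it is not FusionAuth's code and makes no claim about how FusionAuth binds its saml.csrf cookie internally. It contrasts a single-token design, which reproduces the error from the thread, with a per-flow design that keys each token by a flow id so both tabs can complete. The cookie name `saml.csrf` and the error text are taken from the thread; the class and function names, the flow id in `state`, and the JSON-serialised cookie are assumptions of the model.

```python
"""Model of a shared CSRF cookie being overwritten by a concurrent login flow.

Constructed illustration, not FusionAuth's implementation.  A browser cookie
jar is shared by all tabs, so two concurrent logins that both set a cookie
named 'saml.csrf' leave only the later token in the jar.  The per-flow
variant keys tokens by a flow id, which is one common way to let both tabs
finish.  Names below are hypothetical.
"""
import json
import secrets

CSRF_COOKIE = "saml.csrf"  # cookie name as reported in the thread
ERROR = "OAuth return is missing a valid CSRF token."  # error text from the thread


class BrowserSession:
    """All tabs of one browser share this cookie jar (name -> string value)."""

    def __init__(self):
        self.cookies = {}


class SingleTokenIdP:
    """Issues one CSRF token per login start and overwrites the cookie each time."""

    def start_login(self, browser):
        token = secrets.token_hex(16)
        browser.cookies[CSRF_COOKIE] = token      # clobbers any earlier tab's token
        # The token also rides along in the OAuth 'state' so the return can be checked.
        return {"state": token}

    def finish_login(self, browser, oauth_return):
        expected = browser.cookies.get(CSRF_COOKIE)
        if expected is None or not secrets.compare_digest(expected, oauth_return["state"]):
            return ERROR
        return "ok"


class PerFlowTokenIdP:
    """Keeps one token per flow id inside a JSON cookie, so tabs do not clobber each other."""

    def _load(self, browser):
        return json.loads(browser.cookies.get(CSRF_COOKIE, "{}"))

    def _save(self, browser, jar):
        browser.cookies[CSRF_COOKIE] = json.dumps(jar)

    def start_login(self, browser):
        flow_id = secrets.token_hex(8)
        token = secrets.token_hex(16)
        jar = self._load(browser)
        jar[flow_id] = token                     # add, do not replace
        self._save(browser, jar)
        return {"state": f"{flow_id}:{token}"}

    def finish_login(self, browser, oauth_return):
        flow_id, _, token = oauth_return["state"].partition(":")
        jar = self._load(browser)
        expected = jar.pop(flow_id, None)        # one-time use: consume the token
        self._save(browser, jar)
        if expected is None or not secrets.compare_digest(expected, token):
            return ERROR
        return "ok"


def two_tab_scenario(idp_cls):
    """Tab A starts, tab B starts, then tab A finishes, then tab B finishes.

    Returns the (tab A result, tab B result) pair for the given IdP model.
    """
    browser = BrowserSession()
    idp = idp_cls()
    tab_a = idp.start_login(browser)
    tab_b = idp.start_login(browser)           # shares the same cookie jar
    return idp.finish_login(browser, tab_a), idp.finish_login(browser, tab_b)


if __name__ == "__main__":
    print("single token:", two_tab_scenario(SingleTokenIdP))
    print("per-flow token:", two_tab_scenario(PerFlowTokenIdP))
```

Running the module shows the single-token model failing tab A while tab B succeeds, and the per-flow model completing both. The per-flow variant consumes a token on use, so a replayed return for the same flow id is rejected, and it should cap the number of stored flows so an unbounded series of login starts cannot grow the cookie without limit. Whether a given identity provider can be configured this way is a product question the thread does not answer.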