Description
UAA Version:
Previously working: 77.10.0
Issue observed: 78.1.0
Setup:
- Session storage enabled in the database.
- Created a custom identity zone.
- Configured an external identity provider (Keycloak).
Steps to Reproduce:
- Make an authorization request to UAA in the created identity zone.
- UAA creates a session and stores it in the database.
- UAA generates a state parameter, stores it in the session attributes, and includes it in the authorization call to Keycloak.
- User authenticates with Keycloak.
- Keycloak redirects back to UAA with the authorization code and the same state parameter in the callback URL.
- UAA calls ExternalOAuthAuthenticationFilter.checkRequestStateParameter to validate the state parameter.
Observed Behavior:
- In checkRequestStateParameter, request.getSession() does not return the session stored in the database.
- Because of this, stateInSession is null.
- UAA fails with the error:
Error: Invalid State Param in request
2025-08-14 16:15:04.867 | {"logtimestamp": "2025-08-14 10:45:04.867","class": "org.springframework.security.web.context.SecurityContextPersistenceFilter", "method": "doFilter", "msg": "Cleared SecurityContextHolder to complete request", "thread": "http-nio-8080-exec-4","level": "DEBUG","traceId": " ","spanId": "c7f4f190949a499b","logref": "0988626e-4aaa-42ac-bb46-64dab3a96886","area": "xf-iam","service": "xf-uaa"}
2025-08-14 16:15:04.872 | 14-Aug-2025 10:45:04.871 INFO [http-nio-8080-exec-4] brave.Tracing$LogSpanHandler.end {"traceId":"c7f4f190949a499b","id":"c7f4f190949a499b","kind":"SERVER","name":"GET","timestamp":1755168304856795,"duration":14678,"localEndpoint":{"serviceName":"uaa","ipv4":"172.18.0.5"},"remoteEndpoint":{"ipv4":"172.18.0.10","port":50902},"tags":{"http.method":"GET","http.path":"/uaa_app/login/callback/OIDC10_KEYCLOAK","http.status_code":"500","error":"Invalid State Param in request."}}
2025-08-14 16:15:04.874 | {"logtimestamp": "2025-08-14 10:45:04.872","class": "org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor$UaaLoggingFilter", "method": "doFilter", "msg": "Uncaught Exception:", "thread": "http-nio-8080-exec-4","level": "ERROR","traceId": " ","spanId": "","logref": "a4a5e484-bc45-43d9-9987-27de0f380865","area": "xf-iam","service": "xf-uaa"}
2025-08-14 16:15:04.874 | org.springframework.security.web.csrf.CsrfException: Invalid State Param in request.
2025-08-14 16:15:04.874 | at org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationFilter.checkRequestStateParameter(ExternalOAuthAuthenticationFilter.java:80) ~[cloudfoundry-identity-server-1.0.2.jar:?]
2025-08-14 16:15:04.874 | at org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationFilter.doFilter(ExternalOAuthAuthenticationFilter.java:63) ~[cloudfoundry-identity-server-1.0.2.jar:?]
2025-08-14 16:15:04.874 | at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.874 | at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.5.1.jar:6.5.1]
2025-08-14 16:15:04.875 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.8.jar:6.2.8]
Please refer to the database session and debug screenshot.
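As an added illustration (not UAA's code) of the check the reproduction steps describe: the state minted at authorization time must be found in the same session at callback time, and a callback whose cookie does not resolve to the stored session, the situation this report observes, is rejected rather than trusted. The store, class and attribute names are assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical session attribute name; UAA's real attribute is not named on this page.
STATE_ATTR = "external_oauth_state"


class InvalidStateParam(Exception):
    """Stands in for the CsrfException raised in the report."""


@dataclass
class Session:
    id: str
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """Simplified stand-in for database-backed session storage."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        session = Session(id=secrets.token_urlsafe(16))
        self._sessions[session.id] = session
        return session

    def get(self, session_id):
        # None when the cookie maps to no stored session; the container would then
        # hand the filter a fresh, empty session (the failure mode in this report).
        return self._sessions.get(session_id)


def start_authorization(store):
    """Authorization request: create the session, mint the state, persist it."""
    session = store.create()
    state = secrets.token_urlsafe(32)
    session.attributes[STATE_ATTR] = state
    return session.id, state


def check_request_state_parameter(store, cookie_session_id, state_in_request):
    """Callback: the state in the request must match the one stored in the session."""
    session = store.get(cookie_session_id) or Session(id="fresh")  # empty if lookup fails
    state_in_session = session.attributes.pop(STATE_ATTR, None)   # single use: no replay
    if state_in_session is None or state_in_request is None:
        raise InvalidStateParam("Invalid State Param in request.")  # fail closed
    if not secrets.compare_digest(state_in_session, state_in_request):
        raise InvalidStateParam("Invalid State Param in request.")
    return True


def callback_accepted(store, cookie_session_id, state_in_request):
    """Boolean wrapper so callers can branch instead of catching the exception."""
    try:
        return check_request_state_parameter(store, cookie_session_id, state_in_request)
    except InvalidStateParam:
        return False
```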