First authorization request produced by OIDC module fails due to inclusion of sessionid

[travisspencer]

Whenever I access my Relying Party (RP) that is protected by the new OpenID Connect (OIDC) module, I'm immediately redirected to the authorization endpoint of my OpenID Connect Provider (OP). This is perfect and as it should be for my configuration. However, this request contains ;jsessionid=... at the end of the URI. Here's an example:

https://localhost:8443/dev/oauth/authorize;jsessionid=node01as2n4r9s0lby1ixubxa1v8zww2.node0?client_id=jetty%2Dtest&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fj%5Fsecurity%5Fcheck&scope=openid&state=7l6kd92a37la0225rfj5pvedm3&response_type=code

This extra ;jsessionid=... causes 404 in my OP. Repeating the request fixes it. If I clear the session state (cookies, local storage, etc.) by opening a new private browsing session, I ALWAYS get this on the first authorization request. Subsequent requests NEVER include this extra ;jsessionid=... in the URI.

[travisspencer]

This is fixed by a small change:

Index: jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java	(date 1569810226000)
+++ jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java	(date 1571644743691)
@@ -399,7 +399,7 @@
             if (LOG.isDebugEnabled())
                 LOG.debug("challenge {}->{}", session.getId(), challengeUri);
             int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
-            baseResponse.sendRedirect(redirectCode, response.encodeRedirectURL(challengeUri));
+            baseResponse.sendRedirect(redirectCode, challengeUri);
 
             return Authentication.SEND_CONTINUE;
         }

I'm unsure, but thinking that response.encodeRedirectURL(String) is for internal redirects whereas this is an external one. Could that be? Is that change above the one that's needed? Will it break things in a clustered environment? (I didn't test that; only a single-node setup.)

[lachlan-roberts]

This is sending the jsessionid in the URL so it can remember the session if cookies aren't being used.

I tested OpenID with Google and Microsoft and they both do not allow you to authenticate with cookies disabled, and Microsoft gave a 404 response as well for the ;jsessionid=... in the URL.

So yes, I think the best thing to do is remove response.encodeRedirectURL so we don't add this to the redirect URL.