- Bug
- Resolution: Done
- Major
- 1.18.3.Final
Problem
We have several applications running on WildFly 26.0.1 and secured by Red Hat SSO 7.4. These applications have the token store set to "cookie" in their secure-deployment configuration. Overall this setup works well. However, we sporadically find warnings from the Elytron OIDC client in the WildFly server logs:
WARN [org.wildfly.security.http.oidc] (default task-192) Invalid format of OIDC_STATE cookie. Count of tokens: 4, expected 3
These warnings seem to correlate with random logouts from the applications that our users reported.
Analysis/Cause
The OIDC_STATE cookie stores the access token, ID token and refresh token. The three tokens are separated by sequences of three underscores (___). The tokens themselves seem to be base64url encoded. The base64url alphabet includes the underscore (RFC 3548, section 4), so the base64url-encoded representation of a token may itself contain sequences of underscores. If this happens, the value of the OIDC_STATE cookie can no longer be processed correctly, resulting in the warning message above and a redirect to the authentication server to acquire a new access token.
Solution
Assuming that the tokens are always base64url encoded, the problem can be solved by using a different character sequence to separate the three tokens. For instance, a sequence of three hash characters (###) could be used. The hash character does not appear in base64url but is allowed in cookie values (according to RFC 6265, Section 4.1.1).
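The following Python script is an added illustration, not Elytron code: it builds a cookie from three constructed base64url tokens, one of which happens to encode to a run of underscores, shows that splitting on "___" yields four parts (the condition behind the warning above) while "###" yields the expected three, and checks both separators against the base64url alphabet and the RFC 6265 cookie-octet grammar.

```python
import base64
import string

# Constructed sample tokens (not real tokens). Each is base64url encoded, so its
# alphabet is A-Z a-z 0-9 - _ ; padding is stripped as JWT-style tokens do.
ACCESS_TOKEN = base64.urlsafe_b64encode(b"access-token-bytes").decode().rstrip("=")
# Three 0xFF bytes encode to "____": a token containing the underscore run that
# the "___" separator relies on.
ID_TOKEN = base64.urlsafe_b64encode(b"\xff\xff\xff").decode().rstrip("=")
REFRESH_TOKEN = base64.urlsafe_b64encode(b"refresh-token-bytes").decode().rstrip("=")
TOKENS = [ACCESS_TOKEN, ID_TOKEN, REFRESH_TOKEN]

OLD_SEP = "___"  # separator described in the report
NEW_SEP = "###"  # separator proposed in the report

BASE64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def build_cookie(tokens, sep):
    """Join the three tokens into one OIDC_STATE-style cookie value."""
    return sep.join(tokens)


def parse_cookie(value, sep):
    """Split the cookie value on the separator; return (parts, ok) where ok mirrors
    the 'Count of tokens: N, expected 3' check from the warning."""
    parts = value.split(sep)
    return parts, len(parts) == 3


def separator_collides_with_base64url(sep):
    """True if any separator character can also appear inside a base64url token,
    which makes the split ambiguous."""
    return any(ch in BASE64URL_ALPHABET for ch in sep)


def is_cookie_octet(ch):
    """cookie-octet per RFC 6265 section 4.1.1: printable US-ASCII except
    CTLs, whitespace, DQUOTE, comma, semicolon and backslash."""
    o = ord(ch)
    return (o == 0x21 or 0x23 <= o <= 0x2B or 0x2D <= o <= 0x3A
            or 0x3C <= o <= 0x5B or 0x5D <= o <= 0x7E)


def separator_allowed_in_cookie(sep):
    return all(is_cookie_octet(ch) for ch in sep)


if __name__ == "__main__":
    for sep in (OLD_SEP, NEW_SEP):
        parts, ok = parse_cookie(build_cookie(TOKENS, sep), sep)
        print(repr(sep), "parts:", len(parts), "ok:", ok,
              "collides:", separator_collides_with_base64url(sep))
```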