SSO throwing OnLoadErrors with ERR_SSL_CLIENT_AUTH_CERT_NEEDED

Issue #3200 resolved
B Choksi created an issue

  • We're seeing an issue where redirects during SSO sign-on flows are throwing OnLoadErrors with ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
  • Issue happens only during redirects
  • Not seen on CEF 81, seen on CEF 91 and above based on my testing

Related: https://www.magpcss.org/ceforum/viewtopic.php?f=6&t=18693

Steps to reproduce:

  1. Download the CefSharp example here https://github.com/cefsharp/CefSharp.MinimalExample
  2. Build it and open an SSO URL (for example, login.microsoft.com for your organization account)
  3. Observe the failure to redirect to the SSO sign-in page correctly

Comments (23)

  1. Thomas Treutlein

    There is no need to use the CefSharp example. It is also reproducible with cefclient, which excludes the .NET wrapper as the root cause of the problem.
    I can confirm that the page load error occurs with cefclient.exe (94.4.10+g38a7995+chromium-94.0.4606.81) and I also used my Microsoft account via login.microsoft.com (thanks for that public example).
    I can also confirm that this error starts with CEF version 90.*
    A workaround is to use cefclient.exe --disable-request-handling-for-testing.

  2. Ahcene Bouguezouli

    Hello, we have the same problem with our customers and cannot update to a newer version. If needed, we can provide verbose mode logging.

  3. Marshall Greenblatt

    I’m not able to reproduce this error accessing login.microsoft.com SSO using the cefclient sample app on Windows 10 (tested with version 94.4.11 and newer) and organizational accounts that I currently have access to. If someone can provide login credentials for Microsoft (or a different website) that reproduces the error then I can take another look. Credentials can be sent via email or PM on the CEF Forum. Thanks!

  4. Marshall Greenblatt

    M95 and newer builds with the above trial fix should be available tomorrow (Wed, Nov 10). Please try that build and report back whether the problem is resolved or still reproduces for you.

  5. Thomas Treutlein

    I tried with the latest cefclient from today (Nov 10 cef_binary_95.7.18+g0d6005e+chromium-95.0.4638.69_windows64_client), but the error still occurs when using my company Microsoft account.
    With Fiddler I can see that there is a redirect from the MS server to my local company ADFS server, which might be the difference from your accounts. Exactly this response (from the company ADFS server) is not handled correctly in CEF (it throws the SSO error although the response is valid and has HTTP status 200 in Fiddler). It looks like the cross-domain request is the root cause...
    Unfortunately I cannot provide my company credentials... maybe someone else can help?

  6. Marshall Greenblatt

    OK, thanks for testing. Any further debugging on my end is currently blocked on a way to reproduce the issue. Someone who is able to reproduce this issue may need to debug it further. Something more may be required with CorsPreflightRequest.

  7. Simone Galleni

    Same problem here: one of our clients is using our application (which uses CEF+CefSharp) for SAML login and the versions which are OK are using:

    CEF# {85.3.130.0} CEF {r85.3.13+gcd6cbe0+chromium-85.0.4183.121} Chromium {85.0.4183.121}
    CEF# {89.0.170.0} CEF {r89.0.17+ge7bbb1d+chromium-89.0.4389.114} Chromium {89.0.4389.114}

    The first non working version is:

    CEF# {91.1.230.0} CEF {r91.1.23+g04c8d56+chromium-91.0.4472.164} Chromium {91.0.4472.164}

    As library users what we see is that OnSelectClientCertificate is not called and we immediately get an ERR_SSL_CLIENT_AUTH_CERT_NEEDED error.

    Edit: just to add that the SSO contains redirects also in our client use case.

  8. Marshall Greenblatt

    Using the example from issue #3204 and comparing the chrome://net-export output after clicking the Bosch button, we see this for the failed redirect:

    t=1168 [st=474]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=2]
    t=1169 [st=475]          HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                             --> GET /adfs/oauth2/authorize/?scope=openid&state=2e2-Mx7U1OL6xdZcqKTOU2YBC2veIztucwU2dDJwroo.4fd0YiE3QZ0.gxmCoreDev&response_type=code&client_id=91c477bb-52d5-4e7e-acbf-0782c0229867&redirect_uri=https%3A%2F%2Fcorekcdev.eos-dev.gxm-core.grade-x.com%2Fauth%2Frealms%2Fgxm%2Fbroker%2Fbosch%2Fendpoint&nonce=UGjQXMYlDmSlHCpqTD3qHw HTTP/1.1
                                 Host: stfs.bosch.com
                                 Connection: keep-alive
                                 Upgrade-Insecure-Requests: 1
                                 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
                                 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                 Sec-Fetch-Site: cross-site
                                 Sec-Fetch-Mode: navigate
                                 Sec-Fetch-User: ?1
                                 Sec-Fetch-Dest: document
                                 Accept-Encoding: gzip, deflate, br
                                 Accept-Language: en-US,en;q=0.9
    t=1170 [st=476]       -HTTP_TRANSACTION_SEND_REQUEST
    t=1170 [st=476]       +HTTP_TRANSACTION_READ_HEADERS  [dt=269]
    t=1170 [st=476]          HTTP_STREAM_PARSER_READ_HEADERS  [dt=268]
                             --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
    t=1439 [st=745]       -HTTP_TRANSACTION_READ_HEADERS
                           --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
    t=1440 [st=746]        URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED  [dt=3]
    t=1443 [st=749]        CANCELLED
                           --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
    

    And this for the successful redirect (with --disable-request-handling-for-testing):

    t= 679 [st= 679]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=2]
    t= 680 [st= 680]          HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                              --> GET /adfs/oauth2/authorize/?scope=openid&state=xkbpd8DItb1RaMhCINYhvliRqT_Wew6_wkBIbYg8ZqA.lx-UsF9Bk7o.gxmCoreDev&response_type=code&client_id=91c477bb-52d5-4e7e-acbf-0782c0229867&redirect_uri=https%3A%2F%2Fcorekcdev.eos-dev.gxm-core.grade-x.com%2Fauth%2Frealms%2Fgxm%2Fbroker%2Fbosch%2Fendpoint&nonce=se5aqhwUtFaxtUcPEOqbug HTTP/1.1
                                  Host: stfs.bosch.com
                                  Connection: keep-alive
                                  Upgrade-Insecure-Requests: 1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                  Sec-Fetch-Site: cross-site
                                  Sec-Fetch-Mode: navigate
                                  Sec-Fetch-User: ?1
                                  Sec-Fetch-Dest: document
                                  Accept-Encoding: gzip, deflate, br
                                  Accept-Language: en-US,en;q=0.9
    t= 681 [st= 681]       -HTTP_TRANSACTION_SEND_REQUEST
    t= 681 [st= 681]       +HTTP_TRANSACTION_READ_HEADERS  [dt=297]
    t= 681 [st= 681]          HTTP_STREAM_PARSER_READ_HEADERS  [dt=295]
                              --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
    t= 978 [st= 978]       -HTTP_TRANSACTION_READ_HEADERS
                            --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
    t= 978 [st= 978]        URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED  [dt=9]
    t= 988 [st= 988]       +HTTP_STREAM_REQUEST  [dt=466]
    t= 988 [st= 988]          HTTP_STREAM_JOB_CONTROLLER_BOUND
                              --> source_dependency = 311 (HTTP_STREAM_JOB_CONTROLLER)
    t=1454 [st=1454]          HTTP_STREAM_REQUEST_BOUND_TO_JOB
                              --> source_dependency = 312 (HTTP_STREAM_JOB)
    t=1454 [st=1454]       -HTTP_STREAM_REQUEST
    t=1455 [st=1455]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=2]
    t=1455 [st=1455]          HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                              --> GET /adfs/oauth2/authorize/?scope=openid&state=xkbpd8DItb1RaMhCINYhvliRqT_Wew6_wkBIbYg8ZqA.lx-UsF9Bk7o.gxmCoreDev&response_type=code&client_id=91c477bb-52d5-4e7e-acbf-0782c0229867&redirect_uri=https%3A%2F%2Fcorekcdev.eos-dev.gxm-core.grade-x.com%2Fauth%2Frealms%2Fgxm%2Fbroker%2Fbosch%2Fendpoint&nonce=se5aqhwUtFaxtUcPEOqbug HTTP/1.1
                                  Host: stfs.bosch.com
                                  Connection: keep-alive
                                  Upgrade-Insecure-Requests: 1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                  Sec-Fetch-Site: cross-site
                                  Sec-Fetch-Mode: navigate
                                  Sec-Fetch-User: ?1
                                  Sec-Fetch-Dest: document
                                  Accept-Encoding: gzip, deflate, br
                                  Accept-Language: en-US,en;q=0.9
    t=1457 [st=1457]       -HTTP_TRANSACTION_SEND_REQUEST
    t=1457 [st=1457]       +HTTP_TRANSACTION_READ_HEADERS  [dt=607]
    t=1457 [st=1457]          HTTP_STREAM_PARSER_READ_HEADERS  [dt=607]
    t=2064 [st=2064]          HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                              --> HTTP/1.1 200 OK
                                  Cache-Control: no-cache,no-store
                                  Pragma: no-cache
                                  Content-Length: 43660
                                  Content-Type: text/html; charset=utf-8
                                  Expires: -1
                                  X-Frame-Options: allow-from  https://associate-portal.bosch.com
                                  Date: Thu, 06 Jan 2022 20:33:53 GMT
    t=2064 [st=2064]       -HTTP_TRANSACTION_READ_HEADERS
    t=2065 [st=2065]        HTTP_CACHE_WRITE_INFO  [dt=0]
    t=2065 [st=2065]        NETWORK_DELEGATE_HEADERS_RECEIVED  [dt=0]
    t=2066 [st=2066]     -URL_REQUEST_START_JOB
    

    Both requests begin by failing with ERR_SSL_CLIENT_AUTH_CERT_NEEDED. The successful request is then able to handle that (via URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED) and re-try the redirect, whereas the failed request just cancels at that point and forwards the error to the client.

    The fix is therefore to figure out how to handle URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED for intercepted requests.
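
The comparison above (a URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED event followed by CANCELLED versus one followed by a fresh +HTTP_STREAM_REQUEST and a second send) can be checked mechanically. The following is an added example, not code from the CEF project or from anyone in this thread: a small parser for the text form of chrome://net-export dumps as pasted here, plus a classifier that reports whether the client-certificate request was routed to a handler and retried, or dropped. The two embedded excerpts are trimmed from the dumps in the comment above; the query strings and most headers are cut to keep the sample short.

```python
"""Classify net-export URL_REQUEST event dumps by client-certificate outcome.

Added example for diagnosing ERR_SSL_CLIENT_AUTH_CERT_NEEDED during redirects.
It parses the indented text format shown in chrome://net-export viewers and
answers: was URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED followed by a retry
(a new HTTP_STREAM_REQUEST) or by CANCELLED?
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Event lines look like "t=1440 [st=746]        URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED  [dt=3]".
# A leading "+" opens a nested event, "-" closes it, nothing marks an instant event.
EVENT_RE = re.compile(r"^\s*t=\s*(\d+)\s+\[st=\s*(\d+)\]\s+([+-]?)([A-Z_]+)")
NET_ERROR_RE = re.compile(r"net_error = (-?\d+) \(([A-Z_]+)\)")
STATUS_RE = re.compile(r"HTTP/\d(?:\.\d)? (\d{3})")


@dataclass
class NetLogEvent:
    t: int
    phase: str                 # "+" begin, "-" end, "" instant
    name: str
    params: list[str] = field(default_factory=list)   # "--> ..." and header continuation lines


def parse_netlog(text: str) -> list[NetLogEvent]:
    """Turn a pasted net-export text dump into a flat list of events with their parameters."""
    events: list[NetLogEvent] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(NetLogEvent(int(m.group(1)), m.group(3), m.group(4)))
            continue
        stripped = line.strip()
        if events and stripped:
            # Continuation lines belong to the most recent event; drop the "-->" marker.
            events[-1].params.append(stripped[3:].strip() if stripped.startswith("-->") else stripped)
    return events


def summarize(events: list[NetLogEvent]) -> dict:
    """Count request sends, collect net_error names, read the final status, classify cert handling."""
    summary: dict = {
        "sends": sum(1 for e in events if e.name == "HTTP_TRANSACTION_SEND_REQUEST" and e.phase == "+"),
        "errors": [],
        "cert_outcome": "no_cert_request",
        "final_status": None,
    }
    for e in events:
        for p in e.params:
            err = NET_ERROR_RE.search(p)
            if err:
                summary["errors"].append(err.group(2))
            if e.name == "HTTP_TRANSACTION_READ_RESPONSE_HEADERS":
                status = STATUS_RE.match(p)
                if status:
                    summary["final_status"] = int(status.group(1))
    names = [e.name for e in events]
    if "URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED" in names:
        summary["cert_outcome"] = "unresolved"
        start = names.index("URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED")
        for e in events[start + 1:]:
            if e.name == "CANCELLED":                       # error forwarded to the client, no retry
                summary["cert_outcome"] = "cancelled"
                break
            if e.name == "HTTP_STREAM_REQUEST" and e.phase == "+":   # request restarted with a cert
                summary["cert_outcome"] = "restarted"
                break
    return summary


def diagnose(summary: dict) -> str:
    """Human-readable verdict for the client-certificate part of the summary."""
    if summary["cert_outcome"] == "cancelled":
        return "certificate request not routed to a handler; request cancelled with " + summary["errors"][-1]
    if summary["cert_outcome"] == "restarted":
        return f"certificate request handled; request retried, final status {summary['final_status']}"
    return "no client-certificate challenge seen, or challenge still pending at end of log"


# Constructed excerpts trimmed from the two dumps in the comment above.
FAILED_EXCERPT = """
t=1168 [st=474]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=2]
t=1169 [st=475]          HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                         --> GET /adfs/oauth2/authorize/?scope=openid HTTP/1.1
                             Host: stfs.bosch.com
t=1170 [st=476]       -HTTP_TRANSACTION_SEND_REQUEST
t=1170 [st=476]       +HTTP_TRANSACTION_READ_HEADERS  [dt=269]
t=1170 [st=476]          HTTP_STREAM_PARSER_READ_HEADERS  [dt=268]
                         --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t=1439 [st=745]       -HTTP_TRANSACTION_READ_HEADERS
                       --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t=1440 [st=746]        URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED  [dt=3]
t=1443 [st=749]        CANCELLED
                       --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
"""

RESTARTED_EXCERPT = """
t= 679 [st= 679]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=2]
t= 681 [st= 681]       -HTTP_TRANSACTION_SEND_REQUEST
t= 681 [st= 681]       +HTTP_TRANSACTION_READ_HEADERS  [dt=297]
t= 681 [st= 681]          HTTP_STREAM_PARSER_READ_HEADERS  [dt=295]
                          --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t= 978 [st= 978]       -HTTP_TRANSACTION_READ_HEADERS
                        --> net_error = -110 (ERR_SSL_CLIENT_AUTH_CERT_NEEDED)
t= 978 [st= 978]        URL_REQUEST_DELEGATE_CERTIFICATE_REQUESTED  [dt=9]
t= 988 [st= 988]       +HTTP_STREAM_REQUEST  [dt=466]
t=1454 [st=1454]       -HTTP_STREAM_REQUEST
t=1455 [st=1455]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=2]
t=1457 [st=1457]       -HTTP_TRANSACTION_SEND_REQUEST
t=1457 [st=1457]       +HTTP_TRANSACTION_READ_HEADERS  [dt=607]
t=2064 [st=2064]          HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                          --> HTTP/1.1 200 OK
                              Content-Type: text/html; charset=utf-8
t=2064 [st=2064]       -HTTP_TRANSACTION_READ_HEADERS
"""

if __name__ == "__main__":
    for label, dump in (("intercepted", FAILED_EXCERPT), ("--disable-request-handling-for-testing", RESTARTED_EXCERPT)):
        print(label, "->", diagnose(summarize(parse_netlog(dump))))
```

Run it against a full net-export text dump of the failing navigation; a "cancelled" verdict after the certificate-requested event is the signature of this bug, while "restarted" with a final 200 is the healthy path that a working client-certificate handler produces.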

  9. Marshall Greenblatt

    When running with --disable-request-handling-for-testing we get the call to StoragePartitionImpl::OnCertificateRequested as expected. To fix this for intercepted requests we need to populate network::ResourceRequest::trusted_params::url_loader_network_observer similar to the implementation in CefBrowserURLRequest.

  10. Marshall Greenblatt

    Fix certificate errors with restarted/redirected requests (fixes issue #3200)

    URLLoaderNetworkServiceObserver is used for routing certificate and authentication callbacks from the NetworkService to the associated StoragePartition instance. With request interception enabled this object was previously only assigned for the initial request. This change adds assignment for restarted/redirected requests as well.

    → <<cset 7a5a4c683a41>>

  11. Marshall Greenblatt

    Fix certificate errors with restarted/redirected requests (fixes issue #3200)

    URLLoaderNetworkServiceObserver is used for routing certificate and authentication callbacks from the NetworkService to the associated StoragePartition instance. With request interception enabled this object was previously only assigned for the initial request. This change adds assignment for restarted/redirected requests as well.

    → <<cset 50067f29adcd>>

  12. Marshall Greenblatt

    Fix certificate errors with restarted/redirected requests (fixes issue #3200)

    URLLoaderNetworkServiceObserver is used for routing certificate and authentication callbacks from the NetworkService to the associated StoragePartition instance. With request interception enabled this object was previously only assigned for the initial request. This change adds assignment for restarted/redirected requests as well.

    → <<cset 839fdb211c51>>

  13. Thomas Treutlein

    I can confirm that the problem seems to be fixed with latest version 97.1.1.
    Thank you Marshall for your effort and for solving this 👍

  14. Simone Galleni

    I confirm that 97.1 solves the problem for our clients as well.

    Thank you a ton for your work guys!

    Simo