Issue with generic OIDC provider

[shreeharsha-factly]

After adding generic oidc provide as per docs. We are getting an error Unable to complete OpenID Connect flow because the OpenID Provider did not return the state query parameter. Is there any specific config that required for this oidc generic provider that could cause this issue.

[shreeharsha-factly]

I did some debugging on kratos code. Kratos is expecting the state query parameter in the callback to be a base64-encoded string, which contains a string format (UUID:data). Once decoded, it checks the UUID against different flows such as login, registration, and settings. If the UUID in the state query parameter matches the flow UUID generated by Kratos, it proceeds; otherwise, it may reject the request or handle it differently.

This where it is failing - https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy.go#L255
state query param decoding base64 - https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy.go#L163
state flow id validated over here - https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/strategy.go#L255-L288

If the state query parameter is expected to contain the Kratos flow ID, am I missing something?

[jonas-jonas]

This is correct. The reason is, that the state parameter is generated by Kratos and should be treated as an opaque token. If your provider does not return the state parameter, that seems like a security issue on the provider's side, as the state parameter is a vital security mechanism of OIDC. See also https://stackoverflow.com/questions/26132066/what-is-the-purpose-of-the-state-parameter-in-oauth-authorization-request

[shreeharsha-factly]

Thanks @jonas-jonas. There was some mistake on my end I was not initiating OIDC flow (for generic provider) with Kratos. Instead, I directly hit IDP auth endpoint which didn't receive the Kratos-generated state in the first place to return it in callback.