external-auth-server: OIDC with userinfo (via Okta IdP) flow random 403 on authorization callback

Hello,

I'm testing the OIDC flow with userinfo (Okta as IdP) and get random 403s on the authorization callback:

https://environment.us-west-2.elasticbeanstalk.com/?__eas_oauth_handler__=authorization_callback&code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb...

The interesting thing is that sometimes it works, sometimes not (403 on the request above), and the overall request handling is slow.

Also, I have compared “bad” and “good” responses, and the bad one does not set the “eas_localhost_session” cookie.

The request before the failed request succeeds with a 302:

https://environment.us-west-2.elasticbeanstalk.com/oauth/callback?code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb...

If I disable userinfo (fetch_userinfo: false), everything works without issues. The OAuth2 flow with userinfo disabled works without issues.

Config----------------------------------------------------------------:

const jwt = require("jsonwebtoken");
const utils = require("../src/utils");

const config_token_sign_secret =
  process.env.EAS_CONFIG_TOKEN_SIGN_SECRET ||
  utils.exit_failure("missing EAS_CONFIG_TOKEN_SIGN_SECRET env variable");
const config_token_encrypt_secret =
  process.env.EAS_CONFIG_TOKEN_ENCRYPT_SECRET ||
  utils.exit_failure("missing EAS_CONFIG_TOKEN_ENCRYPT_SECRET env variable");

let config_token = {
  eas: {
    plugins: [
      {
        type: "oidc",
        issuer: {
          //discover_url: "https://zztop.oktapreview.com/oauth2/blablablabla/.well-known/oauth-authorization-server"
          issuer: 'https://zztop.oktapreview.com/oauth2/blablablabla',
          userinfo_endpoint: 'https://zztop.oktapreview.com/oauth2/blablablabla/v1/userinfo',
          jwks_uri: 'https://zztop.oktapreview.com/oauth2/blablablabla/v1/keys',
          authorization_endpoint: 'https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize',
          token_endpoint: "https://zztop.oktapreview.com/oauth2/blablablabla/v1/token",
          introspection_endpoint: "https://zztop.oktapreview.com/oauth2/blablablabla/v1/introspect",
          revocation_endpoint: 'https://zztop.oktapreview.com/oauth2/blablablabla/v1/revoke'
        },
        client: {
          client_id: "blablablabla",
          client_secret: "blablablablablablablablablablablabla"
        },
        scopes: ["openid", "email", "profile", "user", "offline_access"],
        redirect_uri: "https://environment.us-west-2.elasticbeanstalk.com/oauth/callback",
        custom_authorization_parameters: {},
        features: {
          cookie_expiry: 3600,
          userinfo_expiry: true,
          session_expiry: 3600,
          session_expiry_refresh_window: 3600,
          session_retain_id: true,
          refresh_access_token: true,
          fetch_userinfo: true,
          introspect_access_token: true,
          introspect_expiry: 0,
          authorization_token: "access_token",
          logout: {
            revoke_tokens_on_logout: ["refresh_token", "access_token", "id_token"]
          }
        },
        assertions: {
          exp: true,
          //nbf: true,
          //iss: true
        },
        cookie: {
          name: "_eas_localhost_session_",
          //domain: "environment.us-west-2.elasticbeanstalk.com",
          //path: "/"
        }
      }
    ],
  }
};

config_token = jwt.sign(config_token, config_token_sign_secret);
const config_token_encrypted = utils.encrypt(
  config_token_encrypt_secret,
  config_token
);

console.log("encrypted token (for server-side usage): %s", config_token_encrypted);
console.log("");

console.log(
  "URL safe config_token: %s",
  encodeURIComponent(config_token_encrypted)
);
console.log("");

EAS log----------------------------------------------------------------:

silly: verify request details: {"url":"/envoy/verify-params-header/","params":{"0":"/","1":""},"query":{},"http_method":"GET","http_version":"1.1","headers":{"host":"environment.us-west-2.elasticbeanstalk.com","content-length":"0","x-forwarded-proto":"https","x-eas-verify-params":"{\"config_token\":\"tsUdAn/pNXvl58Uon2IzBS/ZdbKZnQzXMlgba9f6ZbDAmxRRJqXLfftXN9bJze27bk347fsFpW4EKiOaEHjM+FpJ3zTS/Dh93jTqGsRCBv2A1h+0Q7ieEfaWIHeDwpWAfwiFMZJpbtAT06jsMM0TFcvZwHw3eGFedKFBLgzLKfILqGJdZFIZ2ZABOvVpyGTrihSBbOX2R/60J6dPd+HXG7+xEH+sPNboHTjT5bPg/7ltgy7fHZVrkJM/mpmg4knexsRGSOLw6jvuPFKQft4GoIc/GYHhw6faP0ZsuBIuWYgUletePNMdN0zk1wIWRk8FDJ7U2EZUXnS3YuCW7pPgZHFk7GA5/9CXDujLAUy2+EZIrC/NaR9AuO9qWPJvvffU1xpiSDpzhWF4IbW546G+F4QEQrhsd+ocMb2MjNvFvTwq2+oH8ahYVVp1NWr+5mkDvSU6/AfrcWq+3GK2hK6S+NFdonTnR/XVsSpMPPUoH80sV6J1bpF7DbMQg9Oid1w+UQlDMcI750Al5xCpes6/YdNH8jFE6HVuWMKXj11wq16CDqpI5TlZVcgkhWZ5V1xyC8/FCYXnfsBkfuPWzHc4da60N+sM9AYjj7BSecIk/Z6fTysUPFLY6q2o5TmliK0FnkMvDE9NbDMuGp6HvJglLLehsL6oKrd6mBjspob4m0nsWApNgntBKSRjqsgRmpuAmGL2Ou6lKVyTOItaPNVnDgGdPLUnACrqyGculWVASeiX7uwh3/W7EgSds0ptCSUKbFS/8Fp168LhP6tzqba4lqyh0QJtQRUvboAUUkFg6St8hPV+8Fa8y0GarpOEw01avjNczrGvzW/Dnel2HDFz7X1DS4+MyM5C0XUDJAkvJ+5grMjDEdtw8C4DkfN8aThPgk5kADEDDD7uLashfoocjYJhL0KN07MldA1RnA1Pc3D7zpG7hGtAapwg3Fhfbz+26JST5QQfUGKuO6yyjoWto+uwmaS1cyilMeWwz0bF5zreYOeg5SA3EMFRwcIcHX/ZHp4TTfOeo93sGiPBPQyL05OoOROysDXDnwa1y/Hi5VJr2decoDDpiSnTxuBv7PIqknGhotlfl3e/5AuzEOv7CvejJ/bHEAVH3XLrXXSgXlQPNHmREMKLG4elK9kP6Qq/mBulOU2LgyTRou8JYuBJ40fwviqdHThbTxZ8LUoR18RMGk4MtMq8h01iOqtdEt7MuI+OWreofy8PSsvXWCTjaByR0DtqUzPUnl9De7ApgrBG4gTZOlIwpLGLEA+ohND+MiLJ4ibf4dZTkgsfSYw22QEikq4cXKRm7649PkMJc1ZuepIdyBqQB/ZQ7dJzDMq2VIoCzuASOEef0gJ29g0EislbFKRRQi7APZRJGhtWX7ngmZVhtiYjACWfhlJbzyBGfLmasHYLsBmT7t99PnwSHYW0RROjT/HPMg7CWquwzmNfxA4LWfwLbHegKl9c+2drNmSValXRlWXc3GYEVYyuR5kheSb9G+yyZ2zP3flgthvhFe4Yn6Ocq4fSz2DaaEsa22Qc6rbVn3ZRMbjfbyFHDEo2Kw7M83X9W/mo5znGeUGE0eMklQpcN7oYDWMGOGEe3sej0mBNz79K+XZdKgbdH0M6yvWKLLVWPmGtosVATsSCsD9g2czjmuyA33nU60CXHQQqFLxKsUJdgkdQGussVxXVhc40PNg8Oi
1d0X362/yoyjgrDElmUzj/ayJLVu2Vmm5240zIM3b2bCfKDAJOIsbr8LGKhvB6XuyI6WOOUDYwwRpiEmHtxuIdEcKUplhTHb6IQHtEyb/WP174ilfKWp2Q9XxWneScHrgGymu4nMrxcJDxXit9UUKMPzvi8eDuhO+6SOJDhCJ6/kAAdqUj1ftBKvMv7GqrfMgqbAMtlgESf51uOzgidknulMx8RZzAMAwgVc7//uVpqeaRckcltPl4yHDghYua3fWNW0OTH5FOeMA5/Hv1Ks3d4CD/4gMqogoGLV5wmYPANPCNJEESCzZjrLV0bnkmxXbAtodawwNSCC8MUe02A5voiKILZIHRoK1Ef+H7bOpK0c2978q1k7uYKU//MnQKVYc6fn9cltz+Dvkci0cC+nNcn8yvjOKursB2LuC9ruWq/3qbZZQO4lLYKNB0Uy9GtCkEgSs0BgBUUQta7fHvym4aRkNNYLN4EuXiXz/eec/TqHhy459tTwMHqM1wlGuEYW+llr4H1k8A//+fW4r9z9cMLLw6xROf9VVr8J0fMPDhx0GpKDSCVhiWpwconUdgztTZCuADuAOeiBr3sOP2SKZpCMfHgiNm1QBTs6pQlf4SxFrqp6/4vGAe5Js20p5/p/w3bF4lqdX5MlG9/rcTwNmAtKhBVzc1sen/I9aVKpSg4/ylonBou6ixZwA19vwiqvoRqfv8vu6TXw+d5pkfPg6RbC4ovAfs59nRQZqDMZYZFtOwbCoZfsrkKfe32bicRUC2Fkwu6KepJ6+m46DOzLSVCg7zCyErywfivqUIUAbWyfwAEmk/Af+owRN/uHUWALWdot7yDrjHkKSjusaTB4tbzZEJbN58VZoKq85H1YqRhSzZtdDI9SoK6d+9uJC8w2nUF+B/aW7v4ACZbZ46kQnPSslvqhgt\"}","x-b3-traceid":"492fd663e00fad84","x-b3-spanid":"1b44e186c0383e5c","x-b3-parentspanid":"492fd663e00fad84","x-b3-sampled":"1","x-envoy-internal":"true","x-forwarded-for":"172.18.0.10","x-envoy-expected-rq-timeout-ms":"2250","x-forwarded-uri":"/","x-forwarded-method":"GET"},"body":{}}
info: starting verify pipeline
silly: verify params: {"config_token":"tsUdAn/pNXvl58Uon2IzBS/ZdbKZnQzXMlgba9f6ZbDAmxRRJqXLfftXN9bJze27bk347fsFpW4EKiOaEHjM+FpJ3zTS/Dh93jTqGsRCBv2A1h+0Q7ieEfaWIHeDwpWAfwiFMZJpbtAT06jsMM0TFcvZwHw3eGFedKFBLgzLKfILqGJdZFIZ2ZABOvVpyGTrihSBbOX2R/60J6dPd+HXG7+xEH+sPNboHTjT5bPg/7ltgy7fHZVrkJM/mpmg4knexsRGSOLw6jvuPFKQft4GoIc/GYHhw6faP0ZsuBIuWYgUletePNMdN0zk1wIWRk8FDJ7U2EZUXnS3YuCW7pPgZHFk7GA5/9CXDujLAUy2+EZIrC/NaR9AuO9qWPJvvffU1xpiSDpzhWF4IbW546G+F4QEQrhsd+ocMb2MjNvFvTwq2+oH8ahYVVp1NWr+5mkDvSU6/AfrcWq+3GK2hK6S+NFdonTnR/XVsSpMPPUoH80sV6J1bpF7DbMQg9Oid1w+UQlDMcI750Al5xCpes6/YdNH8jFE6HVuWMKXj11wq16CDqpI5TlZVcgkhWZ5V1xyC8/FCYXnfsBkfuPWzHc4da60N+sM9AYjj7BSecIk/Z6fTysUPFLY6q2o5TmliK0FnkMvDE9NbDMuGp6HvJglLLehsL6oKrd6mBjspob4m0nsWApNgntBKSRjqsgRmpuAmGL2Ou6lKVyTOItaPNVnDgGdPLUnACrqyGculWVASeiX7uwh3/W7EgSds0ptCSUKbFS/8Fp168LhP6tzqba4lqyh0QJtQRUvboAUUkFg6St8hPV+8Fa8y0GarpOEw01avjNczrGvzW/Dnel2HDFz7X1DS4+MyM5C0XUDJAkvJ+5grMjDEdtw8C4DkfN8aThPgk5kADEDDD7uLashfoocjYJhL0KN07MldA1RnA1Pc3D7zpG7hGtAapwg3Fhfbz+26JST5QQfUGKuO6yyjoWto+uwmaS1cyilMeWwz0bF5zreYOeg5SA3EMFRwcIcHX/ZHp4TTfOeo93sGiPBPQyL05OoOROysDXDnwa1y/Hi5VJr2decoDDpiSnTxuBv7PIqknGhotlfl3e/5AuzEOv7CvejJ/bHEAVH3XLrXXSgXlQPNHmREMKLG4elK9kP6Qq/mBulOU2LgyTRou8JYuBJ40fwviqdHThbTxZ8LUoR18RMGk4MtMq8h01iOqtdEt7MuI+OWreofy8PSsvXWCTjaByR0DtqUzPUnl9De7ApgrBG4gTZOlIwpLGLEA+ohND+MiLJ4ibf4dZTkgsfSYw22QEikq4cXKRm7649PkMJc1ZuepIdyBqQB/ZQ7dJzDMq2VIoCzuASOEef0gJ29g0EislbFKRRQi7APZRJGhtWX7ngmZVhtiYjACWfhlJbzyBGfLmasHYLsBmT7t99PnwSHYW0RROjT/HPMg7CWquwzmNfxA4LWfwLbHegKl9c+2drNmSValXRlWXc3GYEVYyuR5kheSb9G+yyZ2zP3flgthvhFe4Yn6Ocq4fSz2DaaEsa22Qc6rbVn3ZRMbjfbyFHDEo2Kw7M83X9W/mo5znGeUGE0eMklQpcN7oYDWMGOGEe3sej0mBNz79K+XZdKgbdH0M6yvWKLLVWPmGtosVATsSCsD9g2czjmuyA33nU60CXHQQqFLxKsUJdgkdQGussVxXVhc40PNg8Oi1d0X362/yoyjgrDElmUzj/ayJLVu2Vmm5240zIM3b2bCfKDAJOIsbr8LGKhvB6XuyI6WOOUDYwwRpiEmHtxuIdEcKUplhTHb6IQHtEyb/WP174ilfKWp2Q9XxWneScHrgGymu4nMrxcJDxXit9UUKMPzvi8eDuhO+6SOJDhCJ6/kAAdqUj1ftBKvMv7GqrfMgqbAMtlgESf51uOzgidknulMx8RZzAMAwgVc7//uVpqeaRckcltPl4yHDghYua3fWNW0OTH
5FOeMA5/Hv1Ks3d4CD/4gMqogoGLV5wmYPANPCNJEESCzZjrLV0bnkmxXbAtodawwNSCC8MUe02A5voiKILZIHRoK1Ef+H7bOpK0c2978q1k7uYKU//MnQKVYc6fn9cltz+Dvkci0cC+nNcn8yvjOKursB2LuC9ruWq/3qbZZQO4lLYKNB0Uy9GtCkEgSs0BgBUUQta7fHvym4aRkNNYLN4EuXiXz/eec/TqHhy459tTwMHqM1wlGuEYW+llr4H1k8A//+fW4r9z9cMLLw6xROf9VVr8J0fMPDhx0GpKDSCVhiWpwconUdgztTZCuADuAOeiBr3sOP2SKZpCMfHgiNm1QBTs6pQlf4SxFrqp6/4vGAe5Js20p5/p/w3bF4lqdX5MlG9/rcTwNmAtKhBVzc1sen/I9aVKpSg4/ylonBou6ixZwA19vwiqvoRqfv8vu6TXw+d5pkfPg6RbC4ovAfs59nRQZqDMZYZFtOwbCoZfsrkKfe32bicRUC2Fkwu6KepJ6+m46DOzLSVCg7zCyErywfivqUIUAbWyfwAEmk/Af+owRN/uHUWALWdot7yDrjHkKSjusaTB4tbzZEJbN58VZoKq85H1YqRhSzZtdDI9SoK6d+9uJC8w2nUF+B/aW7v4ACZbZ46kQnPSslvqhgt"}
debug: config token: {"eas":{"plugins":[{"type":"oidc","issuer":{"issuer":"https://zztop.oktapreview.com/oauth2/blablablabla","userinfo_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/userinfo","jwks_uri":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/keys","authorization_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/token","introspection_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/introspect","revocation_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/revoke"},"client":{"client_id":"blablablabla","client_secret":"blablablablablablablablablablablabla"},"scopes":["openid","email","profile","user","offline_access"],"redirect_uri":"https://environment.us-west-2.elasticbeanstalk.com/oauth/callback","custom_authorization_parameters":{},"features":{"cookie_expiry":3600,"userinfo_expiry":true,"session_expiry":3600,"session_expiry_refresh_window":3600,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"introspect_access_token":true,"introspect_expiry":0,"authorization_token":"access_token","logout":{"revoke_tokens_on_logout":["refresh_token","access_token","id_token"]}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_"}}]},"iat":1627048766,"audMD5":"1d0eab91e8b3f6b6152142fda1ed8237"}
info: starting verify for plugin: oidc
(node:18) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
verbose: parent request info: {"uri":"https://environment.us-west-2.elasticbeanstalk.com/","parsedUri":{"scheme":"https","host":"environment.us-west-2.elasticbeanstalk.com","path":"/","reference":"absolute"},"parsedQuery":{},"method":"GET"}
verbose: audMD5: 1d0eab91e8b3f6b6152142fda1ed8237
verbose: cookie name: _eas_localhost_session_
verbose: redirect_uri: https://environment.us-west-2.elasticbeanstalk.com/oauth/callback
verbose: callback redirect_uri: https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize?client_id=blablablabla&scope=openid%20email%20profile%20user%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Fenvironment.us-west-2.elasticbeanstalk.com%2Foauth%2Fcallback&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc
debug: plugin response {"statusCode":302,"statusMessage":"","body":"","cookies":[["_eas_oauth_csrf","9902vOzQajb0qL2X0GCtwsCNjnxWrlPHVfItfzNr1cT0zmeFxsHYrNf19sCuAJsk",{"expires":"2021-07-26T18:40:52.351Z","domain":null,"path":"/","httpOnly":true,"secure":false,"sameSite":"lax","signed":true}]],"clearCookies":[],"headers":{"Location":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize?client_id=blablablabla&scope=openid%20email%20profile%20user%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Fenvironment.us-west-2.elasticbeanstalk.com%2Foauth%2Fcallback&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc"},"authenticationData":{},"plugin":{"server":{},"config":{"type":"oidc","issuer":{"issuer":"https://zztop.oktapreview.com/oauth2/blablablabla","userinfo_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/userinfo","jwks_uri":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/keys","authorization_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/token","introspection_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/introspect","revocation_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/revoke"
},"client":{"client_id":"blablablabla","client_secret":"blablablablablablablablablablablabla"},"scopes":["openid","email","profile","user","offline_access"],"redirect_uri":"https://environment.us-west-2.elasticbeanstalk.com/oauth/callback","custom_authorization_parameters":{},"features":{"cookie_expiry":3600,"userinfo_expiry":true,"session_expiry":3600,"session_expiry_refresh_window":3600,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"introspect_access_token":true,"introspect_expiry":0,"authorization_token":"access_token","logout":{"revoke_tokens_on_logout":["refresh_token","access_token","id_token"],"end_provider_session":{},"backchannel":{}},"filtered_service_headers":[]},"assertions":{"exp":true,"nbf":true,"iss":true},"cookie":{"name":"_eas_localhost_session_","domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"pcb":{},"custom_authorization_code_parameters":{},"custom_refresh_parameters":{},"custom_revoke_parameters":{},"csrf_cookie":{"enabled":true,"domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"xhr":{}}}}
info: end verify pipeline with status: 302
silly: {"headers":{"host":"environment.us-west-2.elasticbeanstalk.com","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","dnt":"1","cookie":"_eas_oauth_csrf=s%3A9902vOzQajb0qL2X0GCtwsCNjnxWrlPHVfItfzNr1cT0zmeFxsHYrNf19sCuAJsk.BVSCJyuUkIZJ1qFRJK1GgvJxAbho6YvOdY6gO1L3YOA","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"none","sec-fetch-user":"?1","x-forwarded-for":"195.14.188.2","x-forwarded-proto":"https","x-envoy-downstream-service-cluster":"envoy-okta-front","x-envoy-downstream-service-node":"envoy-okta-front","x-envoy-external-address":"195.14.188.2","x-request-id":"0f31b57b-96e2-97df-9a61-8fa0a0d4a65a","x-envoy-expected-rq-timeout-ms":"15000","x-b3-traceid":"150ca6a8f51a5ef9","x-b3-spanid":"150ca6a8f51a5ef9","x-b3-sampled":"1"},"body":{}}
verbose: parsed state redirect uri: {"scheme":"https","host":"environment.us-west-2.elasticbeanstalk.com","path":"/","reference":"absolute"}
verbose: parsed request uri: {"path":"/oauth/callback","query":"code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc","reference":"relative"}
verbose: parsed redirect uri: {"scheme":"https","host":"environment.us-west-2.elasticbeanstalk.com","path":"/","query":"__eas_oauth_handler__=authorization_callback&code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc","reference":"absolute"}
info: redirecting browser to: "https://environment.us-west-2.elasticbeanstalk.com/?__eas_oauth_handler__=authorization_callback&code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc"
silly: verify request details: {"url":"/envoy/verify-params-header/?__eas_oauth_handler__=authorization_callback&code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc","params":{"0":"/","1":""},"query":{"__eas_oauth_handler__":"authorization_callback","code":"HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s","state":"196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc"},"http_method":"GET","http_version":"1.1","headers":{"host":"environment.us-west-2.elasticbeanstalk.com","content-length":"0","cookie":"_eas_oauth
_csrf=s%3A9902vOzQajb0qL2X0GCtwsCNjnxWrlPHVfItfzNr1cT0zmeFxsHYrNf19sCuAJsk.BVSCJyuUkIZJ1qFRJK1GgvJxAbho6YvOdY6gO1L3YOA","x-forwarded-proto":"https","x-eas-verify-params":"{\"config_token\":\"tsUdAn/pNXvl58Uon2IzBS/ZdbKZnQzXMlgba9f6ZbDAmxRRJqXLfftXN9bJze27bk347fsFpW4EKiOaEHjM+FpJ3zTS/Dh93jTqGsRCBv2A1h+0Q7ieEfaWIHeDwpWAfwiFMZJpbtAT06jsMM0TFcvZwHw3eGFedKFBLgzLKfILqGJdZFIZ2ZABOvVpyGTrihSBbOX2R/60J6dPd+HXG7+xEH+sPNboHTjT5bPg/7ltgy7fHZVrkJM/mpmg4knexsRGSOLw6jvuPFKQft4GoIc/GYHhw6faP0ZsuBIuWYgUletePNMdN0zk1wIWRk8FDJ7U2EZUXnS3YuCW7pPgZHFk7GA5/9CXDujLAUy2+EZIrC/NaR9AuO9qWPJvvffU1xpiSDpzhWF4IbW546G+F4QEQrhsd+ocMb2MjNvFvTwq2+oH8ahYVVp1NWr+5mkDvSU6/AfrcWq+3GK2hK6S+NFdonTnR/XVsSpMPPUoH80sV6J1bpF7DbMQg9Oid1w+UQlDMcI750Al5xCpes6/YdNH8jFE6HVuWMKXj11wq16CDqpI5TlZVcgkhWZ5V1xyC8/FCYXnfsBkfuPWzHc4da60N+sM9AYjj7BSecIk/Z6fTysUPFLY6q2o5TmliK0FnkMvDE9NbDMuGp6HvJglLLehsL6oKrd6mBjspob4m0nsWApNgntBKSRjqsgRmpuAmGL2Ou6lKVyTOItaPNVnDgGdPLUnACrqyGculWVASeiX7uwh3/W7EgSds0ptCSUKbFS/8Fp168LhP6tzqba4lqyh0QJtQRUvboAUUkFg6St8hPV+8Fa8y0GarpOEw01avjNczrGvzW/Dnel2HDFz7X1DS4+MyM5C0XUDJAkvJ+5grMjDEdtw8C4DkfN8aThPgk5kADEDDD7uLashfoocjYJhL0KN07MldA1RnA1Pc3D7zpG7hGtAapwg3Fhfbz+26JST5QQfUGKuO6yyjoWto+uwmaS1cyilMeWwz0bF5zreYOeg5SA3EMFRwcIcHX/ZHp4TTfOeo93sGiPBPQyL05OoOROysDXDnwa1y/Hi5VJr2decoDDpiSnTxuBv7PIqknGhotlfl3e/5AuzEOv7CvejJ/bHEAVH3XLrXXSgXlQPNHmREMKLG4elK9kP6Qq/mBulOU2LgyTRou8JYuBJ40fwviqdHThbTxZ8LUoR18RMGk4MtMq8h01iOqtdEt7MuI+OWreofy8PSsvXWCTjaByR0DtqUzPUnl9De7ApgrBG4gTZOlIwpLGLEA+ohND+MiLJ4ibf4dZTkgsfSYw22QEikq4cXKRm7649PkMJc1ZuepIdyBqQB/ZQ7dJzDMq2VIoCzuASOEef0gJ29g0EislbFKRRQi7APZRJGhtWX7ngmZVhtiYjACWfhlJbzyBGfLmasHYLsBmT7t99PnwSHYW0RROjT/HPMg7CWquwzmNfxA4LWfwLbHegKl9c+2drNmSValXRlWXc3GYEVYyuR5kheSb9G+yyZ2zP3flgthvhFe4Yn6Ocq4fSz2DaaEsa22Qc6rbVn3ZRMbjfbyFHDEo2Kw7M83X9W/mo5znGeUGE0eMklQpcN7oYDWMGOGEe3sej0mBNz79K+XZdKgbdH0M6yvWKLLVWPmGtosVATsSCsD9g2czjmuyA33nU60CXHQQqFLxKsUJdgkdQGussVxXVhc40PNg8Oi1d0X362/yoyjgrDElmUzj/ayJLVu2Vmm5240zIM3b2bCfKDAJOIsbr8LGKhvB6XuyI6WOOUDYwwRpiEmHtxuIdEcKUplhTHb6IQHtEyb/WP174i
lfKWp2Q9XxWneScHrgGymu4nMrxcJDxXit9UUKMPzvi8eDuhO+6SOJDhCJ6/kAAdqUj1ftBKvMv7GqrfMgqbAMtlgESf51uOzgidknulMx8RZzAMAwgVc7//uVpqeaRckcltPl4yHDghYua3fWNW0OTH5FOeMA5/Hv1Ks3d4CD/4gMqogoGLV5wmYPANPCNJEESCzZjrLV0bnkmxXbAtodawwNSCC8MUe02A5voiKILZIHRoK1Ef+H7bOpK0c2978q1k7uYKU//MnQKVYc6fn9cltz+Dvkci0cC+nNcn8yvjOKursB2LuC9ruWq/3qbZZQO4lLYKNB0Uy9GtCkEgSs0BgBUUQta7fHvym4aRkNNYLN4EuXiXz/eec/TqHhy459tTwMHqM1wlGuEYW+llr4H1k8A//+fW4r9z9cMLLw6xROf9VVr8J0fMPDhx0GpKDSCVhiWpwconUdgztTZCuADuAOeiBr3sOP2SKZpCMfHgiNm1QBTs6pQlf4SxFrqp6/4vGAe5Js20p5/p/w3bF4lqdX5MlG9/rcTwNmAtKhBVzc1sen/I9aVKpSg4/ylonBou6ixZwA19vwiqvoRqfv8vu6TXw+d5pkfPg6RbC4ovAfs59nRQZqDMZYZFtOwbCoZfsrkKfe32bicRUC2Fkwu6KepJ6+m46DOzLSVCg7zCyErywfivqUIUAbWyfwAEmk/Af+owRN/uHUWALWdot7yDrjHkKSjusaTB4tbzZEJbN58VZoKq85H1YqRhSzZtdDI9SoK6d+9uJC8w2nUF+B/aW7v4ACZbZ46kQnPSslvqhgt\"}","x-b3-traceid":"242affc42a0b4a05","x-b3-spanid":"bedebdc29a2bb6c8","x-b3-parentspanid":"242affc42a0b4a05","x-b3-sampled":"1","x-envoy-internal":"true","x-forwarded-for":"172.18.0.10","x-envoy-expected-rq-timeout-ms":"2250","x-forwarded-uri":"/?__eas_oauth_handler__=authorization_callback&code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc","x-forwarded-method":"GET"},"body":{}}
info: starting verify pipeline
silly: verify params: {"config_token":"tsUdAn/pNXvl58Uon2IzBS/ZdbKZnQzXMlgba9f6ZbDAmxRRJqXLfftXN9bJze27bk347fsFpW4EKiOaEHjM+FpJ3zTS/Dh93jTqGsRCBv2A1h+0Q7ieEfaWIHeDwpWAfwiFMZJpbtAT06jsMM0TFcvZwHw3eGFedKFBLgzLKfILqGJdZFIZ2ZABOvVpyGTrihSBbOX2R/60J6dPd+HXG7+xEH+sPNboHTjT5bPg/7ltgy7fHZVrkJM/mpmg4knexsRGSOLw6jvuPFKQft4GoIc/GYHhw6faP0ZsuBIuWYgUletePNMdN0zk1wIWRk8FDJ7U2EZUXnS3YuCW7pPgZHFk7GA5/9CXDujLAUy2+EZIrC/NaR9AuO9qWPJvvffU1xpiSDpzhWF4IbW546G+F4QEQrhsd+ocMb2MjNvFvTwq2+oH8ahYVVp1NWr+5mkDvSU6/AfrcWq+3GK2hK6S+NFdonTnR/XVsSpMPPUoH80sV6J1bpF7DbMQg9Oid1w+UQlDMcI750Al5xCpes6/YdNH8jFE6HVuWMKXj11wq16CDqpI5TlZVcgkhWZ5V1xyC8/FCYXnfsBkfuPWzHc4da60N+sM9AYjj7BSecIk/Z6fTysUPFLY6q2o5TmliK0FnkMvDE9NbDMuGp6HvJglLLehsL6oKrd6mBjspob4m0nsWApNgntBKSRjqsgRmpuAmGL2Ou6lKVyTOItaPNVnDgGdPLUnACrqyGculWVASeiX7uwh3/W7EgSds0ptCSUKbFS/8Fp168LhP6tzqba4lqyh0QJtQRUvboAUUkFg6St8hPV+8Fa8y0GarpOEw01avjNczrGvzW/Dnel2HDFz7X1DS4+MyM5C0XUDJAkvJ+5grMjDEdtw8C4DkfN8aThPgk5kADEDDD7uLashfoocjYJhL0KN07MldA1RnA1Pc3D7zpG7hGtAapwg3Fhfbz+26JST5QQfUGKuO6yyjoWto+uwmaS1cyilMeWwz0bF5zreYOeg5SA3EMFRwcIcHX/ZHp4TTfOeo93sGiPBPQyL05OoOROysDXDnwa1y/Hi5VJr2decoDDpiSnTxuBv7PIqknGhotlfl3e/5AuzEOv7CvejJ/bHEAVH3XLrXXSgXlQPNHmREMKLG4elK9kP6Qq/mBulOU2LgyTRou8JYuBJ40fwviqdHThbTxZ8LUoR18RMGk4MtMq8h01iOqtdEt7MuI+OWreofy8PSsvXWCTjaByR0DtqUzPUnl9De7ApgrBG4gTZOlIwpLGLEA+ohND+MiLJ4ibf4dZTkgsfSYw22QEikq4cXKRm7649PkMJc1ZuepIdyBqQB/ZQ7dJzDMq2VIoCzuASOEef0gJ29g0EislbFKRRQi7APZRJGhtWX7ngmZVhtiYjACWfhlJbzyBGfLmasHYLsBmT7t99PnwSHYW0RROjT/HPMg7CWquwzmNfxA4LWfwLbHegKl9c+2drNmSValXRlWXc3GYEVYyuR5kheSb9G+yyZ2zP3flgthvhFe4Yn6Ocq4fSz2DaaEsa22Qc6rbVn3ZRMbjfbyFHDEo2Kw7M83X9W/mo5znGeUGE0eMklQpcN7oYDWMGOGEe3sej0mBNz79K+XZdKgbdH0M6yvWKLLVWPmGtosVATsSCsD9g2czjmuyA33nU60CXHQQqFLxKsUJdgkdQGussVxXVhc40PNg8Oi1d0X362/yoyjgrDElmUzj/ayJLVu2Vmm5240zIM3b2bCfKDAJOIsbr8LGKhvB6XuyI6WOOUDYwwRpiEmHtxuIdEcKUplhTHb6IQHtEyb/WP174ilfKWp2Q9XxWneScHrgGymu4nMrxcJDxXit9UUKMPzvi8eDuhO+6SOJDhCJ6/kAAdqUj1ftBKvMv7GqrfMgqbAMtlgESf51uOzgidknulMx8RZzAMAwgVc7//uVpqeaRckcltPl4yHDghYua3fWNW0OTH
5FOeMA5/Hv1Ks3d4CD/4gMqogoGLV5wmYPANPCNJEESCzZjrLV0bnkmxXbAtodawwNSCC8MUe02A5voiKILZIHRoK1Ef+H7bOpK0c2978q1k7uYKU//MnQKVYc6fn9cltz+Dvkci0cC+nNcn8yvjOKursB2LuC9ruWq/3qbZZQO4lLYKNB0Uy9GtCkEgSs0BgBUUQta7fHvym4aRkNNYLN4EuXiXz/eec/TqHhy459tTwMHqM1wlGuEYW+llr4H1k8A//+fW4r9z9cMLLw6xROf9VVr8J0fMPDhx0GpKDSCVhiWpwconUdgztTZCuADuAOeiBr3sOP2SKZpCMfHgiNm1QBTs6pQlf4SxFrqp6/4vGAe5Js20p5/p/w3bF4lqdX5MlG9/rcTwNmAtKhBVzc1sen/I9aVKpSg4/ylonBou6ixZwA19vwiqvoRqfv8vu6TXw+d5pkfPg6RbC4ovAfs59nRQZqDMZYZFtOwbCoZfsrkKfe32bicRUC2Fkwu6KepJ6+m46DOzLSVCg7zCyErywfivqUIUAbWyfwAEmk/Af+owRN/uHUWALWdot7yDrjHkKSjusaTB4tbzZEJbN58VZoKq85H1YqRhSzZtdDI9SoK6d+9uJC8w2nUF+B/aW7v4ACZbZ46kQnPSslvqhgt"}
debug: config token: {"eas":{"plugins":[{"type":"oidc","issuer":{"issuer":"https://zztop.oktapreview.com/oauth2/blablablabla","userinfo_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/userinfo","jwks_uri":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/keys","authorization_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/token","introspection_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/introspect","revocation_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/revoke"},"client":{"client_id":"blablablabla","client_secret":"blablablablablablablablablablablabla"},"scopes":["openid","email","profile","user","offline_access"],"redirect_uri":"https://environment.us-west-2.elasticbeanstalk.com/oauth/callback","custom_authorization_parameters":{},"features":{"cookie_expiry":3600,"userinfo_expiry":true,"session_expiry":3600,"session_expiry_refresh_window":3600,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"introspect_access_token":true,"introspect_expiry":0,"authorization_token":"access_token","logout":{"revoke_tokens_on_logout":["refresh_token","access_token","id_token"]}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_"}}]},"iat":1627048766,"audMD5":"1d0eab91e8b3f6b6152142fda1ed8237"}
info: starting verify for plugin: oidc
verbose: parent request info: {"uri":"https://environment.us-west-2.elasticbeanstalk.com/?__eas_oauth_handler__=authorization_callback&code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc","parsedUri":{"scheme":"https","host":"environment.us-west-2.elasticbeanstalk.com","path":"/","query":"__eas_oauth_handler__=authorization_callback&code=HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc","reference":"absolute"},"parsedQuery":{"__eas_oauth_handler__":"auth
orization_callback","code":"HAB1KauD-dpZAodWLkEMGj_WBoHiLR0YpgGoXwjoz4s","state":"196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc13694f752602ffb45046a1b8fe8aa5c24a667cee604212bb1d4c2a5947d158b09d5dbe4cfec35048cab359dec8f7d046f82b20b92a6a7e8f2aa3ed05fbfefaf15b85c22f14fc879181586d7d5b41305cf03e703dc35b1dbf2e70e522be8d907cd29cdf766bbc5e4152561266f47f7a7e62450bb5f49e7dd9d1c82bef95f3749a08dc69653ff9779439fdf547cdb449f10097a2f70d1e8a2c215fa1b403b4acb959ccad14145ebb79b25406fe58b22914df20b1e2bc5662c2126fe17bf189e329ac627df0777694faf244e596f7285fafdd96093d11ba41084bb7b902f304f69892c5ed27da3d69852ba20359bdcf8597a691c85b01ffeb66ac8632f6edf409bc"},"method":"GET"}
verbose: audMD5: 1d0eab91e8b3f6b6152142fda1ed8237
verbose: cookie name: _eas_localhost_session_
verbose: decoded state: {"request_uri":"https://environment.us-west-2.elasticbeanstalk.com/","aud":"1d0eab91e8b3f6b6152142fda1ed8237","csrf":"54c9a3d8-886f-4f41-ad16-6088bfb6308b","req":{"headers":{}},"request_is_xhr":false,"iat":1627281652}
verbose: audMD5: 1d0eab91e8b3f6b6152142fda1ed8237
verbose: cookie name: _eas_localhost_session_
verbose: begin token fetch with authorization code
verbose: compare_redirect_uri: https://environment.us-west-2.elasticbeanstalk.com/oauth/callback
verbose: received and validated tokens
debug: refresh_token "bHzXPWR5FvLWmioWye7wcHMH20QHvTpyVZ8VlZh9hyw"
debug: refresh_token decoded null
debug: access_token "eyJraWQiOiUXXiePCrLXzSSU5lD1ZZxXc1FjLW5yemxUbzR2akxCUHB5QTJRVU9ZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlI2NVFpTm1mcHBVQjJQV3NzTWJyRjdSdGh6UThKRlYzTE1XRGtuOHVka3Mub2FyMmI5cGlxTzZOUDdrWGgweDYiLCJpc3MiOiJodHRwczovL3ZpbnRlZC5va3RhcHJldmlldy5jb20vb2F1dGgyL2F1czFudDJ0bXVMSDl5OW1YMHg3IiwiYXVkIjoiMG9hMW50MnY4eTdFOTJ4RGkweDciLCJpYXQiOjE2MjcyODE2NTksImV4cCI6MTYyNzI4MTk1OSwiY2lkIjoiMG9hMW50MnY4eTdFOTJ4RGkweDciLCJ1aWQiOiIwMHUxbHV5cWFuTE03cE1ReDB4NyIsInNjcCI6WyJvZmZsaW5lX2FjY2VzcyIsInVzZXIiLCJvcGVuaWQiLCJwcm9maWxlIiwiZW1haWwiXSwic3ViIjoib2xlZ2FzLmJ1ZG5pa0BkZW1vLmZyaWVuZGx5ZmFzaGlvbi5jby51ayIsImdyb3VwcyI6WyJFdmVyeW9uZSJdfQ.d5DEfWEiJFS5U6u329voD6GAFkpuGrMSC5TVKuX-sLOxnlCw9X2FcEPR4SYy55lsAfA46RviJlHEP_lv27peIfCSf2AyB0h1fBSICCUcMy7FGplyE7FsWQ6O4SoVSPttIdVhpAM-tVlQZnBN9rdvwl9YFKcjbE6emSijbMM02TIpTE0Z5yVf9jGjOCsagAcJbixE_FnnbcyurSBKYFkfDSBgclKcJqYhaDMXVxTy6pMphxX-ecEMSpnGHW6SYzhIKAwNxIYQfU3Y0XxsJrBIO7GGb2zOaebzlXHQ605H43g8xMwqPE-IXkrLxx8AEbgYHwxc1V1ZYaX_lej-HnhHjA"
debug: access_token decoded {"ver":1,"jti":"AT.R65QiNmfppUB2PWssMbrF7RthzQ8JFV3LMWDkn8udks.oar2b9piqO6NP7kXh0x6","iss":"https://zztop.oktapreview.com/oauth2/blablablabla","aud":"blablablabla","iat":1627281659,"exp":1627281959,"cid":"blablablabla","uid":"00u2liJqanNZ7pPPx0x7","scp":["offline_access","user","openid","profile","email"],"sub":"nonespoken@zztop.kokoko.com","groups":["Everyone"]}
debug: id_token "eyJraWQiOiUXXiePCrLXzSSU5lD1ZZxXc1FjLW5yemxUbzR2akxCUHB5QTJRVU9ZIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxbHV5cWFuTE03cE1ReDB4NyIsIm5hbWUiOiJvbGVnYXMuYnVkbmlrQGRlbW8uZnJpZW5kbHlmYXNoaW9uLmNvLnVrIiwiZW1haWwiOiJvbGVnYXMuYnVkbmlrQGRlbW8uZnJpZW5kbHlmYXNoaW9uLmNvLnVrIiwidmVyIjoxLCJpc3MiOiJodHRwczovL3ZpbnRlZC5va3RhcHJldmlldy5jb20vb2F1dGgyL2F1czFudDJ0bXVMSDl5OW1YMHg3IiwiYXVkIjoiMG9hMW50MnY4eTdFOTJ4RGkweDciLCJpYXQiOjE2MjcyODE2NTksImV4cCI6MTYyNzI4NTI1OSwianRpIjoiSUQuTDBqc3FZOFNJVFJ6NDRoWTRtMThOTVdwb1E5VnBaVUQ1RXQ0RjQ3Z2JPWSIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvdHh0bml6Q1hlWWdWVUcweDYiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvbGVnYXMuYnVkbmlrQGRlbW8uZnJpZW5kbHlmYXNoaW9uLmNvLnVrIiwiYXV0aF90aW1lIjoxNjI3MjgxNjU3LCJhdF9oYXNoIjoiVVB2X2RHQjFENHZHc1AzSkV1bTMzZyIsImdyb3VwcyI6WyJFdmVyeW9uZSJdfQ.mV0F8kr2dF7pJHRMHJ8wjhPYjQ2hqlB1gIlTjj00LZTnWiC8cNOpEng02M44uH4_kq6VYCWkT8xs9oFquVkrVHcxV3Dan_yvlIRfvTxMWgPAy3BhSargMjEWnl6U7xvZR6a5RF52sz9Zs5cf6yZegHz0Gb7WzgWkiFO5ZYaIh64j8lJWbS2O6ihQOSmFQgYhSkbZw51h8pk7D3O9TbDRYUSzUxYVZwO0F7yK0Yh_A1AO4NWHlDdSiCMI4MExT9rjhBIJyQRAYkq186lIVKM5VMjupi66K_cSE42VgeOiEjukZz6UIvLX5Y9uCYmjCXlZzjfMVviHVphi_18lnOeiSg"
debug: id_token decoded {"sub":"00u2liJqanNZ7pPPx0x7","name":"nonespoken@zztop.kokoko.com","email":"nonespoken@zztop.kokoko.com","ver":1,"iss":"https://zztop.oktapreview.com/oauth2/blablablabla","aud":"blablablabla","iat":1627281659,"exp":1627285259,"jti":"ID.L0jsqY8SITRz44hY4m18NMWpoQ9VpZUD5Et4F47gbOY","amr":["pwd"],"idp":"00otxtnizCXeYgVUG0x6","preferred_username":"nonespoken@zztop.kokoko.com","auth_time":1627281657,"at_hash":"UPv_dGB1D4vGsP3JEum33g","groups":["Everyone"]}
verbose: token introspect details {"active":true,"scope":"offline_access user openid profile email","username":"nonespoken@zztop.kokoko.com","exp":1627281959,"iat":1627281659,"sub":"nonespoken@zztop.kokoko.com","aud":"blablablabla","iss":"https://zztop.oktapreview.com/oauth2/blablablabla","jti":"AT.R65QiNmfppUB2PWssMbrF7RthzQ8JFV3LMWDkn8udks.oar2b9piqO6NP7kXh0x6","token_type":"Bearer","client_id":"blablablabla","uid":"00u2liJqanNZ7pPPx0x7","groups":["Everyone"]}
debug: get userinfo with tokenSet: {"token_type":"Bearer","expires_at":1627281959,"access_token":"eyJraWQiOiUXXiePCrLXzSSU5lD1ZZxXc1FjLW5yemxUbzR2akxCUHB5QTJRVU9ZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlI2NVFpTm1mcHBVQjJQV3NzTWJyRjdSdGh6UThKRlYzTE1XRGtuOHVka3Mub2FyMmI5cGlxTzZOUDdrWGgweDYiLCJpc3MiOiJodHRwczovL3ZpbnRlZC5va3RhcHJldmlldy5jb20vb2F1dGgyL2F1czFudDJ0bXVMSDl5OW1YMHg3IiwiYXVkIjoiMG9hMW50MnY4eTdFOTJ4RGkweDciLCJpYXQiOjE2MjcyODE2NTksImV4cCI6MTYyNzI4MTk1OSwiY2lkIjoiMG9hMW50MnY4eTdFOTJ4RGkweDciLCJ1aWQiOiIwMHUxbHV5cWFuTE03cE1ReDB4NyIsInNjcCI6WyJvZmZsaW5lX2FjY2VzcyIsInVzZXIiLCJvcGVuaWQiLCJwcm9maWxlIiwiZW1haWwiXSwic3ViIjoib2xlZ2FzLmJ1ZG5pa0BkZW1vLmZyaWVuZGx5ZmFzaGlvbi5jby51ayIsImdyb3VwcyI6WyJFdmVyeW9uZSJdfQ.d5DEfWEiJFS5U6u329voD6GAFkpuGrMSC5TVKuX-sLOxnlCw9X2FcEPR4SYy55lsAfA46RviJlHEP_lv27peIfCSf2AyB0h1fBSICCUcMy7FGplyE7FsWQ6O4SoVSPttIdVhpAM-tVlQZnBN9rdvwl9YFKcjbE6emSijbMM02TIpTE0Z5yVf9jGjOCsagAcJbixE_FnnbcyurSBKYFkfDSBgclKcJqYhaDMXVxTy6pMphxX-ecEMSpnGHW6SYzhIKAwNxIYQfU3Y0XxsJrBIO7GGb2zOaebzlXHQ605H43g8xMwqPE-IXkrLxx8AEbgYHwxc1V1ZYaX_lej-HnhHjA","scope":"offline_access user openid profile 
email","refresh_token":"bHzXPWR5FvLWmioWye7wcHMH20QHvTpyVZ8VlZh9hyw","id_token":"eyJraWQiOiUXXiePCrLXzSSU5lD1ZZxXc1FjLW5yemxUbzR2akxCUHB5QTJRVU9ZIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxbHV5cWFuTE03cE1ReDB4NyIsIm5hbWUiOiJvbGVnYXMuYnVkbmlrQGRlbW8uZnJpZW5kbHlmYXNoaW9uLmNvLnVrIiwiZW1haWwiOiJvbGVnYXMuYnVkbmlrQGRlbW8uZnJpZW5kbHlmYXNoaW9uLmNvLnVrIiwidmVyIjoxLCJpc3MiOiJodHRwczovL3ZpbnRlZC5va3RhcHJldmlldy5jb20vb2F1dGgyL2F1czFudDJ0bXVMSDl5OW1YMHg3IiwiYXVkIjoiMG9hMW50MnY4eTdFOTJ4RGkweDciLCJpYXQiOjE2MjcyODE2NTksImV4cCI6MTYyNzI4NTI1OSwianRpIjoiSUQuTDBqc3FZOFNJVFJ6NDRoWTRtMThOTVdwb1E5VnBaVUQ1RXQ0RjQ3Z2JPWSIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvdHh0bml6Q1hlWWdWVUcweDYiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvbGVnYXMuYnVkbmlrQGRlbW8uZnJpZW5kbHlmYXNoaW9uLmNvLnVrIiwiYXV0aF90aW1lIjoxNjI3MjgxNjU3LCJhdF9oYXNoIjoiVVB2X2RHQjFENHZHc1AzSkV1bTMzZyIsImdyb3VwcyI6WyJFdmVyeW9uZSJdfQ.mV0F8kr2dF7pJHRMHJ8wjhPYjQ2hqlB1gIlTjj00LZTnWiC8cNOpEng02M44uH4_kq6VYCWkT8xs9oFquVkrVHcxV3Dan_yvlIRfvTxMWgPAy3BhSargMjEWnl6U7xvZR6a5RF52sz9Zs5cf6yZegHz0Gb7WzgWkiFO5ZYaIh64j8lJWbS2O6ihQOSmFQgYhSkbZw51h8pk7D3O9TbDRYUSzUxYVZwO0F7yK0Yh_A1AO4NWHlDdSiCMI4MExT9rjhBIJyQRAYkq186lIVKM5VMjupi66K_cSE42VgeOiEjukZz6UIvLX5Y9uCYmjCXlZzjfMVviHVphi_18lnOeiSg"}
silly: verify request details: {"url":"/envoy/verify-params-header/favicon.ico","params":{"0":"/favicon.ico","1":"favicon.ico"},"query":{},"http_method":"GET","http_version":"1.1","headers":{"host":"environment.us-west-2.elasticbeanstalk.com","content-length":"0","x-forwarded-proto":"https","cookie":"_eas_oauth_csrf=s%3A9902vOzQajb0qL2X0GCtwsCNjnxWrlPHVfItfzNr1cT0zmeFxsHYrNf19sCuAJsk.BVSCJyuUkIZJ1qFRJK1GgvJxAbho6YvOdY6gO1L3YOA","x-eas-verify-params":"{\"config_token\":\"tsUdAn/pNXvl58Uon2IzBS/ZdbKZnQzXMlgba9f6ZbDAmxRRJqXLfftXN9bJze27bk347fsFpW4EKiOaEHjM+FpJ3zTS/Dh93jTqGsRCBv2A1h+0Q7ieEfaWIHeDwpWAfwiFMZJpbtAT06jsMM0TFcvZwHw3eGFedKFBLgzLKfILqGJdZFIZ2ZABOvVpyGTrihSBbOX2R/60J6dPd+HXG7+xEH+sPNboHTjT5bPg/7ltgy7fHZVrkJM/mpmg4knexsRGSOLw6jvuPFKQft4GoIc/GYHhw6faP0ZsuBIuWYgUletePNMdN0zk1wIWRk8FDJ7U2EZUXnS3YuCW7pPgZHFk7GA5/9CXDujLAUy2+EZIrC/NaR9AuO9qWPJvvffU1xpiSDpzhWF4IbW546G+F4QEQrhsd+ocMb2MjNvFvTwq2+oH8ahYVVp1NWr+5mkDvSU6/AfrcWq+3GK2hK6S+NFdonTnR/XVsSpMPPUoH80sV6J1bpF7DbMQg9Oid1w+UQlDMcI750Al5xCpes6/YdNH8jFE6HVuWMKXj11wq16CDqpI5TlZVcgkhWZ5V1xyC8/FCYXnfsBkfuPWzHc4da60N+sM9AYjj7BSecIk/Z6fTysUPFLY6q2o5TmliK0FnkMvDE9NbDMuGp6HvJglLLehsL6oKrd6mBjspob4m0nsWApNgntBKSRjqsgRmpuAmGL2Ou6lKVyTOItaPNVnDgGdPLUnACrqyGculWVASeiX7uwh3/W7EgSds0ptCSUKbFS/8Fp168LhP6tzqba4lqyh0QJtQRUvboAUUkFg6St8hPV+8Fa8y0GarpOEw01avjNczrGvzW/Dnel2HDFz7X1DS4+MyM5C0XUDJAkvJ+5grMjDEdtw8C4DkfN8aThPgk5kADEDDD7uLashfoocjYJhL0KN07MldA1RnA1Pc3D7zpG7hGtAapwg3Fhfbz+26JST5QQfUGKuO6yyjoWto+uwmaS1cyilMeWwz0bF5zreYOeg5SA3EMFRwcIcHX/ZHp4TTfOeo93sGiPBPQyL05OoOROysDXDnwa1y/Hi5VJr2decoDDpiSnTxuBv7PIqknGhotlfl3e/5AuzEOv7CvejJ/bHEAVH3XLrXXSgXlQPNHmREMKLG4elK9kP6Qq/mBulOU2LgyTRou8JYuBJ40fwviqdHThbTxZ8LUoR18RMGk4MtMq8h01iOqtdEt7MuI+OWreofy8PSsvXWCTjaByR0DtqUzPUnl9De7ApgrBG4gTZOlIwpLGLEA+ohND+MiLJ4ibf4dZTkgsfSYw22QEikq4cXKRm7649PkMJc1ZuepIdyBqQB/ZQ7dJzDMq2VIoCzuASOEef0gJ29g0EislbFKRRQi7APZRJGhtWX7ngmZVhtiYjACWfhlJbzyBGfLmasHYLsBmT7t99PnwSHYW0RROjT/HPMg7CWquwzmNfxA4LWfwLbHegKl9c+2drNmSValXRlWXc3GYEVYyuR5kheSb9G+yyZ2zP3flgthvhFe4Yn6Ocq
4fSz2DaaEsa22Qc6rbVn3ZRMbjfbyFHDEo2Kw7M83X9W/mo5znGeUGE0eMklQpcN7oYDWMGOGEe3sej0mBNz79K+XZdKgbdH0M6yvWKLLVWPmGtosVATsSCsD9g2czjmuyA33nU60CXHQQqFLxKsUJdgkdQGussVxXVhc40PNg8Oi1d0X362/yoyjgrDElmUzj/ayJLVu2Vmm5240zIM3b2bCfKDAJOIsbr8LGKhvB6XuyI6WOOUDYwwRpiEmHtxuIdEcKUplhTHb6IQHtEyb/WP174ilfKWp2Q9XxWneScHrgGymu4nMrxcJDxXit9UUKMPzvi8eDuhO+6SOJDhCJ6/kAAdqUj1ftBKvMv7GqrfMgqbAMtlgESf51uOzgidknulMx8RZzAMAwgVc7//uVpqeaRckcltPl4yHDghYua3fWNW0OTH5FOeMA5/Hv1Ks3d4CD/4gMqogoGLV5wmYPANPCNJEESCzZjrLV0bnkmxXbAtodawwNSCC8MUe02A5voiKILZIHRoK1Ef+H7bOpK0c2978q1k7uYKU//MnQKVYc6fn9cltz+Dvkci0cC+nNcn8yvjOKursB2LuC9ruWq/3qbZZQO4lLYKNB0Uy9GtCkEgSs0BgBUUQta7fHvym4aRkNNYLN4EuXiXz/eec/TqHhy459tTwMHqM1wlGuEYW+llr4H1k8A//+fW4r9z9cMLLw6xROf9VVr8J0fMPDhx0GpKDSCVhiWpwconUdgztTZCuADuAOeiBr3sOP2SKZpCMfHgiNm1QBTs6pQlf4SxFrqp6/4vGAe5Js20p5/p/w3bF4lqdX5MlG9/rcTwNmAtKhBVzc1sen/I9aVKpSg4/ylonBou6ixZwA19vwiqvoRqfv8vu6TXw+d5pkfPg6RbC4ovAfs59nRQZqDMZYZFtOwbCoZfsrkKfe32bicRUC2Fkwu6KepJ6+m46DOzLSVCg7zCyErywfivqUIUAbWyfwAEmk/Af+owRN/uHUWALWdot7yDrjHkKSjusaTB4tbzZEJbN58VZoKq85H1YqRhSzZtdDI9SoK6d+9uJC8w2nUF+B/aW7v4ACZbZ46kQnPSslvqhgt\"}","x-b3-traceid":"4adf063d3f581361","x-b3-spanid":"c42a212cbcf037f7","x-b3-parentspanid":"4adf063d3f581361","x-b3-sampled":"1","x-envoy-internal":"true","x-forwarded-for":"172.18.0.10","x-envoy-expected-rq-timeout-ms":"2250","x-forwarded-uri":"/favicon.ico","x-forwarded-method":"GET"},"body":{}}
info: starting verify pipeline
silly: verify params: {"config_token":"tsUdAn/pNXvl58Uon2IzBS/ZdbKZnQzXMlgba9f6ZbDAmxRRJqXLfftXN9bJze27bk347fsFpW4EKiOaEHjM+FpJ3zTS/Dh93jTqGsRCBv2A1h+0Q7ieEfaWIHeDwpWAfwiFMZJpbtAT06jsMM0TFcvZwHw3eGFedKFBLgzLKfILqGJdZFIZ2ZABOvVpyGTrihSBbOX2R/60J6dPd+HXG7+xEH+sPNboHTjT5bPg/7ltgy7fHZVrkJM/mpmg4knexsRGSOLw6jvuPFKQft4GoIc/GYHhw6faP0ZsuBIuWYgUletePNMdN0zk1wIWRk8FDJ7U2EZUXnS3YuCW7pPgZHFk7GA5/9CXDujLAUy2+EZIrC/NaR9AuO9qWPJvvffU1xpiSDpzhWF4IbW546G+F4QEQrhsd+ocMb2MjNvFvTwq2+oH8ahYVVp1NWr+5mkDvSU6/AfrcWq+3GK2hK6S+NFdonTnR/XVsSpMPPUoH80sV6J1bpF7DbMQg9Oid1w+UQlDMcI750Al5xCpes6/YdNH8jFE6HVuWMKXj11wq16CDqpI5TlZVcgkhWZ5V1xyC8/FCYXnfsBkfuPWzHc4da60N+sM9AYjj7BSecIk/Z6fTysUPFLY6q2o5TmliK0FnkMvDE9NbDMuGp6HvJglLLehsL6oKrd6mBjspob4m0nsWApNgntBKSRjqsgRmpuAmGL2Ou6lKVyTOItaPNVnDgGdPLUnACrqyGculWVASeiX7uwh3/W7EgSds0ptCSUKbFS/8Fp168LhP6tzqba4lqyh0QJtQRUvboAUUkFg6St8hPV+8Fa8y0GarpOEw01avjNczrGvzW/Dnel2HDFz7X1DS4+MyM5C0XUDJAkvJ+5grMjDEdtw8C4DkfN8aThPgk5kADEDDD7uLashfoocjYJhL0KN07MldA1RnA1Pc3D7zpG7hGtAapwg3Fhfbz+26JST5QQfUGKuO6yyjoWto+uwmaS1cyilMeWwz0bF5zreYOeg5SA3EMFRwcIcHX/ZHp4TTfOeo93sGiPBPQyL05OoOROysDXDnwa1y/Hi5VJr2decoDDpiSnTxuBv7PIqknGhotlfl3e/5AuzEOv7CvejJ/bHEAVH3XLrXXSgXlQPNHmREMKLG4elK9kP6Qq/mBulOU2LgyTRou8JYuBJ40fwviqdHThbTxZ8LUoR18RMGk4MtMq8h01iOqtdEt7MuI+OWreofy8PSsvXWCTjaByR0DtqUzPUnl9De7ApgrBG4gTZOlIwpLGLEA+ohND+MiLJ4ibf4dZTkgsfSYw22QEikq4cXKRm7649PkMJc1ZuepIdyBqQB/ZQ7dJzDMq2VIoCzuASOEef0gJ29g0EislbFKRRQi7APZRJGhtWX7ngmZVhtiYjACWfhlJbzyBGfLmasHYLsBmT7t99PnwSHYW0RROjT/HPMg7CWquwzmNfxA4LWfwLbHegKl9c+2drNmSValXRlWXc3GYEVYyuR5kheSb9G+yyZ2zP3flgthvhFe4Yn6Ocq4fSz2DaaEsa22Qc6rbVn3ZRMbjfbyFHDEo2Kw7M83X9W/mo5znGeUGE0eMklQpcN7oYDWMGOGEe3sej0mBNz79K+XZdKgbdH0M6yvWKLLVWPmGtosVATsSCsD9g2czjmuyA33nU60CXHQQqFLxKsUJdgkdQGussVxXVhc40PNg8Oi1d0X362/yoyjgrDElmUzj/ayJLVu2Vmm5240zIM3b2bCfKDAJOIsbr8LGKhvB6XuyI6WOOUDYwwRpiEmHtxuIdEcKUplhTHb6IQHtEyb/WP174ilfKWp2Q9XxWneScHrgGymu4nMrxcJDxXit9UUKMPzvi8eDuhO+6SOJDhCJ6/kAAdqUj1ftBKvMv7GqrfMgqbAMtlgESf51uOzgidknulMx8RZzAMAwgVc7//uVpqeaRckcltPl4yHDghYua3fWNW0OTH
5FOeMA5/Hv1Ks3d4CD/4gMqogoGLV5wmYPANPCNJEESCzZjrLV0bnkmxXbAtodawwNSCC8MUe02A5voiKILZIHRoK1Ef+H7bOpK0c2978q1k7uYKU//MnQKVYc6fn9cltz+Dvkci0cC+nNcn8yvjOKursB2LuC9ruWq/3qbZZQO4lLYKNB0Uy9GtCkEgSs0BgBUUQta7fHvym4aRkNNYLN4EuXiXz/eec/TqHhy459tTwMHqM1wlGuEYW+llr4H1k8A//+fW4r9z9cMLLw6xROf9VVr8J0fMPDhx0GpKDSCVhiWpwconUdgztTZCuADuAOeiBr3sOP2SKZpCMfHgiNm1QBTs6pQlf4SxFrqp6/4vGAe5Js20p5/p/w3bF4lqdX5MlG9/rcTwNmAtKhBVzc1sen/I9aVKpSg4/ylonBou6ixZwA19vwiqvoRqfv8vu6TXw+d5pkfPg6RbC4ovAfs59nRQZqDMZYZFtOwbCoZfsrkKfe32bicRUC2Fkwu6KepJ6+m46DOzLSVCg7zCyErywfivqUIUAbWyfwAEmk/Af+owRN/uHUWALWdot7yDrjHkKSjusaTB4tbzZEJbN58VZoKq85H1YqRhSzZtdDI9SoK6d+9uJC8w2nUF+B/aW7v4ACZbZ46kQnPSslvqhgt"}
debug: config token: {"eas":{"plugins":[{"type":"oidc","issuer":{"issuer":"https://zztop.oktapreview.com/oauth2/blablablabla","userinfo_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/userinfo","jwks_uri":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/keys","authorization_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/token","introspection_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/introspect","revocation_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/revoke"},"client":{"client_id":"blablablabla","client_secret":"blablablablablablablablablablablabla"},"scopes":["openid","email","profile","user","offline_access"],"redirect_uri":"https://environment.us-west-2.elasticbeanstalk.com/oauth/callback","custom_authorization_parameters":{},"features":{"cookie_expiry":3600,"userinfo_expiry":true,"session_expiry":3600,"session_expiry_refresh_window":3600,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"introspect_access_token":true,"introspect_expiry":0,"authorization_token":"access_token","logout":{"revoke_tokens_on_logout":["refresh_token","access_token","id_token"]}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_"}}]},"iat":1627048766,"audMD5":"1d0eab91e8b3f6b6152142fda1ed8237"}
info: starting verify for plugin: oidc
verbose: parent request info: {"uri":"https://environment.us-west-2.elasticbeanstalk.com/favicon.ico","parsedUri":{"scheme":"https","host":"environment.us-west-2.elasticbeanstalk.com","path":"/favicon.ico","reference":"absolute"},"parsedQuery":{},"method":"GET"}
verbose: audMD5: 1d0eab91e8b3f6b6152142fda1ed8237
verbose: cookie name: _eas_localhost_session_
verbose: redirect_uri: https://environment.us-west-2.elasticbeanstalk.com/oauth/callback
verbose: callback redirect_uri: https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize?client_id=blablablabla&scope=openid%20email%20profile%20user%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Fenvironment.us-west-2.elasticbeanstalk.com%2Foauth%2Fcallback&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc5e3589e8ea57f929eed3be237f5e34baf176fccd4bebc4663a408a259ba4344ed2ad87897a35e593c439bdbcd74491fbc8f797c2dd557065c8f298f69a38f16debb6f3f80add0e69da8222f43fe15b76881723dbe1286252dd65e427f41da215abd753de19cef19eb3b153ccfb3ce571a530fbbae329a33dfca1d2fd6aa450e7b5ebd542538686fb8c4dad71ec3d4d16ce240908957bd7315808dbb66dfbce11cd7bdfe7ce7c9c76fdb58c9962d33eca43e98f327d434850b2ba88de2a123d138e9f410f7d1352cc48d8fc253f1e949fe28f5e36ac433d6ed6ae52b93aa0d9d743e656890a1e0f6539cb854033be84dcc03a5b4fd7420cf1e294ee6ce0a50110ad858379813af30090bf55f068283ba0
debug: plugin response {"statusCode":302,"statusMessage":"","body":"","cookies":[["_eas_oauth_csrf","2OI+LjkDALf95lATEE9oSCEjcHulGC47bly8CdQGXLqGCMaoWwDdec/Ekh2VXEXZ",{"expires":"2021-07-26T18:41:01.207Z","domain":null,"path":"/","httpOnly":true,"secure":false,"sameSite":"lax","signed":true}]],"clearCookies":[],"headers":{"Location":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize?client_id=blablablabla&scope=openid%20email%20profile%20user%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Fenvironment.us-west-2.elasticbeanstalk.com%2Foauth%2Fcallback&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e0c848b22a2bd61ae166c0b72433eebe430a8f6fa4a2f96b984acf9b35e4b6f31d24bc4035ced07ce0c340fbec5b07da6183c7cfc15ace6f3a21ca056b783c4cae6f589c6fa04fa418b8cdffabaaa4bfc5e3589e8ea57f929eed3be237f5e34baf176fccd4bebc4663a408a259ba4344ed2ad87897a35e593c439bdbcd74491fbc8f797c2dd557065c8f298f69a38f16debb6f3f80add0e69da8222f43fe15b76881723dbe1286252dd65e427f41da215abd753de19cef19eb3b153ccfb3ce571a530fbbae329a33dfca1d2fd6aa450e7b5ebd542538686fb8c4dad71ec3d4d16ce240908957bd7315808dbb66dfbce11cd7bdfe7ce7c9c76fdb58c9962d33eca43e98f327d434850b2ba88de2a123d138e9f410f7d1352cc48d8fc253f1e949fe28f5e36ac433d6ed6ae52b93aa0d9d743e656890a1e0f6539cb854033be84dcc03a5b4fd7420cf1e294ee6ce0a50110ad858379813af30090bf55f068283ba0"},"authenticationData":{},"plugin":{"server":{},"config":{"type":"oidc","issuer":{"issuer":"https://zztop.oktapreview.com/oauth2/blablablabla","userinfo_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/userinfo","jwks_uri":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/keys","authorization_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/token","introspection_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/introspect","revocation_endpoint":"https://zztop.oktapreview.co
m/oauth2/blablablabla/v1/revoke"},"client":{"client_id":"blablablabla","client_secret":"blablablablablablablablablablablabla"},"scopes":["openid","email","profile","user","offline_access"],"redirect_uri":"https://environment.us-west-2.elasticbeanstalk.com/oauth/callback","custom_authorization_parameters":{},"features":{"cookie_expiry":3600,"userinfo_expiry":true,"session_expiry":3600,"session_expiry_refresh_window":3600,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"introspect_access_token":true,"introspect_expiry":0,"authorization_token":"access_token","logout":{"revoke_tokens_on_logout":["refresh_token","access_token","id_token"],"end_provider_session":{},"backchannel":{}},"filtered_service_headers":[]},"assertions":{"exp":true,"nbf":true,"iss":true},"cookie":{"name":"_eas_localhost_session_","domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"pcb":{},"custom_authorization_code_parameters":{},"custom_refresh_parameters":{},"custom_revoke_parameters":{},"csrf_cookie":{"enabled":true,"domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"xhr":{}}}}
info: end verify pipeline with status: 302
verbose: userinfo {"iat":1627281661,"data":{"sub":"00u2liJqanNZ7pPPx0x7","name":"nonespoken@zztop.kokoko.com","locale":"en-US","email":"nonespoken@zztop.kokoko.com","preferred_username":"nonespoken@zztop.kokoko.com","given_name":"Jonas","family_name":"Jonaitis","zoneinfo":"America/Los_Angeles","updated_at":1624865314,"email_verified":true,"groups":["Everyone"]}}
verbose: creating new session: bc7fec85-fc79-4964-bf7d-b4eebeb74cf5
info: redirecting to original resource: https://environment.us-west-2.elasticbeanstalk.com/
debug: plugin response {"statusCode":302,"statusMessage":"","body":"","cookies":[["_eas_localhost_session_","bc7fec85-fc79-4964-bf7d-b4eebeb74cf5",{"domain":null,"path":"/","expires":"2021-07-26T07:41:00.818Z","httpOnly":true,"secure":false,"sameSite":"lax","signed":true}]],"clearCookies":[],"headers":{"Location":"https://environment.us-west-2.elasticbeanstalk.com/"},"authenticationData":{},"plugin":{"server":{},"config":{"type":"oidc","issuer":{"issuer":"https://zztop.oktapreview.com/oauth2/blablablabla","userinfo_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/userinfo","jwks_uri":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/keys","authorization_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/token","introspection_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/introspect","revocation_endpoint":"https://zztop.oktapreview.com/oauth2/blablablabla/v1/revoke"},"client":{"client_id":"blablablabla","client_secret":"blablablablablablablablablablablabla"},"scopes":["openid","email","profile","user","offline_access"],"redirect_uri":"https://environment.us-west-2.elasticbeanstalk.com/oauth/callback","custom_authorization_parameters":{},"features":{"cookie_expiry":3600,"userinfo_expiry":true,"session_expiry":3600,"session_expiry_refresh_window":3600,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"introspect_access_token":true,"introspect_expiry":0,"authorization_token":"access_token","logout":{"revoke_tokens_on_logout":["refresh_token","access_token","id_token"],"end_provider_session":{},"backchannel":{}},"filtered_service_headers":[]},"assertions":{"exp":true,"nbf":true,"iss":true},"cookie":{"name":"_eas_localhost_session_","domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"pcb":{},"custom_authorization_code_parameters":{},"custom_refresh_parameters":{},"custom_revoke_parameters":{},"cs
rf_cookie":{"enabled":true,"domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"xhr":{}}}}
info: end verify pipeline with status: 302

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Great! Anything you run into that could use improvements let me know!

3 - Yup, I tried to take care of optimizing as much as I could where possible but you do have the inherent overhead of an http sub request going on during the lifecycle of the main/parent request. I think grpc may lower that overhead by how it handles connections but I could be wrong.

5 - let me know what you have in mind here and how eas would play a role.

6 - I actually do have a miracle solution for this…but only for apps you control (ie: in-house apps). Essentially eas is ‘aware’ of whether a request is ajax or not and can slightly alter behavior based on that knowledge. Instead of returning a 302 you can tell eas to respond with a 401 (ajax requests following a 302 doesn’t do the browser itself much good). This is where app specific logic comes in…you’d ‘catch’ the 401 ajax responses and retrieve the data out of the headers/etc to then forward the browser itself to the endpoint returned from the eas response. However, the redirect_uri sent to the provider (okta) can be set to the referer address so after authenticating you go back to where the browser was vs where the ajax request was sent (ie: the same route). In the PLUGINS.md page just search for xhr. For 3rd party SPA-like apps it’s not the best…but I’ve found a simple refresh of the browser does the trick nicely…and with the expiration windows I use I rarely run into the issue anyway.

It’s in next…or should be 😃

OK, I’ve committed a sample config file (be gentle, I fumbled through it without any prior experience) I can use for development/testing now at least which includes samples for both http and grpc configurations.

https://github.com/travisghansen/external-auth-server/blob/next/examples/envoy-conf.yaml

I hope to have all this in a release within the next day or so including the updated charts to support SSL right in the service and the grpc service as well.

Sure. I’m using right now a rather complex Envoy config with front and back logical segments with other modules. Perhaps there is no need for such here (at least for now), so I’ll combine it into one and clean up irrelevant stuff, test it and post it here latest tomorrow or this evening.

Regarding your specific issue here, yeah adding a little time to allow for eas to request userinfo is probably a good thing. Note that there are settings to control how long the userinfo is cached to prevent making those requests every user request and slowing things down dramatically. Your testing is a fantastic approach as with a complex scenario getting things configured just right will pay dividends in the future!
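The timing concern in the comment above can be checked against eas logs like the ones in this issue. The following is an added example, not code from eas or from the issue: it compares the gap between the access token's `iat` and the `iat` eas stamps on the userinfo record with the `x-envoy-expected-rq-timeout-ms` value Envoy sent. It assumes the IdP and eas clocks agree and that the same timeout applies to the callback request; `parseEasLine` and `userinfoBudget` are hypothetical helper names.

```javascript
// Added example: estimate how much of Envoy's advertised time budget the
// token -> userinfo part of an eas authorization callback used.

// Constructed sample, abbreviated from the log format shown in the issue.
const SAMPLE_LOG = [
  'verbose: begin token fetch with authorization code',
  'verbose: received and validated tokens',
  'debug: access_token decoded {"iat":1627281659,"exp":1627281959}',
  'silly: verify request details: {"url":"/envoy/verify-params-header/favicon.ico","headers":{"x-envoy-expected-rq-timeout-ms":"2250"}}',
  // Truncated on purpose, like the wrapped lines in the pasted log.
  'debug: plugin response {"statusCode":302,"headers":{"Location":"https://idp.example/v1/auth',
  'verbose: userinfo {"iat":1627281661,"data":{"sub":"constructed-user"}}',
  'verbose: creating new session: 00000000-0000-4000-8000-000000000000',
];

// Split "level: message {json}" into parts. json is null when the line has
// no JSON payload or the payload was truncated or wrapped.
function parseEasLine(line) {
  const m = /^(\w+): (.*)$/.exec(line);
  if (!m) return null;
  const brace = m[2].indexOf('{');
  if (brace === -1) return { level: m[1], message: m[2].trim(), json: null };
  let json = null;
  try {
    json = JSON.parse(m[2].slice(brace));
  } catch (_) {
    json = null; // unparseable payload: keep the line, drop the data
  }
  return { level: m[1], message: m[2].slice(0, brace).trim(), json };
}

// Returns the Envoy timeout, the token-to-userinfo gap, and whether that
// gap could have exceeded the timeout. Fields are null when the log lacks
// the lines needed (for example with fetch_userinfo disabled).
function userinfoBudget(lines) {
  let timeoutMs = null;
  let tokenIat = null;
  let userinfoIat = null;
  for (const line of lines) {
    const entry = parseEasLine(line);
    if (!entry || !entry.json) continue;
    if (entry.message.startsWith('verify request details')) {
      const raw = (entry.json.headers || {})['x-envoy-expected-rq-timeout-ms'];
      if (raw !== undefined) timeoutMs = Number(raw);
    } else if (entry.message === 'access_token decoded') {
      tokenIat = entry.json.iat;
    } else if (entry.message === 'userinfo') {
      userinfoIat = entry.json.iat;
    }
  }
  if (timeoutMs === null || tokenIat === null || userinfoIat === null) {
    return { timeoutMs, elapsedMs: null, atRisk: null };
  }
  // iat has one-second resolution, so the true gap lies within +/- 1000 ms.
  const elapsedMs = (userinfoIat - tokenIat) * 1000;
  return { timeoutMs, elapsedMs, atRisk: elapsedMs + 1000 >= timeoutMs };
}

console.log(userinfoBudget(SAMPLE_LOG));
```

The gap only covers the time from token issuance to the userinfo record, so the whole callback took at least that long.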

This is all great info! I’m actually looking at setting up a raw envoy config today to do further testing on the grpc interface.

If you could share a basic template config file to use that would be helpful. Then I’ll have something for testing both the grpc and the http interface locally to help in the long run.