Problem/Motivation

Randomly, when I log into Drupal, I get thrown to a 403 page. I am apparently logged in because I can replace the 403 in the URL with dashboard and get to my dashboard.

Steps to reproduce

Steps:
1. Open the browser that last had drupal.org/dashboard as an open page where has it as one of the homepages.
2. When I am sent to the login screen instead, enter my email address and password and press enter
3. If the login screen re-displays with my username, click the red redo login button and enter my password and press enter

Expected result and sometimes actual result: My dashboard page displays
Sometimes actual result: drupal.org/403 displays

Attempted workaround:

4. Edit the 403 in the location bar to read dashboard

Hoped-for result and actual result: My dashboard page displays

Browser info

This last happened in Firefox 151.0.3, macOS 26.5.1, with security set to strict.


Comments

charles belov created an issue.

fjgarlin commented:

Status: Active » Postponed (maintainer needs more info)

Could you provide full URLs and a screen recording of this?

charles belov commented:

I can try. Since it's an intermittent issue I have to wait for it to happen. It happened today, unfortunately before I saw your request. Please leave as Postponed (maintainer needs more info) until I can comply with your request.

drumm commented:

I suspect this might be due to

3. If the login screen re-displays with my username, click the red redo login button and enter my password and press enter

As a security measure, the Keycloak-powered login form has a short expiration time. I see in the Drupal logs, your user session opens when it redirects back to https://www.drupal.org/openid-connect/keycloak?state=…

Then https://www.drupal.org/openid-connect/keycloak?state=... with different query arguments is requested, and that 403s. Probably something along the lines of either already being logged in at that point and/or Drupal’s tracking of the state mismatches what’s expected.

The logs provide information needed, so no need for a screen recording. It would be interesting to know if the expired and restarted login form is indeed the cause.

This is likely a bug or something to be improved in the openid_connect module. Since this is intermittent, and on the old codebase we are migrating away from, while this is annoying, it isn’t something we can dedicate time to fixing. If this also happens on new.drupal.org, that will be something to fix.
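
The following is an added example, not code from the openid_connect module or from anyone in this thread. It models the hypothesis in the last comment: a session keeps one single-use `state` token, so a callback carrying a different or already-used `state` is refused with 403 even though the user is logged in. The class and function names, the TTL value, and the `tolerate_logged_in` option are assumptions made for illustration.

```python
import hmac
import secrets
import time

STATE_TTL = 300  # seconds; assumed value, the thread only says the form expires quickly


class Session:
    """Constructed stand-in for one browser's server-side session."""

    def __init__(self):
        self.state = None      # the single pending state token
        self.issued_at = 0.0
        self.user = None


def begin_login(session, now=None):
    """Start an authorization request; a restarted login overwrites the old state."""
    session.state = secrets.token_urlsafe(32)
    session.issued_at = time.time() if now is None else now
    return session.state


def handle_callback(session, state, now=None, tolerate_logged_in=False):
    """Return the HTTP status for a callback request carrying ?state=<state>."""
    now = time.time() if now is None else now
    # Single use: the stored token is consumed on every attempt, match or not.
    expected, session.state = session.state, None
    fresh = expected is not None and now - session.issued_at <= STATE_TTL
    if fresh and hmac.compare_digest(expected.encode(), state.encode()):
        session.user = "constructed-user"  # constructed identity for the example
        return 200
    # Hypothetical lenient handling: the stale callback is still not processed,
    # but an already authenticated user is redirected instead of shown a 403.
    if tolerate_logged_in and session.user is not None:
        return 302
    return 403


def restarted_login_statuses():
    """Login form A expires, login B is started, then both callbacks arrive."""
    s = Session()
    state_a = begin_login(s)   # original form
    state_b = begin_login(s)   # restarted form, replaces state_a
    return [handle_callback(s, state_b), handle_callback(s, state_a)]
```
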