Troubleshoot Authentication Issues
If you cannot access your application or if you experience login loops or authentication failures, follow these troubleshooting steps to identify and resolve the issue.
You must have at least the C3.AppAdmin role to perform most of the following troubleshooting steps.
Database corruption
All single node environments (SNEs) use an embedded PostgreSQL database by default. If your application is inaccessible or if you experience login loops, your PostgreSQL database might be corrupted.
Here's how to check for database corruption:
- Check OpenSearch for your specific application to see if the database is corrupted. See Troubleshoot C3 AI Applications with Server Logs using OpenSearch.
- Search for "File Corrupted" in the logs.
If your database is corrupted, you must start a new SNE.
User session out of sync
If you are experiencing login loops or authentication failure, your user session might be out of sync. Fetch the user session sequence to troubleshoot. The user session sequence tracks the state of a user's authentication session. The sequence is helpful to investigate login loops, authentication failures, and session sync issues.
Here's how to check for user session sync issues:
Run the following command in your application C3 AI Console:
User.userSessionSequence(<user_id>)
Compare the output to the c3auth cookie in your browser. Find the c3auth cookie from your browser interface. The session sequence in the c3auth cookie should be strictly greater than the database value.
If the session sequence in the c3auth cookie is not greater than the database value, remove the affected user from the database. Run the following commands from any application C3 AI Console to remove the affected user from the database:
- If you are experiencing login issues, run User.myUser().remove().
- If another user is experiencing issues, run User.forId(<USER_ID>).remove()
If you still cannot log into the application after removing the user, the session was not out of sync and your database is likely corrupted. See the previous section, Database corruption, to troubleshoot a corrupted database.
Additional commands for session issues
You can also run the following commands to check for session issues:
C3.app().nodes().each(n => console.log(n.callJson("User", "clearCacheLocalOnlyAllApps")))
C3.app().nodes().each(n => console.log(n.callJson("User", "userSessionSequence", null, [User.forId('<user_id>').id])))
This code does the following:
- Clears user cache across all nodes in the application and displays the output from each node.
- Checks the user session sequence for a specific user across all nodes: retrieves the session sequence number for the specified user and checks each node to see if session sequences are consistent.
Session token signed by incorrect app key
If you cannot access your application or if you experience a login loop, check if the application is caching the incorrect keys. Incorrect keys can cause token signing issues.
Validate keys
Check if the private and public key values match:
Run the following code in the application C3 AI Console to fetch the keys:
App.PublicKey.make(<app_id>).getConfig()
App.PrivateKey.make(<app_id>).getSecret()
Navigate to JSON Web Token (JWT) Debugger and do the following:
- Select the RS512 algorithm.
- Paste the key values from the previous step. Remove the \n values.
- Verify the signature.
Repeat the previous steps for keys from the c3/c3 application.
If the signature is invalid, the keys do not match and you must regenerate them. There are two ways you can regenerate the keys:
- Run App#SetupKeys from the C3 AI Console of the application.
- Manually generate the keys and change the value in the config store. The key pair should be RSA512 with 2048-bit key length. Append -----BEGIN PUBLIC KEY-----\n and \n-----END PUBLIC KEY----- to both keys. For example:
-----BEGIN PUBLIC KEY-----
<public_key>
-----END PUBLIC KEY-----
After you update the keys, clear the cached value from all apps in the cluster.
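The signature check from Validate keys and the 2048-bit RSA PEM format from the manual generation step can also be exercised locally in Node.js, so the private key value stays on your machine. This is an added example, not C3 AI code: the function names are hypothetical, and the key pairs are constructed in the script to stand in for the values fetched from the console.

```javascript
const crypto = require("crypto");

// Values copied from a config store may carry literal "\n" escapes; restore
// real newlines so the PEM parser accepts them.
function normalizePem(pem) {
  return pem.replace(/\\n/g, "\n").trim() + "\n";
}

const b64url = (data) => Buffer.from(data).toString("base64url");
// Sign a throwaway JWT with RS512 (RSASSA-PKCS1-v1_5 with SHA-512).
function signRs512(privatePem, payload) {
  const input = b64url(JSON.stringify({ alg: "RS512", typ: "JWT" })) + "." +
    b64url(JSON.stringify(payload));
  const sig = crypto.sign("sha512", Buffer.from(input), normalizePem(privatePem));
  return input + "." + b64url(sig);
}

// Verify an RS512 JWT signature against a public key.
function verifyRs512(token, publicPem) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  if (header.alg !== "RS512") return false; // accept only the expected algorithm
  return crypto.verify("sha512", Buffer.from(parts[0] + "." + parts[1]),
    normalizePem(publicPem), Buffer.from(parts[2], "base64url"));
}

// True when both PEM values belong to the same RSA key pair.
function keysMatch(privatePem, publicPem) {
  try {
    return verifyRs512(signRs512(privatePem, { check: "keypair" }), publicPem);
  } catch (err) {
    return false; // an unparsable PEM counts as a mismatch
  }
}

// Constructed sample keys (2048-bit RSA, PEM); replace with the fetched values.
function sampleKeyPair() {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}

const pairA = sampleKeyPair();
const pairB = sampleKeyPair();
console.log("same pair:", keysMatch(pairA.privateKey, pairA.publicKey));
console.log("different pairs:", keysMatch(pairA.privateKey, pairB.publicKey));
```

A false result corresponds to the invalid-signature case above, where the keys must be regenerated.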
Clear cached keys
Cached keys can lead to issues during authentication and authorization. Follow these steps to clear the cache:
Run the following code in the application C3 AI Console to clear the public and private key cache:
App.PublicKey.clearCacheLocalOnlyAllApps()
App.PrivateKey.clearCacheLocalOnlyAllApps()
If you are unable to directly access the app, use an application C3 AI Console from a higher level.
For example, if the app you want to log in to is <env>/<app>, then navigate to <env>/c3 and run the following:
App.forId("env-app").callJson("App.PublicKey", "clearCacheLocalOnlyAllApps", null, null)
App.forId("env-app").callJson("App.PrivateKey", "clearCacheLocalOnlyAllApps", null, null)
If the previous commands do not resolve your issue, restart the server:
Server.restart()
Or, delete the pod to clear cached values.
If the previous commands still do not resolve your issue, clear the cache on all servers in a cluster:
Cluster.apps().forEach((app) => {
  app.nodes.forEach((node) => {
    node.call("App.PublicKey", "clearCacheLocalOnlyAllApps", null, null);
    node.call("App.PrivateKey", "clearCacheLocalOnlyAllApps", null, null);
  });
});
Unauthorized action during app communication
Incorrect keys or insufficient permissions for the application might cause an authorization error. Try the following troubleshooting steps:
- Verify the application keys. See the previous section Validate keys to learn how to verify the keys.
- Run Role#allPermissions in the application to check permissions.
- Run Role.forId(<AppIdentity_role>) to check if the provided role is valid.
Browser caching stale cookies
If you notice multiple c3auth cookies in requests and responses and experience persistent login issues, your browser might be caching stale cookies.
Try to access the app in incognito mode. If you can access it successfully, your browser cookie cache is incorrect.
Clear the cookies from your browser for the application.
OpenID Connect authentication error
If you receive the Unauthorized! null/c3/c3/oidc/login error message, there is likely an OpenID Connect (OIDC) authentication failure on the redirect application. The redirect application is c3/c3 unless configured otherwise.
Check OpenSearch for logs prefixed with Error during OIDC login:. See Troubleshoot C3 AI Applications with Server Logs using OpenSearch.
Complete the following troubleshooting steps depending on the error:
- Invalid IdToken: Use JSON Web Token (JWT) Debugger to validate the OIDC token. Get the OIDC token from the network section of your IdP request.
- Run Authenticator.idpConfig(<app_url>) (Authenticator#idpConfig) and check the following fields:
  - Invalid StateToken: Ensure that the keys for the app that signed the state token are up to date on c3/c3.
  - Invalid Audience: Ensure the configuration has the correct audience in the audiences field.
  - Invalid Issuer: Ensure the configuration has the correct issuer.
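To compare an ID token's issuer and audience with the configured values without pasting the token into a web tool, the claims can be decoded locally in Node.js. This is an added example, not C3 AI code: the function names, the shape of the expected object (issuer, audiences) and the sample token are assumptions constructed for illustration, and the signature is not verified here.

```javascript
// Decode one base64url JWT segment into an object.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Compare an ID token's claims with the expected issuer and audiences.
// Returns a list of problems; an empty list means both claims line up.
function triageIdToken(token, expected) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) return ["Malformed token: expected 3 segments"];
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (err) {
    return ["Malformed token: payload is not base64url-encoded JSON"];
  }
  const problems = [];
  // OIDC requires an exact issuer match, so a trailing slash is a mismatch.
  if (claims.iss !== expected.issuer) {
    problems.push("Invalid Issuer: token iss=" + claims.iss);
  }
  // The aud claim may be a single string or an array of strings.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.some((value) => expected.audiences.includes(value))) {
    problems.push("Invalid Audience: token aud=" + aud.join(","));
  }
  return problems;
}

// Constructed sample token with a placeholder signature segment.
function sampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return enc({ alg: "RS256", typ: "JWT" }) + "." + enc(claims) + ".c2ln";
}

// Constructed expected values; take the real ones from the IdP configuration.
const expected = { issuer: "https://idp.example.com", audiences: ["c3-app"] };
const token = sampleToken({ iss: "https://idp.example.com/", aud: "other-app" });
console.log(triageIdToken(token, expected));
```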