Authentication FAQ

The Authentication Runbook provides guidelines for troubleshooting common authentication issues, particularly during app access and login processes. It includes checks for corrupted databases, session synchronization, stale cookies, and OpenID Connect (OIDC) configuration.

Common authentication issues and resolutions

  1. App Access Looping Back to Login Page

    • Possible Cause: H2 Database Corruption (for versions 8.0 - 8.5)
    • Solution:
      • Check for database corruption by searching for "File Corrupted" in OpenSearch logs. (Refer to Image 1)
      • If corruption is confirmed, start a new SNE, as recovery is not possible for corrupted H2 databases.
  2. User Session Out of Sync (for versions 8.4 - 8.5)

    • Solution:
      • Check the user session sequence by comparing User.userSessionSequence(<USER_ID>) to the c3auth cookie value. The session sequence in the c3auth cookie should be strictly greater than the value User.userSessionSequence returns.

      • Remove the problematic user session using:

        JavaScript
        User.forId(<USER_ID>).remove();
      • If login is still unsuccessful, H2 corruption might be the issue.

  3. Session Token Signed by Incorrect App Key (for versions 8.3 - 8.4)

    • Solution:
      • Follow the instructions in the App to App Communication Runbook to ensure tokens are signed by the correct app.
      • If browser caching is suspected, use Incognito mode to bypass cache. If successful, clear cookies to remove stale cache. (Refer to Image 3)
  4. Unauthorized OIDC Login (all versions)

    • Common Error: "Unauthorized! null/c3/c3/oidc/login"
    • Solution:
      • Inspect OpenSearch logs for errors prefixed with "Error during OIDC login:".
      • Troubleshoot based on the specific cause:
        • Invalid IdToken: Use Oidc#validateIdToken to diagnose.
        • Invalid StateToken: Confirm app keys are up to date for c3/c3.
        • Invalid Audience: Check that the correct audience is configured in the audience field.
        • Invalid Issuer: Ensure the correct issuer is specified in the config. (Refer to Image 2)
  5. Lost Access Post-Logout

    • Possible Cause: User session out of sync.
    • Solution: Follow steps under "User Session Out of Sync" to verify and correct session sequence.
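
For the Invalid Audience and Invalid Issuer cases under "Unauthorized OIDC Login", the following Node.js helper is an added example (not C3 AI code, and not a replacement for Oidc#validateIdToken) that decodes an ID token's claims and compares iss and aud with the configured values. The function names, the idp.example.com issuer and the app-a/app-b/app-c audiences are constructed for illustration; the comparison rules assumed are those of OpenID Connect Core (exact issuer match, aud as a string or an array).

```javascript
// Added diagnostic example, not C3 AI code. It decodes claims only and does
// NOT verify the signature, so it must never drive an authentication decision.

// Decode one base64url JWT segment into a JavaScript value.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare the token's iss/aud claims with the values the app is configured to
// expect (hypothetical shape: { issuer, audience }). Empty list = both match.
function diagnoseIdToken(idToken, expected) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return ['Invalid IdToken: not a three-part JWT'];
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (e) {
    return ['Invalid IdToken: payload is not base64url-encoded JSON'];
  }
  if (claims === null || typeof claims !== 'object') {
    return ['Invalid IdToken: payload is not a JSON object'];
  }
  const findings = [];
  // Issuer is an exact string match: scheme, host, path and trailing slash.
  if (claims.iss !== expected.issuer) {
    findings.push('Invalid Issuer: token has ' + JSON.stringify(claims.iss) +
      ', config expects ' + JSON.stringify(expected.issuer));
  }
  // aud may be a single string or an array of strings.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) {
    findings.push('Invalid Audience: token has ' + JSON.stringify(claims.aud) +
      ', config expects ' + JSON.stringify(expected.audience));
  }
  return findings;
}

// Build a constructed sample token with a placeholder (unverifiable) signature.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(claims) + '.c2lnbmF0dXJl';
}

// Constructed input: trailing-slash issuer mismatch and a missing audience.
const sample = makeSampleToken({ iss: 'https://idp.example.com/', aud: ['app-a', 'app-b'] });
console.log(diagnoseIdToken(sample, { issuer: 'https://idp.example.com', audience: 'app-c' }));
```
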

Frequently asked questions (FAQ)

Q: Why is my application looping back to the IDP login page repeatedly?
A: This may be due to H2 database corruption. Check the OpenSearch logs for "File Corrupted" to confirm. If corrupted, you need to start a new SNE.

Q: How can I verify if a user session is out of sync?
A: Compare the session sequence using User.userSessionSequence(<USER_ID>) with the c3auth cookie value. If out of sync, remove the session using the appropriate User.remove() command.

Q: My session token is invalid due to an incorrect app key. What should I do?
A: Ensure that the session token is signed by the correct app key. If using cached cookies, try Incognito mode or clear cookies if needed.

Q: I received an 'Invalid Audience' error during OIDC login. How do I resolve this?
A: Ensure the correct audience is configured in the application's audience field.

Q: I'm unable to log in due to an 'Invalid Issuer' error. What does this mean?
A: The issue likely stems from an incorrect issuer configuration. Verify and update the issuer field in the app's configuration settings.
