Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve: Also pass along a state (nonce) paramater. #1135

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

improve: Also pass along a state (nonce) paramater. #1135

wants to merge 4 commits into from

Conversation

openbrian
Copy link

bug: #1134

It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.

Closes #1134

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

Before submitting this PR, please make sure you have:

  • run make test and confirmed all checks still pass OR confirm CircleCI build passes
  • verified that any code from external sources are properly credited in comments or that everything is internally sourced

Testing the oidc way failed for me. I mean the tests would not kick off.

@openbrian
improve: Also pass along a state (nonce) paramater.
6776bab 
bug: getodk#1134

It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string.  This will trigger node-openid-client to fail a check.
lognaturel
lognaturel reviewed May 1, 2024
View reviewed changes
lib/resources/oidc.js Outdated
@@ -102,15 +103,19 @@ module.exports = (service, endpoint) => {
const client = await getClient();
const code_verifier = generators.codeVerifier(); // eslint-disable-line camelcase

// State is not strictly required because PKCS (code_challenge) protects us from CSRF attacks.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It feels important to then mention why it's there! Maybe just add "but some IDPs always send it"

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@lognaturel
Copy link
Member

Thanks for digging into this and figuring out a solution, @openbrian! I've left one small suggestion. @alxndrsn could you please do a deeper review?

@lognaturel lognaturel requested a review from alxndrsn May 1, 2024 20:50
alxndrsn
alxndrsn reviewed May 3, 2024
View reviewed changes
lib/resources/oidc.js
@@ -102,15 +103,22 @@ module.exports = (service, endpoint) => {
const client = await getClient();
const code_verifier = generators.codeVerifier(); // eslint-disable-line camelcase

// State is not strictly required because PKCS (code_challenge) protects us from CSRF attacks.
// See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-countermeasures-4
// We create a nonce (state) anyway because some IDPs (e.g. Authentik) will send the nonce
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nonce is the name of a different value which can be used at various points in OAuth/OIDC. I think avoiding that word here would reduce chance of confusion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@openbrian just in case you missed this 🙂

alxndrsn
alxndrsn reviewed May 3, 2024
View reviewed changes
lib/resources/oidc.js Outdated Show resolved Hide resolved
@alxndrsn
Copy link
Contributor

alxndrsn commented May 3, 2024

It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.

Thanks for the PR! I think this is a bug in Authentik's implementation; they seem to be open source (https://github.com/goauthentik/authentik?) so perhaps it can be fixed on their side.

That said, state should be supported by all IdPs (per the spec). Also state reportedly adds some security against generating fake errors. I will dig deeper and test this against some different IdPs.

alxndrsn
alxndrsn reviewed May 3, 2024
View reviewed changes
lib/resources/oidc.js Outdated Show resolved Hide resolved
@alxndrsn alxndrsn mentioned this pull request May 15, 2024
Open
@alxndrsn
Copy link
Contributor

Thanks for the PR! I think this is a bug in Authentik's implementation; they seem to be open source (https://github.com/goauthentik/authentik?) so perhaps it can be fixed on their side.

I've opened a potential PR at goauthentik/authentik#9735

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alxndrsn alxndrsn alxndrsn left review comments

@lognaturel lognaturel lognaturel left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OIDC login fails due to Authentik sending state QS and node-openid-client failing a check
3 participants
@openbrian @lognaturel @alxndrsn