improve: Also pass along a state (nonce) paramater. #1135

openbrian · 2024-05-01T20:07:20Z

It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.

Closes #1134

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

Before submitting this PR, please make sure you have:

run make test and confirmed all checks still pass OR confirm CircleCI build passes
verified that any code from external sources are properly credited in comments or that everything is internally sourced

Testing the oidc way failed for me. I mean the tests would not kick off.

bug: getodk#1134 It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.

lib/resources/oidc.js

lognaturel · 2024-05-01T20:50:47Z

Thanks for digging into this and figuring out a solution, @openbrian! I've left one small suggestion. @alxndrsn could you please do a deeper review?

alxndrsn · 2024-05-03T08:11:40Z

lib/resources/oidc.js

@@ -102,15 +103,22 @@ module.exports = (service, endpoint) => {
      const client = await getClient();
      const code_verifier = generators.codeVerifier(); // eslint-disable-line camelcase

+      // State is not strictly required because PKCS (code_challenge) protects us from CSRF attacks.
+      // See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-countermeasures-4
+      // We create a nonce (state) anyway because some IDPs (e.g. Authentik) will send the nonce


nonce is the name of a different value which can be used at various points in OAuth/OIDC. I think avoiding that word here would reduce chance of confusion.

@openbrian just in case you missed this 🙂

lib/resources/oidc.js

alxndrsn · 2024-05-03T12:36:02Z

It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.

Thanks for the PR! I think this is a bug in Authentik's implementation; they seem to be open source (https://github.com/goauthentik/authentik?) so perhaps it can be fixed on their side.

That said, state should be supported by all IdPs (per the spec). Also state reportedly adds some security against generating fake errors. I will dig deeper and test this against some different IdPs.

lib/resources/oidc.js

alxndrsn · 2024-05-15T08:47:55Z

Thanks for the PR! I think this is a bug in Authentik's implementation; they seem to be open source (https://github.com/goauthentik/authentik?) so perhaps it can be fixed on their side.

I've opened a potential PR at goauthentik/authentik#9735

alxndrsn · 2024-10-16T08:20:53Z

Related: panva/openid-client#703

improve: Also pass along a state (nonce) paramater.

6776bab

bug: getodk#1134 It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.

openbrian force-pushed the oidc-state-parameter branch from 06763fe to 6776bab Compare May 1, 2024 20:09

lognaturel reviewed May 1, 2024

View reviewed changes

lib/resources/oidc.js Outdated Show resolved Hide resolved

lognaturel requested a review from alxndrsn May 1, 2024 20:50

Explain why the nonce (state) is sent.

1e416c1

alxndrsn reviewed May 3, 2024

View reviewed changes

lib/resources/oidc.js Outdated Show resolved Hide resolved

alxndrsn reviewed May 3, 2024

View reviewed changes

lib/resources/oidc.js Outdated Show resolved Hide resolved

openbrian added 2 commits May 4, 2024 11:40

PKCS -> PKCE

4cfd3ec

Use default generated nonce length of 32.

5ecc86d

alxndrsn mentioned this pull request May 15, 2024

core/oauth2: don't set state in responses if not supplied goauthentik/authentik#9735

Open

alxndrsn mentioned this pull request Oct 16, 2024

openid-client: update to v6? #1230

Open

alxndrsn self-assigned this Oct 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

improve: Also pass along a state (nonce) paramater. #1135

improve: Also pass along a state (nonce) paramater. #1135

openbrian commented May 1, 2024

lognaturel commented May 1, 2024

alxndrsn May 3, 2024

alxndrsn May 15, 2024

alxndrsn commented May 3, 2024

alxndrsn commented May 15, 2024

alxndrsn commented Oct 16, 2024

improve: Also pass along a state (nonce) paramater. #1135

Are you sure you want to change the base?

improve: Also pass along a state (nonce) paramater. #1135

Conversation

openbrian commented May 1, 2024

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

Before submitting this PR, please make sure you have:

lognaturel commented May 1, 2024

alxndrsn May 3, 2024

Choose a reason for hiding this comment

alxndrsn May 15, 2024

Choose a reason for hiding this comment

alxndrsn commented May 3, 2024

alxndrsn commented May 15, 2024

alxndrsn commented Oct 16, 2024