Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

improve: Also pass along a state (nonce) paramater. #1135

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

openbrian
Copy link

bug: #1134

It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.

Closes #1134

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

Before submitting this PR, please make sure you have:

  • run make test and confirmed all checks still pass OR confirm CircleCI build passes
  • verified that any code from external sources are properly credited in comments or that everything is internally sourced

Testing the oidc way failed for me. I mean the tests would not kick off.

bug: getodk#1134

It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string.  This will trigger node-openid-client to fail a check.
lib/resources/oidc.js Outdated Show resolved Hide resolved
@lognaturel
Copy link
Member

Thanks for digging into this and figuring out a solution, @openbrian! I've left one small suggestion. @alxndrsn could you please do a deeper review?

@lognaturel lognaturel requested a review from alxndrsn May 1, 2024 20:50
@@ -102,15 +103,22 @@ module.exports = (service, endpoint) => {
const client = await getClient();
const code_verifier = generators.codeVerifier(); // eslint-disable-line camelcase

// State is not strictly required because PKCS (code_challenge) protects us from CSRF attacks.
// See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-countermeasures-4
// We create a nonce (state) anyway because some IDPs (e.g. Authentik) will send the nonce
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nonce is the name of a different value which can be used at various points in OAuth/OIDC. I think avoiding that word here would reduce chance of confusion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@openbrian just in case you missed this 🙂

lib/resources/oidc.js Outdated Show resolved Hide resolved
@alxndrsn
Copy link
Contributor

alxndrsn commented May 3, 2024

It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.

Thanks for the PR! I think this is a bug in Authentik's implementation; they seem to be open source (https://github.com/goauthentik/authentik?) so perhaps it can be fixed on their side.

That said, state should be supported by all IdPs (per the spec). Also state reportedly adds some security against generating fake errors. I will dig deeper and test this against some different IdPs.

lib/resources/oidc.js Outdated Show resolved Hide resolved
@alxndrsn
Copy link
Contributor

Thanks for the PR! I think this is a bug in Authentik's implementation; they seem to be open source (https://github.com/goauthentik/authentik?) so perhaps it can be fixed on their side.

I've opened a potential PR at goauthentik/authentik#9735

@alxndrsn
Copy link
Contributor

Related: panva/openid-client#703

@alxndrsn alxndrsn self-assigned this Oct 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

OIDC login fails due to Authentik sending state QS and node-openid-client failing a check
3 participants