-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improve: Also pass along a state (nonce) paramater. #1135
base: master
Are you sure you want to change the base?
Conversation
bug: getodk#1134 It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.
06763fe
to
6776bab
Compare
Thanks for digging into this and figuring out a solution, @openbrian! I've left one small suggestion. @alxndrsn could you please do a deeper review? |
@@ -102,15 +103,22 @@ module.exports = (service, endpoint) => { | |||
const client = await getClient(); | |||
const code_verifier = generators.codeVerifier(); // eslint-disable-line camelcase | |||
|
|||
// State is not strictly required because PKCS (code_challenge) protects us from CSRF attacks. | |||
// See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-countermeasures-4 | |||
// We create a nonce (state) anyway because some IDPs (e.g. Authentik) will send the nonce |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nonce
is the name of a different value which can be used at various points in OAuth/OIDC. I think avoiding that word here would reduce chance of confusion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@openbrian just in case you missed this 🙂
Thanks for the PR! I think this is a bug in Authentik's implementation; they seem to be open source (https://github.com/goauthentik/authentik?) so perhaps it can be fixed on their side. That said, |
I've opened a potential PR at goauthentik/authentik#9735 |
Related: panva/openid-client#703 |
bug: #1134
It's not needed for CSRF protection because code_challenge does this, but the Authentik IDP will return &state= in the query string. This will trigger node-openid-client to fail a check.
Closes #1134
What has been done to verify that this works as intended?
Why is this the best possible solution? Were any other approaches considered?
How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?
Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.
Before submitting this PR, please make sure you have:
make test
and confirmed all checks still pass OR confirm CircleCI build passesTesting the oidc way failed for me. I mean the tests would not kick off.