diff --git a/lib/resources/oidc.js b/lib/resources/oidc.js index 5c9f9b1cc..06835e1f2 100644 --- a/lib/resources/oidc.js +++ b/lib/resources/oidc.js @@ -44,6 +44,7 @@ const ONE_HOUR = 60 * 60 * 1000; // * https://bugs.chromium.org/p/chromium/issues/detail?id=1056543 const CODE_VERIFIER_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'ocv'; const NEXT_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'next'; // eslint-disable-line no-multi-spaces +const STATE_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'oidcstate'; const callbackCookieProps = { httpOnly: true, secure: HTTPS_ENABLED, @@ -103,15 +104,22 @@ module.exports = (service, endpoint) => { const client = await getClient(); const code_verifier = generators.codeVerifier(); // eslint-disable-line camelcase + // State is not strictly required because PKCE (code_challenge) protects us from CSRF attacks. + // See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-countermeasures-4 + // We create a nonce (state) anyway because some IDPs (e.g. Authentik) will send the nonce + // back to us. If it doesn't explicitly get one, it sends back an empty string. + const state = generators.state(); const code_challenge = generators.codeChallenge(code_verifier); // eslint-disable-line camelcase const authUrl = client.authorizationUrl({ scope: SCOPES.join(' '), resource: `${envDomain}/v1`, + state, code_challenge, code_challenge_method: CODE_CHALLENGE_METHOD, }); + res.cookie(STATE_COOKIE, state, { ...callbackCookieProps, maxAge: ONE_HOUR }); res.cookie(CODE_VERIFIER_COOKIE, code_verifier, { ...callbackCookieProps, maxAge: ONE_HOUR }); const { next } = req.query; @@ -130,8 +138,10 @@ module.exports = (service, endpoint) => { service.get('/oidc/callback', endpoint.html(async (container, _, req, res) => { try { + const state = req.cookies[STATE_COOKIE]; const code_verifier = req.cookies[CODE_VERIFIER_COOKIE]; // eslint-disable-line camelcase const next = req.cookies[NEXT_COOKIE]; // eslint-disable-line no-multi-spaces + res.clearCookie(STATE_COOKIE, callbackCookieProps); res.clearCookie(CODE_VERIFIER_COOKIE, callbackCookieProps); res.clearCookie(NEXT_COOKIE, callbackCookieProps); // eslint-disable-line no-multi-spaces @@ -139,7 +149,7 @@ module.exports = (service, endpoint) => { const params = client.callbackParams(req); - const tokenSet = await client.callback(getRedirectUri(), params, { response_type: RESPONSE_TYPE, code_verifier }); + const tokenSet = await client.callback(getRedirectUri(), params, { response_type: RESPONSE_TYPE, code_verifier, state }); const { access_token } = tokenSet;