Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

improve: Also pass along a state (nonce) paramater. #1135

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 11 additions & 1 deletion lib/resources/oidc.js
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ const ONE_HOUR = 60 * 60 * 1000;
// * https://bugs.chromium.org/p/chromium/issues/detail?id=1056543
const CODE_VERIFIER_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'ocv';
const NEXT_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'next'; // eslint-disable-line no-multi-spaces
const STATE_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'oidcstate';
const callbackCookieProps = {
httpOnly: true,
secure: HTTPS_ENABLED,
Expand Down Expand Up @@ -102,15 +103,22 @@ module.exports = (service, endpoint) => {
const client = await getClient();
const code_verifier = generators.codeVerifier(); // eslint-disable-line camelcase

// State is not strictly required because PKCS (code_challenge) protects us from CSRF attacks.
lognaturel marked this conversation as resolved.
Show resolved Hide resolved
alxndrsn marked this conversation as resolved.
Show resolved Hide resolved
// See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-countermeasures-4
// We create a nonce (state) anyway because some IDPs (e.g. Authentik) will send the nonce
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nonce is the name of a different value which can be used at various points in OAuth/OIDC. I think avoiding that word here would reduce chance of confusion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@openbrian just in case you missed this 🙂

// back to us. If it doesn't explicitly get one, it sends back an empty string.
const state = generators.state(16);
alxndrsn marked this conversation as resolved.
Show resolved Hide resolved
const code_challenge = generators.codeChallenge(code_verifier); // eslint-disable-line camelcase

const authUrl = client.authorizationUrl({
scope: SCOPES.join(' '),
resource: `${envDomain}/v1`,
state,
code_challenge,
code_challenge_method: CODE_CHALLENGE_METHOD,
});

res.cookie(STATE_COOKIE, state, { ...callbackCookieProps, maxAge: ONE_HOUR });
res.cookie(CODE_VERIFIER_COOKIE, code_verifier, { ...callbackCookieProps, maxAge: ONE_HOUR });

const { next } = req.query;
Expand All @@ -129,15 +137,17 @@ module.exports = (service, endpoint) => {

service.get('/oidc/callback', endpoint.html(async (container, _, req, res) => {
try {
const state = req.cookies[STATE_COOKIE];
const code_verifier = req.cookies[CODE_VERIFIER_COOKIE]; // eslint-disable-line camelcase
const next = req.cookies[NEXT_COOKIE]; // eslint-disable-line no-multi-spaces
res.clearCookie(STATE_COOKIE, callbackCookieProps);
res.clearCookie(CODE_VERIFIER_COOKIE, callbackCookieProps);
res.clearCookie(NEXT_COOKIE, callbackCookieProps); // eslint-disable-line no-multi-spaces

const client = await getClient();

const params = client.callbackParams(req);
const tokenSet = await client.callback(getRedirectUri(), params, { code_verifier });
const tokenSet = await client.callback(getRedirectUri(), params, { state, code_verifier });

const { access_token } = tokenSet;

Expand Down