[Bug 33675] New: OAuth should support state parameter
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Bug ID: 33675 Summary: OAuth should support state parameter Change sponsored?: --- Product: Koha Version: 22.11 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: nick@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Some Authentication solutions require a 'state' parameter to be passed during authentication to verify the sources on either end, it is supported by Mojolicious: https://metacpan.org/pod/Mojolicious::Plugin::OAuth2 We should add this to Koha -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | Version|22.11 |master -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com Status|NEW |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- URL| |https://www.oauth.com/oauth | |2-servers/accessing-data/au | |thorization-request/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |agustinmoyano@theke.io, | |dcook@prosentient.com.au --- Comment #1 from Tomás Cohen Arazi <tomascohen@gmail.com> --- This is a recommended openid-connect parameter [1] and OAuth2 integrations seem to require it [2], but I'm not sure if it should be enforced. Basically because I don't know all the IdPs around. [1] https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest [2] https://www.oauth.com/oauth2-servers/accessing-data/authorization-request/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #2 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 151019 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151019&action=edit Bug 33675: Add CSRF protection to OAuth/OIDC authentication This patch makes the OAuth/OIDC client pass a `state` parameter with a CSRF protection token, to be validated back when the flow returns to Koha. Ideally, the Mojolicious::Plugin::OAuth2 library should deal with this implicitly, probably making use of JWT. But as of now, this is the best way to implement it. To test: 1. Have a working SSO solution (ktd --sso) 2. Click to login using SSO => SUCCESS: Notice a 'state' parameter on the URL, looks like a random thing 3. When you login, no error is reported -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|OAuth should support state |Add CSRF protection to |parameter |OAuth/OIDC authentication -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #1)
This is a recommended openid-connect parameter [1] and OAuth2 integrations seem to require it [2], but I'm not sure if it should be enforced. Basically because I don't know all the IdPs around.
It looks like OAuth2 also only recommends it: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 However, the specs do say that the "state" parameter is required in the Authorization Response if it was included in the Authorization Request: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 I suspect that most IdPs should support "state" if they want to be spec compliant, although I suppose there's no guarantee. I've certainly dealt with 1 non-compliant IdP in the past, although that was nearly 10 years ago now. If we are worried, I think we could make using "state" optional in terms of whether or not to send it, but... I think it should be all right. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |33708 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708 [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- Hmm I got an error the first time I tried it and then when I clicked the "Login" button a second time it worked. The error might be residue from previous work I suppose. Going to see if I can reproduce it... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #4)
Hmm I got an error the first time I tried it and then when I clicked the "Login" button a second time it worked. The error might be residue from previous work I suppose. Going to see if I can reproduce it...
Can't reproduce so yeah probably not a problem. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #151019|0 |1 is obsolete| | --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Created attachment 151036 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151036&action=edit Bug 33675: Add CSRF protection to OAuth/OIDC authentication This patch makes the OAuth/OIDC client pass a `state` parameter with a CSRF protection token, to be validated back when the flow returns to Koha. Ideally, the Mojolicious::Plugin::OAuth2 library should deal with this implicitly, probably making use of JWT. But as of now, this is the best way to implement it. To test: 1. Have a working SSO solution (ktd --sso) 2. Click to login using SSO => SUCCESS: Notice a 'state' parameter on the URL, looks like a random thing 3. When you login, no error is reported Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart+koha@gmail. | |com --- Comment #7 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- First time trying this, and I failed to test. I am getting """ test We are sorry... Invalid parameter: redirect_uri """ After I clicked "login with test" The generated URL is http://sso:8082/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=kohaoidc&redirect_uri=http%3A%2F%2Fkohadev-intra.myDNSname.org%3A8081%2Fapi%2Fv1%2Foauth%2Flogin%2Ftest%2Fstaff&scope=openid+email&state=873f7839ab38384730c0635c3b260564297de884%2Ca443349be07f4216b95089525be35eeb96b74452%2C1683794690 I guess I made an error in the config somewhere but I have double-checked everything :-/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #8 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Jonathan Druart from comment #7)
First time trying this, and I failed to test.
I am getting
""" test We are sorry...
Invalid parameter: redirect_uri """ After I clicked "login with test" The generated URL is http://sso:8082/auth/realms/test/protocol/openid-connect/ auth?response_type=code&client_id=kohaoidc&redirect_uri=http%3A%2F%2Fkohadev- intra.myDNSname. org%3A8081%2Fapi%2Fv1%2Foauth%2Flogin%2Ftest%2Fstaff&scope=openid+email&state =873f7839ab38384730c0635c3b260564297de884%2Ca443349be07f4216b95089525be35eeb9 6b74452%2C1683794690
I guess I made an error in the config somewhere but I have double-checked everything :-/
The wiki suggests using localhost:port/* but your URL is using kohadev.myDNSname... because it picks it from the baseURL prefs -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_23_05_candidate -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #9 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- Could we add a test to cover this change? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- URL|https://www.oauth.com/oauth |https://www.oauth.com/oauth |2-servers/accessing-data/au |2-servers/accessing-data/au |thorization-request/ |thorization-request/ | |https://wiki.koha-community | |.org/wiki/Testing_SSO -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- URL|https://www.oauth.com/oauth |https://www.oauth.com/oauth |2-servers/accessing-data/au |2-servers/accessing-data/au |thorization-request/ |thorization-request/ |https://wiki.koha-community | |.org/wiki/Testing_SSO | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=33768 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #151036|0 |1 is obsolete| | --- Comment #10 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 151436 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151436&action=edit Bug 33675: Add CSRF protection to OAuth/OIDC authentication This patch makes the OAuth/OIDC client pass a `state` parameter with a CSRF protection token, to be validated back when the flow returns to Koha. Ideally, the Mojolicious::Plugin::OAuth2 library should deal with this implicitly, probably making use of JWT. But as of now, this is the best way to implement it. To test: 1. Have a working SSO solution (ktd --sso) 2. Click to login using SSO => SUCCESS: Notice a 'state' parameter on the URL, looks like a random thing 3. When you login, no error is reported Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |33782 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33782 [Bug 33782] Oauth2/OIDC identity providers code is not covered by unit tests -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |23.05.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #11 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 23.05. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_23_05_candidate | Text to go in the| |This development adds release notes| |support for the `state` | |parameter generation and | |delivery when contacting | |IdPs. This is an optional | |but recommended opaque | |value in the OAuth2/OIDC | |specs that helps prevent | |CSRF attacks, but is also a | |requirement on some | |Identity Provider | |solutions. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |Pushed to stable Version(s)|23.05.00 |23.05.00,22.11.07 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #12 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Nice work everyone! Pushed to stable for 22.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |34163 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163 [Bug 34163] CSRF error if try OAuth2/OIDC after logout -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Michaela Sieber <michaela.sieber@kit.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |clemens.tubach@kit.edu, | |lukasz.koszyk@kit.edu, | |michaela.sieber@kit.edu -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |34755 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34755 [Bug 34755] Error authenticating to external OpenID Connect (OIDC) identity provider : wrong_csrf_token -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #13 from Jonathan Druart <jonathan.druart@gmail.com> --- No tests => regression later! bug 36219. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 --- Comment #14 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Jonathan Druart from comment #13)
No tests => regression later! bug 36219.
:-( -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |40736 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40736 [Bug 40736] OAuth/OIDC authentication broken when CGISESSID is missing -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |42719 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42719 [Bug 42719] OAuth/OIDC login crashes with 500 when no CGISESSID cookie exists (IdP-initiated flow) -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org