StrictRedirectUriValidatorAppAuth does not seem to work for mvc.code #3974

Open
VictorioBerra opened this issue Jan 8, 2020 · 10 comments
Comments

@VictorioBerra VictorioBerra commented Jan 8, 2020

Issue / Steps to reproduce the problem

  • Clone IS4 Repo
  • build.ps1
  • Start IS4 Host
  • Edit mvc.code launchsettings to bind to http://127.0.0.1:whatever instead of http://localhost:44392
  • Start mvc.code client
  • Login fails.

Relevant parts of the log file

[11:35:14 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
idsrv was not authenticated. Failure message: Unprotect ticket failed

[11:35:14 Debug] IdentityServer4.Endpoints.AuthorizeEndpoint
No user present in authorize request

[11:35:14 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation

[11:35:14 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client mvc.code succeeded.

[11:35:15 Error] IdentityServer4.Validation.AuthorizeRequestValidator
Invalid redirect_uri: http://127.0.0.1:44392/signin-oidc
{"ClientId": "mvc.code", "ClientName": "MVC Code Flow", "RedirectUri": null, "AllowedRedirectUris": ["https://localhost:44392/signin-oidc"], "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"client_id": "mvc.code", "redirect_uri": "http://127.0.0.1:44392/signin-oidc", "response_type": "code", "scope": "openid profile email api1 offline_access", "code_challenge": "75o1z9neuTbRnajrbelP_L4vnwTj2oFEV9qfJYXkAQs", "code_challenge_method": "S256", "response_mode": "form_post", "nonce": "637141017148289049.NDMxODIwZmItNjI3MS00NmQ3LWFmOGEtOGFlOWZjM2VkOThjNDBlY2EzNzEtYTRmOS00NTUzLThkNzUtNDEzYmEwNDYzNTgy", "state": "CfDJ8Li6NyFeAl1CoW7SuCNduCMk4wyZUn4ZtYuDrIt3HSMbITkAY6LVufAInJxkFCGHn9TJmmfxKUVttaaemedUAudSz1LLhBCXtBB1zcPjUow0tV862h97LGRKtkB54i3PcMCSiuWNx_TgvflOWV6LrGKZIKf6EWZSGTaYQ6mNCdd6bk0Vl6N2BJhFy76vjdU_w_6i3x04qhQiOrvgdbkYwqpVfn32SFdZHswTIXOwymNALmKFWcxmHWUqZ1tXi4t_amCnAp3l_GL-StLwq0ktFhPM7NewYt-UnlWjag-Al6IGe0FE0qH6r-ZwV9jJMtMu1-AMT2gukrJxSDF-Spt3mziSwwXvunzClK9xX9G6RlF-aTPX5gBFDTvL-DXHwmSoFQ", "x-client-SKU": "ID_NETSTANDARD2_0", "x-client-ver": "5.5.0.0"}, "$type": "AuthorizeRequestValidationLog"}

[11:35:15 Error] IdentityServer4.Endpoints.AuthorizeEndpoint
Request validation failed

[11:35:15 Information] IdentityServer4.Endpoints.AuthorizeEndpoint
{"ClientId": "mvc.code", "ClientName": "MVC Code Flow", "RedirectUri": null, "AllowedRedirectUris": ["https://localhost:44392/signin-oidc"], "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"client_id": "mvc.code", "redirect_uri": "http://127.0.0.1:44392/signin-oidc", "response_type": "code", "scope": "openid profile email api1 offline_access", "code_challenge": "75o1z9neuTbRnajrbelP_L4vnwTj2oFEV9qfJYXkAQs", "code_challenge_method": "S256", "response_mode": "form_post", "nonce": "637141017148289049.NDMxODIwZmItNjI3MS00NmQ3LWFmOGEtOGFlOWZjM2VkOThjNDBlY2EzNzEtYTRmOS00NTUzLThkNzUtNDEzYmEwNDYzNTgy", "state": "CfDJ8Li6NyFeAl1CoW7SuCNduCMk4wyZUn4ZtYuDrIt3HSMbITkAY6LVufAInJxkFCGHn9TJmmfxKUVttaaemedUAudSz1LLhBCXtBB1zcPjUow0tV862h97LGRKtkB54i3PcMCSiuWNx_TgvflOWV6LrGKZIKf6EWZSGTaYQ6mNCdd6bk0Vl6N2BJhFy76vjdU_w_6i3x04qhQiOrvgdbkYwqpVfn32SFdZHswTIXOwymNALmKFWcxmHWUqZ1tXi4t_amCnAp3l_GL-StLwq0ktFhPM7NewYt-UnlWjag-Al6IGe0FE0qH6r-ZwV9jJMtMu1-AMT2gukrJxSDF-Spt3mziSwwXvunzClK9xX9G6RlF-aTPX5gBFDTvL-DXHwmSoFQ", "x-client-SKU": "ID_NETSTANDARD2_0", "x-client-ver": "5.5.0.0"}, "$type": "AuthorizeRequestValidationLog"}

[11:35:15 Information] IdentityServer4.Events.DefaultEventService
{"ClientId": "mvc.code", "ClientName": "MVC Code Flow", "RedirectUri": null, "Endpoint": "Authorize", "SubjectId": null, "Scopes": "", "GrantType": null, "Error": "unauthorized_client", "ErrorDescription": "Invalid redirect_uri", "Category": "Token", "Name": "Token Issued Failure", "EventType": "Failure", "Id": 2001, "Message": null, "ActivityId": "0HLSKC4C8AHL2:00000004", "TimeStamp": "2020-01-08T17:35:15.0000000Z", "ProcessId": 72664, "LocalIpAddress": "::1:5000", "RemoteIpAddress": "::1", "$type": "TokenIssuedFailureEvent"}

[11:35:15 Information] Serilog.AspNetCore.RequestLoggingMiddleware
HTTP GET /connect/authorize?client_id=mvc.code&redirect_uri=http%3A%2F%2F127.0.0.1%3A44392%2Fsignin-oidc&response_type=code&scope=openid%20profile%20email%20api1%20offline_access&code_challenge=75o1z9neuTbRnajrbelP_L4vnwTj2oFEV9qfJYXkAQs&code_challenge_method=S256&response_mode=form_post&nonce=637141017148289049.NDMxODIwZmItNjI3MS00NmQ3LWFmOGEtOGFlOWZjM2VkOThjNDBlY2EzNzEtYTRmOS00NTUzLThkNzUtNDEzYmEwNDYzNTgy&state=CfDJ8Li6NyFeAl1CoW7SuCNduCMk4wyZUn4ZtYuDrIt3HSMbITkAY6LVufAInJxkFCGHn9TJmmfxKUVttaaemedUAudSz1LLhBCXtBB1zcPjUow0tV862h97LGRKtkB54i3PcMCSiuWNx_TgvflOWV6LrGKZIKf6EWZSGTaYQ6mNCdd6bk0Vl6N2BJhFy76vjdU_w_6i3x04qhQiOrvgdbkYwqpVfn32SFdZHswTIXOwymNALmKFWcxmHWUqZ1tXi4t_amCnAp3l_GL-StLwq0ktFhPM7NewYt-UnlWjag-Al6IGe0FE0qH6r-ZwV9jJMtMu1-AMT2gukrJxSDF-Spt3mziSwwXvunzClK9xX9G6RlF-aTPX5gBFDTvL-DXHwmSoFQ&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0 responded 302 in 349.6802 ms

[11:35:15 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
idsrv was not authenticated. Failure message: Unprotect ticket failed

[11:35:15 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
idsrv was not authenticated. Failure message: Unprotect ticket failed

[11:35:15 Information] Serilog.AspNetCore.RequestLoggingMiddleware
HTTP GET /home/error?errorId=CfDJ8Li6NyFeAl1CoW7SuCNduCN7qFJbtqCQg4FSoXtKqITBdyps30rTLsAhpERHdD_mD4AIqbpnm4N4anUsvbUEMSA7_C6piSkuaq68f0Luxz0h2tK0_LHbbL9RMmXiwzKzhsLP7Bl6yjX7tKnnAv3jnql9Jndxitkov3r5sSrbPEJunvs0s-4q8em6295mdlA3BOBEzPxfQVVYbXrB2_qjJefeIbgRkYkHDzgqpqgWKVRORHqrNjiwB2S7yJJ1M4bwdbvf2jFPLD_5KrMAWNJz2MlysLDSf8w6tn9jG7rJe-KTVU-B4bB9TsPxkPxQoIaiWjlMBaouJE7HXSYEiKfzCaY responded 200 in 368.8876 ms

After `[11:35:14 Debug] IdentityServer4.Stores.ValidatingClientStore client configuration validation for client mvc.code succeeded.` I would expect to see `WashuIdentityServer-Local [10:32:21 IdentityServer4.Validation.StrictRedirectUriValidatorAppAuth [Debug] Checking for 127.0.0.1 redirect URI`, but I never see this.

Launch ConsoleHybridWithPkce and it works flawlessly.

Additional Information

https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Validation/Default/StrictRedirectUriValidatorAppAuth.cs#L87-L90

This fails because `parts[2]` is `12345/oidc-signin`, so `int.TryParse` will not succeed. Is this desired? If so, this is not very explicit.
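As an added illustration, not IdentityServer4's code and not the author's PR, the program below contrasts the split-on-colon shape the issue describes with a `System.Uri` comparison that lets only the port vary, as RFC 8252 section 7.3 permits. The registered URI `http://127.0.0.1/signin-oidc`, the class and method names, and the choice to still require the path to match are assumptions of this example; wiring it into IdentityServer4 would go through a custom redirect URI validator.

```csharp
using System;

// Added illustration, not IdentityServer4 code. Models the loopback redirect
// check from RFC 8252 section 7.3: the client registers a loopback URI once,
// and at request time any port is accepted while scheme, host and path must
// still match the registered value.
public static class LoopbackRedirectUri
{
    // The failing shape described in the issue: splitting on ':' leaves
    // "12345/signin-oidc" in parts[2] once the URI carries a path, so the
    // port parse fails and the loopback exception is never granted.
    public static bool IsLoopbackSplitOnColon(string requestedUri)
    {
        var parts = requestedUri.Split(':');
        return parts.Length == 3
            && parts[0] == "http"
            && parts[1] == "//127.0.0.1"
            && int.TryParse(parts[2], out var port)
            && port > 0 && port <= 65535;
    }

    // Port-insensitive comparison using System.Uri, so the path no longer
    // collides with the port. Only plain http to the 127.0.0.1 literal gets
    // the relaxed port rule; other schemes or hosts (including "localhost")
    // are left to the normal exact-match validation.
    public static bool IsLoopbackMatch(string registeredUri, string requestedUri)
    {
        if (!Uri.TryCreate(registeredUri, UriKind.Absolute, out var registered)
            || !Uri.TryCreate(requestedUri, UriKind.Absolute, out var requested))
            return false;

        bool IsHttpLoopback(Uri u) => u.Scheme == Uri.UriSchemeHttp && u.Host == "127.0.0.1";
        if (!IsHttpLoopback(registered) || !IsHttpLoopback(requested))
            return false;

        // The ephemeral port is the only component allowed to differ.
        return requested.AbsolutePath == registered.AbsolutePath
            && requested.Query == registered.Query
            && requested.Fragment.Length == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        const string registered = "http://127.0.0.1/signin-oidc";       // registered once, no port (assumed)
        const string requested  = "http://127.0.0.1:12345/signin-oidc"; // client picked an ephemeral port

        // The path after the port is what defeats the split-on-colon check.
        Console.WriteLine($"split-on-colon: {LoopbackRedirectUri.IsLoopbackSplitOnColon(requested)}");
        // Same request against the registered loopback URI: port ignored, path enforced.
        Console.WriteLine($"uri match, same path:  {LoopbackRedirectUri.IsLoopbackMatch(registered, requested)}");
        Console.WriteLine($"uri match, other path: {LoopbackRedirectUri.IsLoopbackMatch(registered, "http://127.0.0.1:12345/other")}");
        Console.WriteLine($"uri match, localhost:  {LoopbackRedirectUri.IsLoopbackMatch(registered, "http://localhost:12345/signin-oidc")}");
    }
}
```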

@leastprivilege leastprivilege commented Jan 10, 2020

Is this a real problem - or just hypothetical?

@VictorioBerra VictorioBerra commented Jan 10, 2020

@leastprivilege? This is a real problem. You do not get the benefit of allowing any 127.0.0.1 redirect URLs with a random port if the redirect URL has a path like `http://127.0.0.1:12345/signin-oidc`. So right now this only works for the console app sample.

@leastprivilege leastprivilege commented Jan 10, 2020

It's for RFC 8252. You can disable it.

@VictorioBerra VictorioBerra commented Jan 10, 2020

Ideally I would keep it if it worked, as I really like the idea of being able to create clients but not have to maintain a list of localhost or 127.0.0.1 redirect URLs for developers.

@leastprivilege leastprivilege commented Jan 10, 2020

It was built for a different use case. Propose a PR once you understand the above RFC.

@VictorioBerra VictorioBerra commented Jan 10, 2020

Sounds good. I just read the whole RFC; section 7.3 shows a path is supported. I will try and get a PR together.

@leastprivilege leastprivilege commented Jan 10, 2020

Why don't you create your own validator for your use case?

@VictorioBerra VictorioBerra commented Jan 10, 2020

I saw that could be easily done, but I figured this was a shortcoming of the provided StrictRedirectUriValidatorAppAuth and other people would benefit from the fix of allowing paths in the redirect URI. I still may do that; I wanted to also research and make sure I wasn't opening any security holes for my use case of not wanting to maintain developer localhost redirect URIs.

@stale stale bot commented Jan 25, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

@stale stale bot added the wontfix label Jan 25, 2020
@VictorioBerra VictorioBerra commented Jan 25, 2020

Bumping to keep open. There is an open pull request associated with this issue.

@stale stale bot removed the wontfix label Jan 25, 2020