
WASReqURLOidc cookie encodes the request URL but doesn't decode it upon successful redirection #15023

Closed
KingMackle opened this issue Nov 18, 2020 · 2 comments · Fixed by #16746
Assignees
Labels
bug This bug is not present in a released version of Open Liberty release bug This bug is present in a released version of Open Liberty release:21006 team:Security SSO

Comments

@KingMackle

Describe the bug
We are calling a protected URL including some query params like
/protected/resource/?name=aaaaaaaa%20aaaaaaa&description=bbbbbbb%20bbbbbbbbbb&type=CHECKLIST
The server uses OIDC. The URL in the WASReqURL cookie appears to be incorrectly encoded:
WASReqURLOidcn1674482248=https://server.com/protected/resource/?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST; Expires=Mon, 16 Nov 2020 21:25:46 GMT; Path=/; Secure; HttpOnly
Note that %20 becomes %252520

Steps to Reproduce
Access a protected resource on a WLP server that uses OIDC
Request 1:
GET /protected/resource/?name=aaaaaaaa%20aaaaaaa&description=bbbbbbb%20bbbbbbbbbb&type=CHECKLIST HTTP/1.1

Response 1:
HTTP/1.1 302 Found
Location: https://server.com/oidc/endpoint/ums/authorize?response_type=code&client_id=client&state=001605561526461ZdjsBdS3i&redirect_uri=https%3A%2F%2Fserver.com%3A9443%2Foidcclient%2Fredirect%2FumsClient&scope=openid+profile+email
Set-Cookie: WASReqURLOidcn1674482248=https://server.com/protected/resource/?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST; Expires=Mon, 16 Nov 2020 21:25:46 GMT; Path=/; Secure; HttpOnly

Request 2:
GET https://server.com/oidc/endpoint/ums/authorize?response_type=code&client_id=client&state=001605561526461ZdjsBdS3i&redirect_uri=https%3A%2F%2Fserver.com%3A9443%2Foidcclient%2Fredirect%2FumsClient&scope=openid+profile+email

Response 2:
HTTP/1.1 302
Location: https://server.com/oidcclient/redirect/umsClient?session_state=8QI1st1xwaqMMD4HexvAblXcVxxAZBQKhAbY2TBTwBE%3D.656677c4b074&code=CIxsvDu7RGVNYNHufIlB28r5vVFkZt&state=001605561526461ZdjsBdS3i

Request 3:
GET /oidcclient/redirect/umsClient?session_state=8QI1st1xwaqMMD4HexvAblXcVxxAZBQKhAbY2TBTwBE%3D.656677c4b074&code=CIxsvDu7RGVNYNHufIlB28r5vVFkZt&state=001605561526461ZdjsBd

Response 3:
HTTP/1.1 302 Found
Location: https://server.com/protected/resource/?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST

Request 4:
GET /protected/resource/?name=aaaaaaaa%252520aaaaaaa&description=bbbbbbb%252520bbbbbbbbbb&type=CHECKLIST HTTP/1.1

Expected behavior
Expect the URL query params to be decoded upon successful redirection

Diagnostic information:

  • OpenLiberty Version: WLP 20.0.0.9.
  • Java Version:
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 8.0.6.0 - pwa6480sr6-20191107_01(SR6))
IBM J9 VM (build 2.9, JRE 1.8.0 Windows 10 amd64-64-Bit Compressed References 20191106_432135 (JIT enabled, AOT enabled)
OpenJ9   - f0b6be7
OMR      - 18d8f94
IBM      - 233dfb5)
JCL - 20191016_01 based on Oracle jdk8u231-b1
@KingMackle KingMackle added the bug This bug is not present in a released version of Open Liberty label Nov 18, 2020
@teddyjtorres
Contributor

We agree it is a bug. Accepting it into our backlog.

@teddyjtorres
Contributor

teddyjtorres commented Dec 8, 2020

Please determine if you can use

<openidConnectClient isClientSideRedirectSupported="true" />

to have the cookie created at the browser side as a workaround for that scenario.

@ayoho ayoho moved this from Backlog to On Deck in Security SSO Mar 15, 2021
@ayoho ayoho added the release bug This bug is present in a released version of Open Liberty label Apr 23, 2021
@ayoho ayoho moved this from Current Iteration to In Progress in Security SSO Apr 26, 2021
ayoho added a commit to ayoho/open-liberty that referenced this issue May 18, 2021
Fixes OpenLiberty#15023

Instead of encoding the query string in the original request URL, we'll leave it as-is. That should ensure we ultimately use the "real" value of the query string. During the creation of the WASReqURLOidc cookie, the cookie value is encoded anyway to mitigate against malformed and potentially malicious cookie values. The `OidcRedirectServlet` code is also updated to use slightly different code to read the cookie so that the respective decoding is done.

15023: working
Security SSO automation moved this from In Progress to Done May 19, 2021
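As an added example (not Open Liberty's code, written for this page), the following Python models the encoding round trip the issue reports and the one the fix commit describes, using only urllib.parse. The function names, the cookie-safe character set and the validation step in redirect_target_checked are my assumptions, not Liberty internals; the sample URL is the one from the issue.

```python
"""Model of the WASReqURLOidc round trip described in issue #15023.

Added example, not Open Liberty code: the hypothetical functions below
reproduce the encoding steps the issue and the fix commit describe.
"""
from urllib.parse import parse_qs, quote, unquote, urlsplit, urlunsplit

# Constructed from Request 1 in the issue.
ORIGINAL_REQUEST = (
    "https://server.com/protected/resource/"
    "?name=aaaaaaaa%20aaaaaaa&description=bbbbbbb%20bbbbbbbbbb&type=CHECKLIST"
)

# Characters allowed to stay literal inside the cookie value. Everything
# else, including '%', ';', whitespace and CR/LF, is percent-encoded so the
# value cannot break out of the Set-Cookie header (assumption: this stands
# in for the "cookie value is encoded anyway" step named in the fix).
COOKIE_SAFE = ":/?&="


def encode_for_cookie(url: str) -> str:
    return quote(url, safe=COOKIE_SAFE)


def cookie_value_buggy(request_url: str) -> str:
    """Pre-fix behaviour: the query string is percent-encoded a second time
    before the whole URL is encoded for the cookie, so an incoming %20 turns
    into %2520 and then %252520."""
    parts = urlsplit(request_url)
    re_encoded_query = quote(parts.query, safe="&=")
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, re_encoded_query, ""))
    return encode_for_cookie(url)


def redirect_target_buggy(cookie_value: str) -> str:
    """Pre-fix behaviour: the cookie value becomes the Location verbatim."""
    return cookie_value


def cookie_value_fixed(request_url: str) -> str:
    """Post-fix behaviour: leave the query string as received, encode once."""
    return encode_for_cookie(request_url)


def redirect_target_fixed(cookie_value: str) -> str:
    """Post-fix behaviour: undo exactly the one cookie encoding."""
    return unquote(cookie_value)


def cookie_header_safe(value: str) -> bool:
    """True if the value cannot terminate or extend a Set-Cookie header."""
    return not any(c in value for c in ";\r\n \t,\"\\")


def redirect_target_checked(cookie_value: str, expected_host: str) -> str:
    """Post-fix decode plus a validation step (my addition, not part of the
    fix): refuse a target that is off-host or that carries control
    characters which the decode step would otherwise reintroduce."""
    target = redirect_target_fixed(cookie_value)
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.netloc != expected_host:
        raise ValueError("WASReqURLOidc target is not on this host")
    if any(ord(c) < 0x20 for c in target):
        raise ValueError("control character in redirect target")
    return target


def app_query_params(url: str) -> dict:
    """What the protected application sees after the container decodes the
    query string once (servlet getParameter semantics)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    print("buggy cookie :", cookie_value_buggy(ORIGINAL_REQUEST))
    print("buggy app sees:", app_query_params(redirect_target_buggy(cookie_value_buggy(ORIGINAL_REQUEST))))
    print("fixed cookie :", cookie_value_fixed(ORIGINAL_REQUEST))
    print("fixed app sees:", app_query_params(redirect_target_checked(cookie_value_fixed(ORIGINAL_REQUEST), "server.com")))
```

Running it reproduces the %252520 value from the Set-Cookie header above on the old path (the application then receives a literal "%2520" inside the parameter), and the original %20 on the fixed path. One decode on the way out restores anything the encode hid, so a redirect target read back from a cookie still needs its own host and control-character check before it is written into a Location header; that is what redirect_target_checked adds.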