Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve: Also pass along a state (nonce) paramater. #1135

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

improve: Also pass along a state (nonce) paramater. #1135

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6776bab
improve: Also pass along a state (nonce) paramater.
openbrian May 1, 2024
1e416c1
Explain why the nonce (state) is sent.
openbrian May 2, 2024
4cfd3ec
PKCS -> PKCE
openbrian May 4, 2024
5ecc86d
Use default generated nonce length of 32.
openbrian May 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
12 changes: 11 additions & 1 deletion lib/resources/oidc.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ const ONE_HOUR = 60 * 60 * 1000;
// * https://bugs.chromium.org/p/chromium/issues/detail?id=1056543
const CODE_VERIFIER_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'ocv';
const NEXT_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'next'; // eslint-disable-line no-multi-spaces
const STATE_COOKIE = (HTTPS_ENABLED ? '__Secure-' : '') + 'oidcstate';
const callbackCookieProps = {
httpOnly: true,
secure: HTTPS_ENABLED,
Expand Down Expand Up @@ -102,15 +103,22 @@ module.exports = (service, endpoint) => {
const client = await getClient();
const code_verifier = generators.codeVerifier(); // eslint-disable-line camelcase

// State is not strictly required because PKCE (code_challenge) protects us from CSRF attacks.
// See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-countermeasures-4
// We create a nonce (state) anyway because some IDPs (e.g. Authentik) will send the nonce
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nonce is the name of a different value which can be used at various points in OAuth/OIDC. I think avoiding that word here would reduce chance of confusion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@openbrian just in case you missed this 🙂

// back to us. If it doesn't explicitly get one, it sends back an empty string.
const state = generators.state();
const code_challenge = generators.codeChallenge(code_verifier); // eslint-disable-line camelcase

const authUrl = client.authorizationUrl({
scope: SCOPES.join(' '),
resource: `${envDomain}/v1`,
state,
code_challenge,
code_challenge_method: CODE_CHALLENGE_METHOD,
});

res.cookie(STATE_COOKIE, state, { ...callbackCookieProps, maxAge: ONE_HOUR });
res.cookie(CODE_VERIFIER_COOKIE, code_verifier, { ...callbackCookieProps, maxAge: ONE_HOUR });

const { next } = req.query;
Expand All @@ -129,15 +137,17 @@ module.exports = (service, endpoint) => {

service.get('/oidc/callback', endpoint.html(async (container, _, req, res) => {
try {
const state = req.cookies[STATE_COOKIE];
const code_verifier = req.cookies[CODE_VERIFIER_COOKIE]; // eslint-disable-line camelcase
const next = req.cookies[NEXT_COOKIE]; // eslint-disable-line no-multi-spaces
res.clearCookie(STATE_COOKIE, callbackCookieProps);
res.clearCookie(CODE_VERIFIER_COOKIE, callbackCookieProps);
res.clearCookie(NEXT_COOKIE, callbackCookieProps); // eslint-disable-line no-multi-spaces

const client = await getClient();

const params = client.callbackParams(req);
const tokenSet = await client.callback(getRedirectUri(), params, { code_verifier });
const tokenSet = await client.callback(getRedirectUri(), params, { state, code_verifier });

const { access_token } = tokenSet;

Expand Down