Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support nonce and acr with OIDC + Tests #883

Open
wants to merge 42 commits into
base: main
Choose a base branch
from
Open

Support nonce and acr with OIDC + Tests #883

wants to merge 42 commits into from

Conversation

fflorent
Copy link
Collaborator

@fflorent fflorent commented Mar 6, 2024
edited
Loading

Context

  • Some Identity provider don't support PKCE and instead impose Nonce;
  • They also may impose passing some ACR values;
  • And require to pass the state and the idToken in the logout

Proposed solution

  • Introduce the GRIST_OIDC_IDP_ENABLED_PROTECTIONS variable who can contain comma-separated values with either: STATE, NONCE and PKCE, and defaults to STATE,PKCE;
  • Introduce the GRIST_OIDC_IDP_ACR_VALUES variable with space separated values;
  • Once logged in (after the callback), store the state and the idToken for the logout, and clear any other values;
  • Introduce unit tests with mocks;
  • Also redirect to the error page when something went wrong while signing in;

@fflorent fflorent force-pushed the support-nonce-and-acr-with-oidc branch 3 times, most recently from e78e2f3 to 8b90c90 Compare March 7, 2024 10:59
@fflorent
Copy link
Collaborator Author

Opening the PR for checking whether the tests work in the CI

@fflorent fflorent marked this pull request as ready for review March 19, 2024 11:23
@fflorent fflorent changed the title Support nonce and acr with OIDC + Tests [Draft] Support nonce and acr with OIDC + Tests Mar 19, 2024
@fflorent fflorent force-pushed the support-nonce-and-acr-with-oidc branch 21 times, most recently from 56706b3 to 1bf114a Compare March 21, 2024 06:49
@fflorent fflorent changed the title [Draft] Support nonce and acr with OIDC + Tests Support nonce and acr with OIDC + Tests Mar 21, 2024
@fflorent
Fix CI?
b2bba75
@fflorent
Tests with keycloak are not in test:server
92e25ec
@fflorent
Fix CI ? + Skip in LoginWithOIDC
f0f606f
@fflorent
Remove health-checks for keycloak, curl being not avaible in container
f03bba1
@fflorent
Attempt fix using docker-run-action
6c59ea9
@fflorent
Remove integration tests (for now)
b859801
@fflorent
Add friendly page for login failure
40d0047
@fflorent
Fix bad indentation
2a807ba
@fflorent
PR remark
3c9be93
@fflorent
Fix after rebase
f2457ef
@fflorent
PR remarks
6ba47c4
@fflorent
Adapt comment
0a0ec36
@fflorent
Smarter way to test whether an info log has been called
2050772
@fflorent
Fix typo in documentation
3a5403b
@fflorent
Remove underscore from implementation
1e6b8dd
@fflorent
Don't accept empty string for GRIST_OIDC_IDP_ENABLED_PROTECTIONS
ac44010
@fflorent
Raise a warning when protections are disabled.
bd99800
@fflorent
Introduce ProtectionManager and clear state from session after login
707653f
@fflorent
Various remarks
74ecd38
@fflorent
PR remarks
9c51d15
@fflorent
Improve session management in callback and translate error message
5c2135e
@fflorent
Comment what is idToken + reuse "sign in" button
35f76cc
@fflorent
Document VERBOSE=1 tip when running the tests
3607a61
@fflorent
Improve formatTokenForLogs
093f0e2
@fflorent
Dmitri's remarks
bb6445b
@fflorent fflorent force-pushed the support-nonce-and-acr-with-oidc branch from 3603767 to bb6445b Compare July 25, 2024 07:25
fflorent
fflorent commented Jul 25, 2024
View reviewed changes
Copy link
Collaborator Author

@fflorent fflorent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @dsagal for your review! 🙏

I made the changes requested.

app/server/lib/OIDCConfig.ts
@@ -167,33 +224,43 @@ export class OIDCConfig {
profile,
}));

delete mreq.session.oidc;
mreq.session.oidc = {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is what I wrote good to you?

app/server/lib/OIDCConfig.ts Outdated
res.redirect(targetUrl ?? '/');
} catch (err) {
log.error(`OIDC callback failed: ${err.stack}`);
// Delete the session data even if the login failed.
if (Object.prototype.hasOwnProperty.call(err, 'response')) {
log.error(`Response received: ${err.response?.body ?? err.response}`);
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realized that the error may be multiple things (especially the body may be a buffer).

I made some changes, with the hope it will be fine for you. If that's too tricky or you feel a bit uncomfortable, I may remove this log and reintroduce it a bit later or in a separate PR.

@fflorent fflorent force-pushed the support-nonce-and-acr-with-oidc branch from 561dc45 to 15732bc Compare July 25, 2024 12:39
@fflorent fflorent requested a review from dsagal July 25, 2024 13:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CamilleLegeron CamilleLegeron CamilleLegeron left review comments

@SleepyLeslie SleepyLeslie Awaiting requested review from SleepyLeslie

@dsagal dsagal Awaiting requested review from dsagal

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
anct
Projects
French administration Board
Status: In Progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@fflorent @CamilleLegeron @paulfitz @SleepyLeslie @dsagal