-
-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support nonce and acr with OIDC + Tests #883
base: main
Are you sure you want to change the base?
Support nonce and acr with OIDC + Tests #883
Conversation
e78e2f3
to
8b90c90
Compare
Opening the PR for checking whether the tests work in the CI |
56706b3
to
1bf114a
Compare
bb81a2a
to
d83df2e
Compare
@SleepyLeslie I sent you in private everything you need to try my PR using Agent Connect. Please keep me informed otherwise. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @fflorent for the updates and Agent Connect info. I'm waiting for an approval to sign up for Agent Connect. I'll get back to you as soon as I finish testing. Otherwise this looks good to me now, and should be able to get merged soon!
@SleepyLeslie Hmm, I have given the env variables to use, but using your own email won't work. I suggest we take some time to take a look at that together if you want to, that will be probably simpler and faster. It may take 10 / 15 minutes in case testing is just what you need, or more if you have questions regarding my developments. I send you an email to see what slot we could find. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fflorent Thanks for working with me on testing. I ran your PR successfully against Agent Connect locally. Found a small issue when running with my Authentik server and left a comment. Otherwise this PR looks good to me.
Please disregard my previous comment (deleted). I messed up. Everything seems in good shape now.
|
||
// The callback function will compare the state present in the params and the one we retrieved from the session. | ||
// If they don't match, it will throw an error. | ||
const tokenSet = await this._client.callback( | ||
this._redirectUrl, | ||
params, | ||
{ state, code_verifier: codeVerifier } | ||
); | ||
const tokenSet = await this._client.callback(this._redirectUrl, params, checks); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
During my test against my own Authentik server, excluding STATE
from GRIST_OIDC_IDP_ENABLED_PROTECTIONS
caused login to fail. This was because Authentik sent an empty state
while Grist expected it to not exist at all. Could you handle this and similar situations? I could imagine stripping empty fields from params
before calling this._client.callback
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your feedback! I'll take a look at this next week (I am not working for the ANCT today).
The last time I took a look at Authentik, I failed to setup an instance (at least, it seemed to me it's not that easy). I'll take a look and see if a free account on their SAAS offer would be enough.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great! Adds a lot of features to OIDC support, and it's great to see a comprehensive test! Sorry for having lots of comments -- but most are superficial. Overall it looks very solid, thank you!
client_secret: clientSecret, | ||
redirect_uris: [this._redirectUrl], | ||
response_types: ['code'], | ||
...extraMetadata, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This allows GRIST_OIDC_IDP_EXTRA_CLIENT_METADATA
to override the values set earlier. Is that intentional? If so, maybe that's worth mentioning in the description of that variable?
|
||
const CALLBACK_URL = '/oauth2/callback'; | ||
|
||
function formatTokenForLogs(token: TokenSet) { | ||
return _.chain(token) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Total nitpick, but after being a heavy lodash user myself, I've since found that it makes things a bit harder to understand (e.g. I'd have to refer to docs often), and native JS is more readable and almost as concise. E.g. I think this would be equivalent:
const showValueInClear = ['token_type', 'expires_in', 'expires_at', 'scope'];
const result = {};
for (const [key, value] of Object.entries(token)) {
if (typeof value !== 'function') {
result[key] = showValueInClear.includes(key) ? value : 'REDACTED';
}
}
return result;
import { SessionObj } from './BrowserSession'; | ||
import { SendAppPage } from './sendAppPage'; | ||
|
||
enum ENABLED_PROTECTIONS { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have a handy StringUnion
class in app/common/StringUnion
, which is great for things like this. More convenient than an enum, I think. It does typings, and has a method checkAll
to check a list of values easily.
"Something went wrong while logging, please try again or contact your administrator if the problem persists"; | ||
|
||
class ErrorWithUserFriendlyMessage extends Error { | ||
constructor(errMessage: string, public readonly userFriendlyMessage: string = DEFAULT_USER_FRIENDLY_MESSAGE) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am confused by the purpose of this default message. When would you want to omit the second argument?
const issuer = await Issuer.discover(issuerUrl); | ||
const extraMetadata: Partial<ClientMetadata> = JSON.parse(section.flag('extraClientMetadata').readString({ | ||
envVar: 'GRIST_OIDC_IDP_EXTRA_CLIENT_METADATA', | ||
defaultValue: '{}' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I recall correctly, the default won't come into play if the variable is set but is an empty string. I think it's easy to handle that case with JSON.parse(section.flag(...).readString(....) || "{}")
?
env, | ||
env: { | ||
...env, | ||
...(process.env.SERVER_NODE_OPTIONS ? {NODE_OPTIONS: process.env.SERVER_NODE_OPTIONS} : {}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see SERVER_NODE_OPTIONS
here and NODE_SERVER_OPTIONS
in develop.md
documentation.
@@ -74,6 +74,8 @@ export interface SessionObj { | |||
codeVerifier?: string; | |||
state?: string; | |||
targetUrl?: string; | |||
nonce?: string; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a brief explanation of the oidc
state (currently only codeVerifier is explained). E.g. I know, after reading the code, that some of state, codeVerifier, and nonce (depending on GRIST_OIDC_IDP_ENABLED_PROTECTIONS) will be set as protections during OIDC authentication, and it would be a helpful reminder to anyone else reading this code.
targetUrl | ||
}; | ||
if (this.supportsProtection('PKCE')) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no problem with this code, but would just like to share an idea. Each protection implements the same interface, so you could organize the code so that the configuration is translated to an array of checks that you can then scan through without re-checking the configuration each time. Something like this:
for (const protection of enabledProtections) {
this._protections.push(Protections[protection])
}
const Protections: {[key: EnabledProtection]: ...} = {
NONCE: {
setProtection(sessionInfo, urlParams) {
sessionInfo.nonce = urlParams.nonce = generator.nonce();
},
checkProtection(sessionInfo, checks) {
if (!sessionInfo.nonce) { throw new Error("Login is stale"); }
checks.nonce = sessionInfo.nonce;
}
}, ...
}
end_session_endpoint: undefined, | ||
} | ||
].forEach((ctx) => { | ||
it(ctx.itMsg, async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My recommendation for repetitive tests is to factor out the common part into a function, but keep tests as individual manually written blocks. E.g.
it('should reject when ...', async () => {
await assert.isRejected(doEndSessionTest({end_session_endpoint: undefined}),
/...please set.../)
});
It's not too important (so ok not to refactor if you prefer to keep as is), but my reason for suggesting this is past experience when a bug crept into some logic that generated test cases, and then no one noticed for a while that some tests weren't running at all.
|
||
it('should successfully accept an empty string', async function () { | ||
setEnvVars(); | ||
process.env.GRIST_OIDC_IDP_ENABLED_PROTECTIONS = ''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the case that worries me. Do we not want this to default to the recommended options in this case? Maybe if we need to support "no checks" mode, we should require the user to set this variable to "UNPROTECTED", so they can't miss the danger?
@dsagal Thanks a lot for your thorough review! I'll take a look next week (working for another client than the French administration today) |
Context
Proposed solution
GRIST_OIDC_IDP_ENABLED_PROTECTIONS
variable who can contain comma-separated values with either:STATE
,NONCE
andPKCE
, and defaults toSTATE,PKCE
;GRIST_OIDC_IDP_ACR_VALUES
variable with space separated values;