Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: harmonise cookies and redirects for interactive and non-interactive auth mechanisms #28247

Open
FroMage opened this issue Sep 28, 2022 · 1 comment
Open

Security: harmonise cookies and redirects for interactive and non-interactive auth mechanisms #28247

FroMage opened this issue Sep 28, 2022 · 1 comment
Labels
area/security kind/enhancement New feature or request

Comments

@FroMage
Copy link
Member

FroMage commented Sep 28, 2022

Description

We have several auth mechanisms that can coexist and fall into two categories:

  • Basic Auth (non-interactive: header-based, on all endpoints)
  • JWT Auth (non-interactive: header or cookie based, on all endpoints)
  • OIDC Web (interactive: cookie-based, handles redirects)
  • WebAuthn (interactive: cookie-based, handles redirects, special action on some endpoints)
  • Form Auth (interactive: cookie-based, handles redirects, special action on some endpoints)

Basic and JWT fall into the same category IMO, because they both look at headers and if not present return a 401. This is meant for non-interactive REST APIs where you're authenticated or you're not.

OIDC, WebAuthn and Form fall into a second category, because they are meant for interactive web sites where attempting to access a protected resource without credentials should redirect you to a login page, and after the login is done, they store the user identity in a cookie so that login doesn't need to be redone on subsequente requests.

It's often the case that web applications will want more than one mechanism in place for logins, and so Basic is already special-cased so that it doesn't issue a 401 challenge if Form is enabled, because Form will trigger a wanted redirect.

In my application I have OIDC, WebAuthn and JWT coexisting: I decided to store both OIDC and WebAuthn logins into a JWT cookie, but the JWT challenge prevents me from getting a 302 redirect because it is evaluated before the WebAuthn authentication mechanism challenge. So I get a 401 which is not what I want.

At the moment, OIDC and Form both store the original uri to redirect to after login is done inside their own separate cookie. WebAuthn lacks that, but it should support it.

Form and WebAuthn both support a login redirect but they're configured separately. They also store the logged-in identity in separate cookies.

IMO all this should be harmonised:

  • JWT auth should not trigger a 401 if another auth mechanism is interactive (like Basic+Form)
  • Form and WebAuthn should store the original uri to redirect to after login inside the same cookie, to be configured by a shared config key
  • Form, WebAuthn and JWT should perhaps store the logged in user in the same cookie, perhaps with a discriminant as to which auth mechanism stored it there?

Implementation ideas

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security kind/enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@FroMage