OIDC authentication loop if Cookie Policy sameSite=strict #30625
Comments
|
/cc @pedroigor (oidc), @sberyozkin (oidc) |
yoadey
changed the title
|
@yoadey Thanks, we should update the |
|
Oh you mean |
|
Yes, I meant Gitlab, sorry for the confusion. Just checked for GitHub, they do a 302 redirect and then the Strict cookies are correct send (at least if you have the app already approved). But could also confirm, that a second roundtrip is required in case the app has not been authorized yet. This shouldn't be to much of an issue, but is probably worth mentioning, too. |
|
@yoadey Np at all, you did say clearly in the description it was
That seems to be very much specific to GitLab. By the way, how complex is the quarkus configuration to get OIDC with GitLab supported, we can support |
|
@sberyozkin It was pretty straightforward, working with the basic setting As for us GitLab is a self hosted instance, the |
|
We just hit the same problem with Azure AD here, setting the config |
|
Sure |
|
Thinking more about it, if I confirm that even that the OIDC tests pass, the extra redirect with Keycloak is involved, then I will just fix it by removing a strict for the state and logout cookies. This will need to stay for the session cookie only which is a primary restriction target. |
|
@yoadey @wjglerum I'll be reverting the change related to OIDC state and logout cookies. It does not even work with Keycloak with the browser unless these cookies are same site lax. HtmlUnit has no problems though. |
sberyozkin
added
kind/bug
|
thanks for getting back on this @sberyozkin 👍 And makes sense to me to revert those cookie changes indeed. |
|
thanks lax being the default fixed the issue. |
benkard
added a commit
to benkard/mulkcms2
that referenced
this issue
Apr 2, 2023
This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.198.0` -> `^0.199.0`](https://renovatebot.com/diffs/npm/flow-bin/0.198.0/0.199.0) | | [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | patch | `42.5.1` -> `42.5.2` | | [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.16.0.Final` -> `2.16.1.Final` | | [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.16.0.Final` -> `2.16.1.Final` | | [org.apache.maven.plugins:maven-enforcer-plugin](https://maven.apache.org/enforcer/) | build | minor | `3.1.0` -> `3.2.1` | --- ### Release Notes <details> <summary>flowtype/flow-bin</summary> ### [`v0.199.0`](flow/flow-bin@0568b6e...05bb4e3) [Compare Source](flow/flow-bin@0568b6e...05bb4e3) ### [`v0.198.2`](flow/flow-bin@0d01841...0568b6e) [Compare Source](flow/flow-bin@0d01841...0568b6e) ### [`v0.198.1`](flow/flow-bin@2b180bb...0d01841) [Compare Source](flow/flow-bin@2b180bb...0d01841) </details> <details> <summary>pgjdbc/pgjdbc</summary> ### [`v42.5.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4252-2023-01-31-143046--0500) ##### Changed docs: specify that timeouts are in seconds and there is a maximum. Housekeeping on some tests fixes [#Issue 2671](pgjdbc/pgjdbc#2671) [MR #​2686](pgjdbc/pgjdbc#2686) docs: clarify binaryTransfer and add it to README [MR# 2698](pgjdbc/pgjdbc#2698) docs: Document the need to encode reserved characters in the connection URL [MR #​2700](pgjdbc/pgjdbc#2700) feat: Define binary transfer for custom types dynamically/automatically fixes [Issue #​2554](pgjdbc/pgjdbc#2554) [MR #​2556](pgjdbc/pgjdbc#2556) ##### Added fix: added gssResponseTimeout as part of [MR #​2687](pgjdbc/pgjdbc#2687) to make sure we don't wait forever on a GSS RESPONSE ##### Fixed fix: Ensure case of XML tags in Maven snippet is correct [MR #​2682](pgjdbc/pgjdbc#2682) fix: Make sure socket is closed if an exception is thrown in createSocket fixes [Issue #​2684](pgjdbc/pgjdbc#2684) [MR #​2685](pgjdbc/pgjdbc#2685) fix: Apply patch from [Issue #​2683](pgjdbc/pgjdbc#2683) to fix hanging ssl connections [MR #​2687](pgjdbc/pgjdbc#2687) fix - binary conversion of (very) long numeric values (longer than 4 \* 2^15 digits) [MR #​2697](pgjdbc/pgjdbc#2697) fixes [Issue #​2695](pgjdbc/pgjdbc#2695) minor: enhance readability connection of startup params [MR #​2705](pgjdbc/pgjdbc#2785) </details> <details> <summary>quarkusio/quarkus</summary> ### [`v2.16.1.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.1.Final) [Compare Source](quarkusio/quarkus@2.16.0.Final...2.16.1.Final) ##### Complete changelog - [#​30729](quarkusio/quarkus#30729) - Bump mariadb-java-client from 3.1.1 to 3.1.2 - [#​30724](quarkusio/quarkus#30724) - Upgrade to Mutiny 1.9.0 - [#​30722](quarkusio/quarkus#30722) - Set SameSite Strict only on OIDC session cookie - [#​30720](quarkusio/quarkus#30720) - Bump picocli.version from 4.7.0 to 4.7.1 - [#​30719](quarkusio/quarkus#30719) - Bump jackson-bom from 2.14.1 to 2.14.2 - [#​30715](quarkusio/quarkus#30715) - PanacheRepositoryResource should implement ReactiveRestDataResource - [#​30713](quarkusio/quarkus#30713) - Use MapProperty instead of Map - [#​30694](quarkusio/quarkus#30694) - Use newer API for creating tmp files in RESTEasy Reactive - [#​30692](quarkusio/quarkus#30692) - Bump htmlunit version to 2.70.0 - [#​30686](quarkusio/quarkus#30686) - Don't fail send when a sse sink has been closed - [#​30681](quarkusio/quarkus#30681) - RESTEasy Reactive: SSE broadcaster fails if a sink has been closed - [#​30680](quarkusio/quarkus#30680) - Mark methods generatred by ASM transformations as synthetic - [#​30659](quarkusio/quarkus#30659) - Drop unused class GradleLogger - [#​30653](quarkusio/quarkus#30653) - Fix opening in IDE when more than IDE is running - [#​30652](quarkusio/quarkus#30652) - Match prometheus export metrics format - [#​30651](quarkusio/quarkus#30651) - ArC - use reflection fallback for PreDestroy callbacks if needed - [#​30649](quarkusio/quarkus#30649) - Document redirect options in RESTEasy Reactive - [#​30644](quarkusio/quarkus#30644) - Adjust source language absent in documentation code blocks - [#​30636](quarkusio/quarkus#30636) - PreDestroy hooks fail depending on method modifiers - [#​30635](quarkusio/quarkus#30635) - Introduce a `minimum-java-version` in the extension descriptor metadata - [#​30625](quarkusio/quarkus#30625) - OIDC authentication loop if Cookie Policy sameSite=strict - [#​30624](quarkusio/quarkus#30624) - Fix NPE obtaining a project map from Maven session - [#​30622](quarkusio/quarkus#30622) - Update invalid package in guide - [#​30612](quarkusio/quarkus#30612) - Fix import file name in redis-reference.adoc - [#​30609](quarkusio/quarkus#30609) - Qute generated resolvers - getters should take precedence over fields - [#​30593](quarkusio/quarkus#30593) - Qute validation - improve hierarchy indexing to fix assignability issues - [#​30591](quarkusio/quarkus#30591) - Resolve correct version when application version is unset - [#​30589](quarkusio/quarkus#30589) - Bump junit-bom from 5.9.1 to 5.9.2 - [#​30585](quarkusio/quarkus#30585) - Bump Microsoft SQL Server JDBC driver to 11.2.3 - [#​30584](quarkusio/quarkus#30584) - Update MS SQL JDBC driver to version 11.2.3 - [#​30576](quarkusio/quarkus#30576) - Use accept header to choose metrics export format - [#​30574](quarkusio/quarkus#30574) - Handle empty source directory for included builds - [#​30569](quarkusio/quarkus#30569) - Add default implementation for REST Data interfaces - [#​30564](quarkusio/quarkus#30564) - Update security-openid-connect-client.adoc - [#​30559](quarkusio/quarkus#30559) - container-image extension running with kubernetes extension - [#​30557](quarkusio/quarkus#30557) - AWT: JniRuntimeAccess: freetypeScaler.c calls sun.font.FontUtilities - [#​30548](quarkusio/quarkus#30548) - Add a blurb about not supporting validation.xml in Quarkus - [#​30526](quarkusio/quarkus#30526) - RESTEasy classic servlets - add RoutingContext to active request context - [#​30515](quarkusio/quarkus#30515) - Native build fails with hibernate-orm-rest-data-panache + elytron-security-properties-file - [#​30513](quarkusio/quarkus#30513) - Limit application.properties lookup to main source set - [#​30510](quarkusio/quarkus#30510) - Simplify logic in create-app.adoc and allow to define stream - [#​30501](quarkusio/quarkus#30501) - Fix HibernateOrmCodestart - [#​30500](quarkusio/quarkus#30500) - Place extension with an unknown category in the uncategorized category - [#​30496](quarkusio/quarkus#30496) - Update documentation - [#​30490](quarkusio/quarkus#30490) - Avoid adding the exception itself as a suppressed exception - [#​30488](quarkusio/quarkus#30488) - Updates to Infinispan 14.0.6.Final - [#​30485](quarkusio/quarkus#30485) - Verify code flow access token first if no UserInfo precondition exists - [#​30479](quarkusio/quarkus#30479) - Define defaultValueDocumentation for builderImage - [#​30474](quarkusio/quarkus#30474) - Docs - default value of `quarkus.native.builder-image` is not shown - [#​30470](quarkusio/quarkus#30470) - Revert --enable-monitoring with no arguments support - [#​30460](quarkusio/quarkus#30460) - Bump kafka3.version from 3.3.1 to 3.3.2 - [#​30453](quarkusio/quarkus#30453) - Gradle build failing w/ Quarkus 2.16.0 - [#​30430](quarkusio/quarkus#30430) - Bump gizmo from 1.5.0.Final to 1.6.0.Final - [#​30429](quarkusio/quarkus#30429) - Bump Keycloak version to 20.0.3 - [#​30426](quarkusio/quarkus#30426) - Fix redundant push when using buildx - [#​30424](quarkusio/quarkus#30424) - Building of container images with buildx causes build failures - [#​30423](quarkusio/quarkus#30423) - 2.15+ - Services dependent on libraries without classes no longer build - [#​30418](quarkusio/quarkus#30418) - Disable -D argument propagation in DevMojo - [#​30415](quarkusio/quarkus#30415) - Arc - Change Types#getTypeClosure so that superclasses and interfaces of producer types no longer throw on finding wildcards - [#​30412](quarkusio/quarkus#30412) - Arc - wildcard detection for producer methods/fields is too aggressive - [#​30410](quarkusio/quarkus#30410) - Introduce support for GraalVM `--enable-monitoring` - [#​30408](quarkusio/quarkus#30408) - Warning: Option 'AllowVMInspection' is deprecated and might be removed from future versions: Please use --enable-monitoring - [#​30405](quarkusio/quarkus#30405) - Quarkus Undertow doesn't work with blocking SecurityIdentityAugmentor - [#​30399](quarkusio/quarkus#30399) - Fix ElasticSearch Dev Services container restart - [#​30384](quarkusio/quarkus#30384) - Elasticsearch Dev Services restarts container on every auto-compile - [#​30368](quarkusio/quarkus#30368) - Allow Environment variables to populate property Maps in build time Config - [#​30354](quarkusio/quarkus#30354) - AWT `io.quarkus.awt.it.ImageGeometryFontsIT` native integration test failing with "GraalVM for Java 20" dev builds - [#​30347](quarkusio/quarkus#30347) - Bump junit-jupiter from 5.9.1 to 5.9.2 - [#​30343](quarkusio/quarkus#30343) - Trailing comma is lost from prometheus metrics - [#​30335](quarkusio/quarkus#30335) - Add native compilation section to Hibernate Validator guide - [#​30332](quarkusio/quarkus#30332) - NPE in toString method for Processor Parameters in kafka-streams 3.3.1 version - [#​30275](quarkusio/quarkus#30275) - Inline Log category property doesn't work - [#​30208](quarkusio/quarkus#30208) - OIDC: 401 when access-token needs to be refreshed and user-info-required=true - [#​30179](quarkusio/quarkus#30179) - Add an owasp-check profile - [#​28781](quarkusio/quarkus#28781) - RESTEasy Reactive: document redirects - [#​24027](quarkusio/quarkus#24027) - Hibernate Validator does not use META-INF/validation.xml, it should work or be stated in the documentation. - [#​23002](quarkusio/quarkus#23002) - if more than two running IDE while launching 'x' gives error </details> <details> <summary>quarkusio/quarkus-platform</summary> ### [`v2.16.1.Final`](quarkusio/quarkus-platform@2.16.0.Final...2.16.1.Final) [Compare Source](quarkusio/quarkus-platform@2.16.0.Final...2.16.1.Final) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Using the OIDC authentication code workflow may lead to a loop of authentication requests, if not properly configured and currently there is no hint to that in the Documentation.
If the user visits the app for the first time, the current default setting of
quarkus.oidc.authentication.cookie-same-site=strictleads to the following chain:So after an additional roundtrip, the user is authenticated and everything is ok (if it works as I understand it).
However, if provider.org does not send a 302 for the redirection but an html page with a javascript redirect (e.g. gitlab, the only provider I currently test with) this leads to a loop, since the request is originated always from provider.org and with sameSite=strict the cookie will never be send.
It's not a bug as it can be configured and many providers probably do the redirect with a 302, but I think it is worth noting in the documentation.
The following setting solved the issue for me:
Implementation ideas
No response
The text was updated successfully, but these errors were encountered: