From 3a654474cb52194f64512bd75a251cc0b72d8302 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=B6hme?=
Date: Fri, 8 Jul 2022 15:05:32 +0200
Subject: [PATCH 1/2] [ELY-2360] Change OIDC_STATE delimiter

Change the delimiter character sequence used in the OIDC_STATE cookie to avoid clashes when the same character sequence appears in the encoded tokens stored in the cookie.

Additionally, a debug log message is added to print the value of the OIDC_STATE cookie if the value could not be split into its components.
---
 .../org/wildfly/security/http/oidc/OidcCookieTokenStore.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
index 927f87eb66c..070699ba034 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
@@ -36,7 +36,7 @@ public class OidcCookieTokenStore implements OidcTokenStore {
 
     private final OidcHttpFacade httpFacade;
-    private static final String DELIM = "___";
+    private static final String DELIM = "###";
     private static final int EXPECTED_NUM_TOKENS = 3;
     private static final int ACCESS_TOKEN_INDEX = 0;
     private static final int ID_TOKEN_INDEX = 1;
 
@@ -206,7 +206,8 @@ public static OidcPrincipal getPrincipalFromCook
         String cookieVal = cookie.getValue();
         String[] tokens = cookieVal.split(DELIM);
         if (tokens.length != EXPECTED_NUM_TOKENS) {
-            log.warnf("Invalid format of %s cookie. Count of tokens: %s, expected 3", OIDC_STATE_COOKIE, tokens.length);
+            log.warnf("Invalid format of %s cookie. Count of tokens: %s, expected %s", OIDC_STATE_COOKIE, tokens.length, EXPECTED_NUM_TOKENS);
+            log.debugf("Value of %s cookie is: %s", OIDC_STATE_COOKIE, cookieVal);
             return null;
         }
         String accessTokenString = tokens[ACCESS_TOKEN_INDEX];
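Review bot: The new `DELIM` value on the added line carries no explanation of why `###` is safe where `___` was not, so a later maintainer could pick yet another sequence that is valid inside a token. The commit message says the old delimiter collided with the encoded tokens; `_` belongs to the base64url alphabet that JWT segments are encoded with, whereas `#` does not, and that property is what makes the new value collision-free for JWT-formatted tokens. Suggest recording it on the constant: `// '#' is outside the base64url alphabet used by JWT segments, so it cannot occur inside a token; '_' (the previous delimiter) can.` The write side that joins the three tokens with this constant is not in the hunk; presumably it uses `DELIM` as well and needs no separate change.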
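Review bot: The added `log.debugf` writes the raw `cookieVal` to the log, and that value is the concatenation of the access token and ID token (`ACCESS_TOKEN_INDEX`, `ID_TOKEN_INDEX`; the third element is presumably a refresh token), so bearer credentials land in log files whenever debug logging is enabled, including for a cookie that merely has the wrong token count and may still hold two valid tokens. Log a non-sensitive diagnostic instead, e.g. `log.debugf("%s cookie value has length %s and splits into %s token(s)", OIDC_STATE_COOKIE, cookieVal.length(), tokens.length);`, or at most a short redacted prefix. If the full value is genuinely needed for troubleshooting, it should be at trace level and the comment should state that it exposes credentials. The enclosing method (`getPrincipalFromCook…` in the hunk header) continues outside the hunk.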
From 6d0a2270463bf1cfe6e79d999dc5315b4b0b798e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=B6hme?=
Date: Tue, 19 Jul 2022 15:03:02 +0200
Subject: [PATCH 2/2] [ELY-2360] Accept cookies containing old delimiter

Commit 3a654474cb52194f64512bd75a251cc0b72d8302 changed the delimiter used to separate tokens in cookies. This change renders existing cookies which still use the old delimiters invalid, though. To avoid this, a fallback for the old delimiter is added.
---
 .../wildfly/security/http/oidc/OidcCookieTokenStore.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
index 070699ba034..88d37b90bcf 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcCookieTokenStore.java
@@ -37,6 +37,7 @@ public class OidcCookieTokenStore implements OidcTokenStore {
     private final OidcHttpFacade httpFacade;
     private static final String DELIM = "###";
+    private static final String LEGACY_DELIM = "___";
     private static final int EXPECTED_NUM_TOKENS = 3;
     private static final int ACCESS_TOKEN_INDEX = 0;
     private static final int ID_TOKEN_INDEX = 1;
 
@@ -205,6 +206,11 @@ public static OidcPrincipal getPrincipalFromCook
         }
         String cookieVal = cookie.getValue();
         String[] tokens = cookieVal.split(DELIM);
+        if (tokens.length != EXPECTED_NUM_TOKENS) {
+            // Cookies set by older versions of wildfly-elytron use a different token delimiter. Since clients may
+            // still send such cookies we fall back to the old delimiter to avoid discarding valid tokens:
+            tokens = cookieVal.split(LEGACY_DELIM);
+        }
         if (tokens.length != EXPECTED_NUM_TOKENS) {
             log.warnf("Invalid format of %s cookie. Count of tokens: %s, expected %s", OIDC_STATE_COOKIE, tokens.length, EXPECTED_NUM_TOKENS);
             log.debugf("Value of %s cookie is: %s", OIDC_STATE_COOKIE, cookieVal);
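Review bot: The fallback split on `LEGACY_DELIM` brings back, for this path, the ambiguity the first commit removed: a cookie whose primary split fails is re-split on `___`, a sequence that can legitimately occur inside base64url token data, so the second split can produce three fragments that merely look like tokens; any such accidental match has to be rejected by the token validation that follows, which is outside this hunk. The added comment should state that this path is transitional and that it is only reached after the `###` split has already failed, and the constant deserves a removal marker, e.g. `// TODO: drop the LEGACY_DELIM fallback once cookies written with "___" can no longer be in circulation`. When both splits fail, the `log.warnf` below now reports the token count from the legacy attempt, which hides that the primary delimiter was tried first; reporting both counts (or naming which delimiter the count belongs to) would make the warning actionable. The enclosing method (`getPrincipalFromCook…` in the hunk header) starts and ends outside the hunk.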