Skip to content

oauth2: CSRF cookie should be cleared after flow complete #39210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bplotnick opened this issue Apr 23, 2025 · 6 comments · Fixed by #39213
Closed

oauth2: CSRF cookie should be cleared after flow complete #39210

bplotnick opened this issue Apr 23, 2025 · 6 comments · Fixed by #39213
Labels
area/oauth bug

Comments

@bplotnick
Copy link
Contributor

Title: CSRF cookie should be cleared after flow complete

Description:
I think that the CSRF cookie should be cleared after the completion of the flow. Firstly, it isn't needed anymore after the flow, so it's extraneous. But more importantly, you can have a scenario where it fails validation but improperly causes a failed flow. Let's say you rotate the HMAC secret, the token hmac validation will fail, which will send you into redirectToOAuthServer(), but then the CSRF token will get validated here and also fail validation.

We should probably 1) clear the CSRF cooke after the callback validation and 2) clear and remove the cookie when during redirect rather than failing the flow.

Repro steps:

  1. Configure Envoy with the oauth2 filter and a given HMAC secret
  2. Complete the oauth2 flow - you will now have the token cookies as well as the OauthNonce (CSRF) cookie
  3. Change the HMAC secret
  4. Make a request - you'll get csrf token validation failed

CC: @zhaohuabing
@bplotnick bplotnick added bug triage Issue requires triage labels Apr 23, 2025
@zhaohuabing
Copy link
Member

@bplotnick Thanks for reporting this issue! Is it blocking your use case? I'll take care of it when I have some time.

@zhaohuabing
Copy link
Member

/assign

@bplotnick
Copy link
Contributor Author

@zhaohuabing yeah, it's blocking but i can write the fix (i've already written the regression test). just wanted to open the issue first to solicit input and make sure that the proposed solution is acceptable.

@zhaohuabing
Copy link
Member

zhaohuabing commented Apr 23, 2025
edited
Loading

  1. clear the CSRF cooke after the callback validation

The browser sometimes sends multiple requests before the first one gets authenticated, resulting in multiple callbacks from the OAuth2 server, which may not always arrive in the same order as the requests were sent. The same nonce is used for these requests to ensure successful nonce validation.

More discussion can be found here: #36276

  1. clear and remove the cookie when during redirect rather than failing the flow.

I think this approach should work. we can remove the existing CSRF cookie and create a new one using the new HMAC.

@zhaohuabing
Copy link
Member

/unassign

@bplotnick
Copy link
Contributor Author

The browser sometimes sends multiple requests before the first one gets authenticated, resulting in multiple callbacks from the OAuth2 server, which may not always arrive in the same order as the requests were sent. The same nonce is used for these requests to ensure successful nonce validation.

This makes sense, thanks for the context

clear and remove the cookie when during redirect rather than failing the flow.
I think this approach should work. we can remove the existing CSRF cookie and create a new one using the new HMAC.

ok i'll go ahead and implement this

@bplotnick bplotnick mentioned this issue Apr 23, 2025
Merged
@ravenblackx ravenblackx added area/oauth and removed triage Issue requires triage labels Apr 25, 2025
mattklein123 pushed a commit that referenced this issue Apr 30, 2025
@bplotnick
oauth2: Reset CSRF token when token validation fails during redirecti…
79acec1 
…on (#39213)

Commit Message: Reset CSRF token when token validation fails during
redirection
Additional Description: If the CSRF token cookie is present during the
redirection to the authorization server, it will be validated.
Previously, if this validation failed, the oauth flow would fail. Now it
will simply be reset. This fixes the case where an hmac secret change
causes a redirect flow, but the CSRF token cookie hasn't yet expired
causing a CSRF token validation failure.
Risk Level: Low
Testing: Unit tests
Docs Changes:
Release Notes: Reset CSRF token when token validation fails during
redirection. If the CSRF token cookie is present during the redirection
to the authorization server, it will be validated. Previously, if this
validation failed, the oauth flow would fail. Now the CSRF token will
simply be reset. This fixes the case where an hmac secret change causes
a redirect flow, but the CSRF token cookie hasn't yet expired causing a
CSRF token validation failure.
Platform Specific Features:
Fixes: #39210

---------

Signed-off-by: Ben Plotnick <bplotnick@netflix.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/oauth bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

oauth2: Reset CSRF token when token validation fails during redirection bplotnick/envoy
3 participants
@zhaohuabing @ravenblackx @bplotnick