Support nonce and acr with OIDC + Tests #883
Conversation
fflorent
force-pushed
the
support-nonce-and-acr-with-oidc
branch
3 times, most recently
from
e78e2f3
to
8b90c90
Compare
| post_logout_redirect_uri: redirectUrl.href, | ||
| state: mreq.session.oidc?.state, | ||
| id_token_hint: mreq.session.oidc?.idToken, | ||
| }); |
There was a problem hiding this comment.
Note to the reviewers: I don't clear either the state or the idToken from the session in this method, as I feel like it's more secure to secure the logout if the first attempt fails (the following attempts may succeed).
There was a problem hiding this comment.
This makes sense, but I can't see where this info is cleaned up. Can you point me to that?
|
Opening the PR for checking whether the tests work in the CI |
fflorent
changed the title
fflorent
force-pushed
the
support-nonce-and-acr-with-oidc
branch
20 times, most recently
from
b3ca7fe
to
56706b3
Compare
fflorent
force-pushed
the
support-nonce-and-acr-with-oidc
branch
from
56706b3
to
1bf114a
Compare
fflorent
changed the title
fflorent
force-pushed
the
support-nonce-and-acr-with-oidc
branch
from
eb8331b
to
0115474
Compare
|
Looks good to me |
fflorent
force-pushed
the
support-nonce-and-acr-with-oidc
branch
from
763caf6
to
a992efa
Compare
|
Hi @fflorent, sorry for the delay in reviewing this! Dmitry just hasn't had time, and likely won't for a while. @SleepyLeslie has offered to take it on. |
There was a problem hiding this comment.
Thanks @fflorent for the work. I left some thoughts. I am new to these security features so I had to learn before commenting - sorry for the delay!
Also, feel free to point out any mistakes I make and any misunderstandings I have - I've just joined Grist Labs last week and I'm still largely unfamiliar with this codebase.
| document.title = t("Signin failed{{suffix}}", {suffix: getPageTitleSuffix(getGristConfig())}); | ||
| return pagePanelsError(appModel, t("Signin failed{{suffix}}", {suffix: ''}), [ | ||
| cssErrorText(message ?? | ||
| t("Failed to login.{{separator}}Please try again or contact the support.", { |
There was a problem hiding this comment.
"contact support" - no need for "the".
| @@ -1849,7 +1849,9 @@ export class FlexServer implements GristServer { | |||
| } | |||
|
|
|||
| public resolveLoginSystem() { | |||
| return process.env.GRIST_TEST_LOGIN ? getTestLoginSystem() : (this._getLoginSystem?.() || getLoginSystem()); | |||
| return isAffirmative(process.env.GRIST_TEST_LOGIN) ? | |||
There was a problem hiding this comment.
Why not call allowTestLogin()?
| .omitBy(_.isFunction) | ||
| .mapValues((value, key) => { | ||
| const showValueInClear = ['token_type', 'expires_in', 'expires_at', 'scope'].includes(key); | ||
| return showValueInClear ? value : 'REDACTED'; |
There was a problem hiding this comment.
Why not just show these 4 values?
| res.redirect(targetUrl ?? '/'); | ||
| } catch (err) { | ||
| log.error(`OIDC callback failed: ${err.stack}`); | ||
| if (Object.prototype.hasOwnProperty.call(err, 'response')) { | ||
| log.error(`Response received: ${err.response?.body ?? err.response}`); | ||
| } | ||
| // Delete the session data even if the login failed. | ||
| // This way, we prevent several login attempts. | ||
| // | ||
| // Also session deletion must be done before sending the response. | ||
| delete mreq.session.oidc; |
There was a problem hiding this comment.
Comments here should be updated. It's no longer "even if the login failed" - if I understand correctly, OIDC-related session data now needs to be preserved until logout if login succeeds.
I don't quite understand the "we prevent several login attempts" part - can you explain that a bit more?
| // Delete the session data even if the login failed. | ||
| // This way, we prevent several login attempts. | ||
| // | ||
| // Also session deletion must be done before sending the response. | ||
| delete mreq.session.oidc; | ||
| res.status(500).send(`OIDC callback failed.`); | ||
| await this._sendAppPage(req, res, { |
There was a problem hiding this comment.
Nice UX improvement.
| { | ||
| itMsg: 'should fulfill when the end_session_endpoint is not known ' + | ||
| 'and GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true', | ||
| end_session_endpoint: undefined, | ||
| env: { | ||
| GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: 'true' | ||
| } | ||
| }, |
| const promise = OIDCConfigStubbed.buildWithStub(client.asClient()); | ||
| if (ctx.errorMsg) { | ||
| await assert.isRejected(promise, ctx.errorMsg); | ||
| assert.isFalse(logInfoStub.calledOnce); |
There was a problem hiding this comment.
Is this test making sure log.info(`OIDCConfig: initialized with issuer ${issuerUrl}`) wasn't called?
| assert.isFalse(config.supportsProtection("STATE")); | ||
| }); | ||
|
|
||
| it('if omitted, should defaults to "STATE,PKCE"', async function () { |
There was a problem hiding this comment.
Typo: remove "s" - "should default to"
| } | ||
| }, | ||
| expectedErrorMsg: /Login is stale/, | ||
| }, |
There was a problem hiding this comment.
Maybe it's helpful for long-term maintenance to explicitly specify GRIST_OIDC_IDP_ENABLED_PROTECTIONS here?
| }); | ||
| }); | ||
| }); | ||
| }); |
There was a problem hiding this comment.
Very comprehensive testing. Thanks!
By the way, can you provide some examples for these IdPs? |
Context
Proposed solution
GRIST_OIDC_IDP_ENABLED_PROTECTIONSvariable who can contain comma-separated values with either:STATE,NONCEandPKCE, and defaults toSTATE,PKCE;GRIST_OIDC_IDP_ACR_VALUESvariable with space separated values;