Support nonce and acr with OIDC + Tests #883
Conversation
fflorent
force-pushed
the
support-nonce-and-acr-with-oidc
branch
3 times, most recently
from
e78e2f3
to
8b90c90
Compare
| post_logout_redirect_uri: redirectUrl.href, | ||
| state: mreq.session.oidc?.state, | ||
| id_token_hint: mreq.session.oidc?.idToken, | ||
| }); |
There was a problem hiding this comment.
Note to the reviewers: I don't clear either the state or the idToken from the session in this method, as I feel like it's more secure to secure the logout if the first attempt fails (the following attempts may succeed).
There was a problem hiding this comment.
This makes sense, but I can't see where this info is cleaned up. Can you point me to that?
|
Opening the PR for checking whether the tests work in the CI |
fflorent
changed the title
fflorent
force-pushed
the
support-nonce-and-acr-with-oidc
branch
21 times, most recently
from
56706b3
to
1bf114a
Compare
fflorent
changed the title
There was a problem hiding this comment.
Thanks @fflorent for the work. I left some thoughts. I am new to these security features so I had to learn before commenting - sorry for the delay!
Also, feel free to point out any mistakes I make and any misunderstandings I have - I've just joined Grist Labs last week and I'm still largely unfamiliar with this codebase.
| .omitBy(_.isFunction) | ||
| .mapValues((value, key) => { | ||
| const showValueInClear = ['token_type', 'expires_in', 'expires_at', 'scope'].includes(key); | ||
| return showValueInClear ? value : 'REDACTED'; |
There was a problem hiding this comment.
Why not just show these 4 values?
There was a problem hiding this comment.
These four values are the only ones that are displayed (they are whitelisted, not blacklisted).
I prefer removing any other field as they might contain sensible data.
| res.redirect(targetUrl ?? '/'); | ||
| } catch (err) { | ||
| log.error(`OIDC callback failed: ${err.stack}`); | ||
| if (Object.prototype.hasOwnProperty.call(err, 'response')) { | ||
| log.error(`Response received: ${err.response?.body ?? err.response}`); | ||
| } | ||
| // Delete the session data even if the login failed. | ||
| // This way, we prevent several login attempts. | ||
| // | ||
| // Also session deletion must be done before sending the response. | ||
| delete mreq.session.oidc; |
There was a problem hiding this comment.
Comments here should be updated. It's no longer "even if the login failed" - if I understand correctly, OIDC-related session data now needs to be preserved until logout if login succeeds.
I don't quite understand the "we prevent several login attempts" part - can you explain that a bit more?
| const promise = OIDCConfigStubbed.buildWithStub(client.asClient()); | ||
| if (ctx.errorMsg) { | ||
| await assert.isRejected(promise, ctx.errorMsg); | ||
| assert.isFalse(logInfoStub.calledOnce); |
There was a problem hiding this comment.
Is this test making sure log.info(`OIDCConfig: initialized with issuer ${issuerUrl}`) wasn't called?
| } | ||
| }, | ||
| expectedErrorMsg: /Login is stale/, | ||
| }, |
There was a problem hiding this comment.
Maybe it's helpful for long-term maintenance to explicitly specify GRIST_OIDC_IDP_ENABLED_PROTECTIONS here?
There was a problem hiding this comment.
I've added something, I hope I understood correctly what you suggested
By the way, can you provide some examples for these IdPs? |
fflorent
force-pushed
the
support-nonce-and-acr-with-oidc
branch
from
a992efa
to
085ce57
Compare
Context
Proposed solution
GRIST_OIDC_IDP_ENABLED_PROTECTIONSvariable who can contain comma-separated values with either:STATE,NONCEandPKCE, and defaults toSTATE,PKCE;GRIST_OIDC_IDP_ACR_VALUESvariable with space separated values;