
State Cookie Not Found (mod_auth_openidc) #85

Open
jamesacris opened this issue Apr 14, 2023 · 2 comments

Comments

@jamesacris

Hello,

I'm facing a strange issue with OIDC. After what appears to be a successful authentication against the OIDC provider, I end up in a redirect loop, resulting in the browser throwing a 'too many redirects' error. In the apache logs, I can see this loop repeating:

...
... [auth_openidc:error] ... oidc_restore_proto_state: no "mod_auth_openidc_state_DVZRgAI5nzoxvAJ6EO-TOg" state cookie found: check domain and samesite cookie settings
... [auth_openidc:error] ... oidc_authorization_response_match_state: unable to restore state
... [auth_openidc:warn]  ... oidc_handle_authorization_response: invalid authorization response state; a default SSO URL is set, sending the user there: http://<MISP_BASE_URL>
...

I have confirmed that this only occurs after successful authorisation of the user - if they do not have the correct claims in their JWT they land on the correct 'permission denied' page, accompanied by a log, which is to be expected:

... [authz_core:error] ... user <id>@<url_of_idp>: authorization failure for "/":

It appears that this is a problem with the way mod_auth_openidc is used, in particular it appears that the state cookie is not able to be found (is it deleted too early for some reason?), or there is some problem with redirects after a successful authentication.

Anyone know why this could be happening?

My relevant config:

In docker-compose.yml:

PHP_SESSIONS_COOKIE_SAMESITE: Strict
MISP_BASEURL: http://<MISP_host>:8080
OIDC_LOGIN: true
OIDC_PROVIDER: https://<OIDC_provider_url>/.well-known/openid-configuration
OIDC_CLIENT_ID: 👾
OIDC_CLIENT_SECRET: 👾
OIDC_AUTHENTICATION_METHOD: client_secret_jwt
OIDC_CLIENT_CRYPTO_PASS: 👾
OIDC_CODE_CHALLENGE_METHOD: S256

In misp.conf:

...
    {% if OIDC_LOGIN %}
    OIDCProviderMetadataURL {{ OIDC_PROVIDER }}
    OIDCRedirectURI {{ MISP_BASEURL }}/oauth2callback
    OIDCCryptoPassphrase {{ OIDC_CLIENT_CRYPTO_PASS }}
    OIDCClientID {{ OIDC_CLIENT_ID }}
    OIDCClientSecret {{ OIDC_CLIENT_SECRET }}
    OIDCDefaultURL {{ MISP_BASEURL }}
    OIDCCookieSameSite On
    OIDCCookieDomain <MISP_host>
    OIDCCookiePath /
    OIDCStateTimeout 300
    OIDCProviderTokenEndpointAuth {{ OIDC_AUTHENTICATION_METHOD }}
    {% if OIDC_CODE_CHALLENGE_METHOD %}
    OIDCPKCEMethod {{ OIDC_CODE_CHALLENGE_METHOD }}
    {% endif %}
    OIDCScope "openid email profile"
...

The OIDCCookie settings are suspect to me due to the error message, but I've tried changing them and not had any luck so far.

Note I have also made the changes described in this comment to use the groups claim rather than roles.

@jamesacris

jamesacris commented Apr 18, 2023

Further information:
Using my browser's developer tools, I can see that the state and session cookies have an expiry date in the past:

Set-Cookie: mod_auth_openidc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=<MISP_host>; HttpOnly
Set-Cookie: mod_auth_openidc_state_Aa1tEMd3qm3RoaCAyGyupKAMqco=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=<MISP_host>; HttpOnly
Set-Cookie: mod_auth_openidc_state_68bz5KOz7emZvml8O-J7Pvc4TKo=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=<MISP_host>; HttpOnly
Set-Cookie: mod_auth_openidc_session=655665dc-cb7e-4504-9e00-0bf0e09313f1; Path=/; Domain=<MISP_host>; HttpOnly

As far as I can gather, this is often done as a means of deleting the cookie. Not sure why these cookies have been deleted, but that's probably causing the error. Anyone know why this might happen?

@jamesacris

Thinking about it, it's possible this is from a previous browser session so maybe this is expected behaviour. Could be a red herring.
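The two symptoms in this thread, the "check domain and samesite cookie settings" error on the callback and the Set-Cookie headers with Expires=1970, are both things a browser decides locally, so they can be reasoned about without the IdP. The script below is an added example (not code from the issue, from MISP or from mod_auth_openidc): it parses Set-Cookie headers of the shape quoted above and applies the browser's Domain, Path, Secure, Expires and SameSite rules to the redirect from the IdP back to /oauth2callback. It assumes a constructed host misp.example.test, that the IdP is on a different site (so the callback is a cross-site, top-level GET), and it models generic browser behaviour, not the exact attributes mod_auth_openidc emits for a given OIDCCookieSameSite setting.

```python
"""Added example: models the browser-side checks that decide whether the
mod_auth_openidc state cookie reaches the RP on the IdP -> RP redirect,
and flags Set-Cookie headers that delete a cookie (Expires in the past).
All hosts and cookie values below are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None      # None = host-only cookie
    path: str = "/"
    expires: Optional[datetime] = None
    samesite: str = "Lax"             # modern browsers default to Lax when the attribute is absent
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "expires":
            exp = parsedate_to_datetime(val)
            cookie.expires = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
        elif key == "samesite":
            cookie.samesite = val.capitalize() or "Lax"   # Strict / Lax / None
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def is_deleted(cookie: Cookie, now: Optional[datetime] = None) -> bool:
    """A Set-Cookie with Expires in the past is the standard way to delete a cookie."""
    now = now or datetime.now(timezone.utc)
    return cookie.expires is not None and cookie.expires <= now


def domain_matches(cookie_domain: Optional[str], request_host: str) -> bool:
    """Domain attribute matching as in RFC 6265 section 5.1.3; the port is never part of it."""
    host = request_host.split(":")[0].lower()
    if cookie_domain is None:
        return True   # host-only cookie: assumed to have been set by this same host
    return host == cookie_domain or host.endswith("." + cookie_domain)


def would_be_sent(cookie: Cookie, request_host: str, request_path: str, *,
                  top_level: bool, cross_site: bool, method: str = "GET",
                  https: bool = False, now: Optional[datetime] = None) -> tuple[bool, list[str]]:
    """Return (sent?, reasons) for one cookie on one request.

    The redirect from the IdP back to /oauth2callback is a top-level GET and,
    when the IdP lives on another registrable domain, a cross-site request."""
    reasons: list[str] = []
    if is_deleted(cookie, now):
        reasons.append("expired (cookie was deleted)")
    if not domain_matches(cookie.domain, request_host):
        reasons.append(f"Domain={cookie.domain} does not cover {request_host}")
    if not request_path.startswith(cookie.path):
        reasons.append(f"Path={cookie.path} does not cover {request_path}")
    if cookie.secure and not https:
        reasons.append("Secure cookie is not sent over plain http")
    if cross_site:
        if cookie.samesite == "Strict":
            reasons.append("SameSite=Strict is never sent on a cross-site request")
        elif cookie.samesite == "Lax" and not (top_level and method in ("GET", "HEAD")):
            reasons.append("SameSite=Lax is only sent on top-level GET navigations")
    return (not reasons, reasons)


def analyse_callback(set_cookie_headers: list[str], request_host: str,
                     request_path: str = "/oauth2callback", *, cross_site: bool = True,
                     https: bool = False, now: Optional[datetime] = None) -> list[dict]:
    """Evaluate every Set-Cookie header against the IdP -> RP callback request."""
    report = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        sent, reasons = would_be_sent(cookie, request_host, request_path,
                                      top_level=True, cross_site=cross_site,
                                      https=https, now=now)
        report.append({"name": cookie.name, "sent": sent, "reasons": reasons})
    return report


# Constructed sample: same shape as the headers quoted in the issue, with a
# placeholder host; the Strict state cookie is there to show the failure mode.
SAMPLE_HEADERS = [
    "mod_auth_openidc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=misp.example.test; HttpOnly",
    "mod_auth_openidc_state_EXAMPLE1=value1; Path=/; Domain=misp.example.test; SameSite=Strict; HttpOnly",
    "mod_auth_openidc_state_EXAMPLE2=value2; Path=/; Domain=misp.example.test; SameSite=Lax; HttpOnly",
]

if __name__ == "__main__":
    for entry in analyse_callback(SAMPLE_HEADERS, "misp.example.test:8080"):
        status = "sent" if entry["sent"] else "NOT sent: " + "; ".join(entry["reasons"])
        print(f"{entry['name']}: {status}")
```

Running it shows the three outcomes that matter here: a cookie with Expires in 1970 is simply gone (that is a deletion, as the comment above suspects), a state cookie marked SameSite=Strict is withheld on the cross-site callback (which would produce exactly the "no ... state cookie found" error), and a Lax state cookie on a top-level GET is sent. Note that the Domain check deliberately ignores the :8080 port, so a Domain attribute equal to the MISP host is not what breaks the callback in the quoted config.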
