-
Notifications
You must be signed in to change notification settings - Fork 969
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: redirect to OIDC providers only once in registration flows #3416
base: master
Are you sure you want to change the base?
feat: redirect to OIDC providers only once in registration flows #3416
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice job! Great to see your first Go code! :)
This indeed needs some test code to ensure that it does what we expect it to do. This would probably need to be done in Cypress e2e tests. We also need to consider potential security impact of this feature. Right now, we can pretty much assume that the OIDC linking is always accurate (because we always re-initiate the flow). Without this, we need other strong guarantees that the user who performs the registration flow is also indeed the user who performed the OIDC flow.
4b97280
to
13b1842
Compare
13b1842
to
14ae228
Compare
There is now an e2e test that verifies only one redirect to OIDC provider takes place. I wasn't sure what are the exact URLs I should be looking for so I'm intercepting everything that looks like such a redirect and it seems to work. About the security impact, I can imagine an attacker hijacking a registration flow if its ID was somehow leaked but unless there is a |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #3416 +/- ##
==========================================
- Coverage 78.41% 78.37% -0.04%
==========================================
Files 344 344
Lines 23487 23515 +28
==========================================
+ Hits 18417 18431 +14
- Misses 3686 3701 +15
+ Partials 1384 1383 -1 ☔ View full report in Codecov by Sentry. |
So, after giving it some thought (and observing the behavior), we think it should be safe already, provided that we haven't missed something obvious (or you asked for something different and we just completely misunderstood). It basically boils down to leaked Let's also exclude MITM attacks. Here, the attacker might just wait and hijack the session cookie/token directly. We also need to consider only the case when the user is taken back to registration interface to fix form errors (e.g. missing traits), otherwise the flow will end the moment first redirect concludes, which was not affected by this PR and the same security guarantees hold. Let's consider how can we prevent the leaked NativeHere, we can't do much - it boils down to whether the native app keeps Since BrowserHere, the registration flow is already bound to the anti-CSRF token that is What do you think? |
14ae228
to
b2e87ac
Compare
b2e87ac
to
3dd152b
Compare
3dd152b
to
d9ae6a1
Compare
d9ae6a1
to
45353fa
Compare
Hey 👋 This patch looks amazing, and we'd love for it to be merged. |
Co-authored-by: Jakub Fijałkowski <[email protected]>
45353fa
to
e49da72
Compare
Hey @David-Wobrock, I admit this PR was slightly abandoned because I started seeing some e2e test failures for reasons that I couldn't explain and never had enough time to figure this out. I rebased my changes and pushed updated version but I imagine the two major blockers now are:
|
Removes the requirement to redirect to OIDC providers more than once in registration flows where Jsonnet mapper is unable to provide all required identity traits.
Related issue(s)
#2863
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
[email protected]) from the maintainers to push
the changes.
works.
Further Comments
While the change itself is relatively small, I have no tests to verify it (yet!) and the way I chose to resolve it (by persisting received claims and ID/Access/Refresh tokens in internal context) may not be the best idea. On the other hand, this allows us to simply continue the flow as if we were already after the redirect and does not rely on clients setting proper
login_hint
or the provider even respecting this parameter which as far as I know is not guaranteed or could require the user to supply their credentials again.This is pretty much my first piece of code I've written in Go and my first dive into Kratos' codebase so please be gentle. That said, I'm submitting this to provide some context for questions I'd like to have answered and with them out of they way, I hope I'll be able to get this PR in shape so one day it could be merged.