Block cookie auth from non-subdomains, but allow all other auth from everywhere #835
Conversation
|
Re
I assume that only applies to WebID-OIDC mode servers rather than both WebID-OIDC or WebID-TLS mode servers. Basically, if one deployed a TLS-mode pod said issue wouldn't exist, which is what I would expect. |
Yes. |
|
Actually, @kidehen, I realize that this issue is not a server-side issue but an OIDC client issue. At the moment, the logout request is being authenticated through a cookie. And we normally block cross-origin cookies for security purposes, but now explicitly make an exception for logout requests. However, why don't we authenticate the logout request with an OIDC bearer token? Then none of this is necessary. Or is this against OIDC spec? |
| function isLogoutRequest (req) { | ||
| // TODO: this is a hack that hard-codes OIDC paths, | ||
| // this code should live in the OIDC module | ||
| return req.path === '/logout' || req.path === '/goodbye' |
There was a problem hiding this comment.
Hmm..
I would suggest the workaround as is for now, we know it works (and it doesn't hurt in the worst case).
/cc @smalinin @cblakeley
|
Authenticating with a cookie is a temporary hack. The spec requires the token to be used. This is implemented in oidc-op, btw. (apologies for brevity, on mobile) |
|
Thanks @dmitrizagidulin, this is what I suspected. Anything stopping solid-auth-client from using that oidc-op code? We use |
|
Yeah, solid-auth-client just requires refactoring to use oidc-rp’s logoutRequest() method instead of logout(). (and send a POST to the resulting url) |
|
We are now back to oidc-op, which @cblakeley has been working on. Thus, can we triangulate back to the issue and PR combo that put an end to this issue. |
|
@kidehen Not quite, we’re not back to oidc-op. I was just saying that the correct fix has been already added to oidc-op and -rp. And the last step required is the refactor to auth client. |
|
How do I compute
Where is the correct fix bearing in mind the oidc-op and -rp fixes you mention? My setup: OIDC Relying Party (RP) and OIDC Provider I can only conclude that "refactoring" in the solid-auth-client is WIP, so our workaround stays until that work is completed, right? |
There was a problem hiding this comment.
Confirming authorization informed by ACLs is still working, based on current workaround.
Evidence:
- https://drive.verborgh.org/public/RWWCrewQA/RWWCrew%20Meeting%20by%20%40kidehen/ -- entries created across panes using one of my many WebIDs
I'm referring to PRs nodeSolidServer/oidc-op#7 and nodeSolidServer/oidc-rp#6
That seems reasonable to me. We can roll back the cookie changes in this PR afterwards, when the auth client refactor is merged. |
|
OK, sounds good. @RubenVerborgh please merge at your discretion, we can then roll a release ASAP. |
RubenVerborgh
force-pushed
the
fix/allow-subdomain-cookies
branch
from
389cd32 to
0a48614
Compare
|
Thanks all! |
|
solid-auth-client fix so that cookies are no longer used in nodeSolidServer/solid-auth-client#70 |
#834 overreached, since it applied the cross-domain cookie ban from #793 to all auth methods, not just the cookie-base auth method.
The implementation currently contains a level-breaking hack, where the general module needs to know about the OIDC logout paths. A proper fix would require a more intense refactoring, where cookie-based auth is seen as a third method in addition to WebID-TLS and WebID-OIDC, not as part of either.
Also, we should note that this fix (as did #834) allows any third party app to log the user out without their explicit permission if they happen to know the user's pod.