[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2024-03-04 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #14 from Tomás Cohen Arazi  ---
(In reply to Jonathan Druart from comment #13)
> No tests => regression later!
> bug 36219.

:-(

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2024-03-04 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #13 from Jonathan Druart  ---
No tests => regression later!
bug 36219.



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-09-11 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Katrin Fischer  changed:

   What|Removed |Added

 Blocks||34755


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34755
[Bug 34755] Error authenticating to external OpenID Connect (OIDC) identity
provider : wrong_csrf_token


[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-07-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Michaela Sieber  changed:

   What|Removed |Added

 CC||clemens.tub...@kit.edu,
   ||lukasz.kos...@kit.edu,
   ||michaela.sie...@kit.edu



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-06-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

David Cook  changed:

   What|Removed |Added

 Blocks||34163


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163
[Bug 34163] CSRF error if try OAuth2/OIDC after logout


[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-06-08 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #12 from Matt Blenkinsop  ---
Nice work everyone!

Pushed to stable for 22.11.x



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-06-08 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Matt Blenkinsop  changed:

   What|Removed |Added

 Status|Pushed to master|Pushed to stable
 Version(s)|23.05.00|23.05.00,22.11.07
released in||



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-19 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Tomás Cohen Arazi  changed:

   What|Removed |Added

   Keywords|rel_23_05_candidate |
  Text to go in the||This development adds
  release notes||support for the `state`
   ||parameter generation and
   ||delivery when contacting
   ||IdPs. This is an optional
   ||but recommended opaque
   ||value in the OAuth2/OIDC
   ||specs that helps prevent
   ||CSRF attacks, but is also a
   ||requirement on some
   ||Identity Provider
   ||solutions.



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-19 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #11 from Tomás Cohen Arazi  ---
Pushed to master for 23.05.

Nice work everyone, thanks!



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-19 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Tomás Cohen Arazi  changed:

   What|Removed |Added

 Status|Passed QA   |Pushed to master
 Version(s)||23.05.00
released in||



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-19 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Nick Clemens  changed:

   What|Removed |Added

 Blocks||33782


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33782
[Bug 33782] Oauth2/OIDC identity providers code is not covered by unit tests


[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Nick Clemens  changed:

   What|Removed |Added

 Attachment #151036|0   |1
is obsolete||

--- Comment #10 from Nick Clemens  ---
Created attachment 151436
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151436&action=edit
Bug 33675: Add CSRF protection to OAuth/OIDC authentication

This patch makes the OAuth/OIDC client pass a `state` parameter with a
CSRF protection token, to be validated back when the flow returns to
Koha.

Ideally, the Mojolicious::Plugin::OAuth2 library should deal with this
implicitly, probably making use of JWT. But as of now, this is the best
way to implement it.

To test:
1. Have a working SSO solution (ktd --sso)
2. Click to login using SSO
=> SUCCESS: Notice a 'state' parameter on the URL, looks like a random
thing
3. When you login, no error is reported

Signed-off-by: David Cook 
Signed-off-by: Nick Clemens 



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Nick Clemens  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Tomás Cohen Arazi  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=33768



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Nick Clemens  changed:

   What|Removed |Added

URL|https://www.oauth.com/oauth |https://www.oauth.com/oauth
   |2-servers/accessing-data/au |2-servers/accessing-data/au
   |thorization-request/|thorization-request/
   |https://wiki.koha-community |
   |.org/wiki/Testing_SSO   |



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Nick Clemens  changed:

   What|Removed |Added

URL|https://www.oauth.com/oauth |https://www.oauth.com/oauth
   |2-servers/accessing-data/au |2-servers/accessing-data/au
   |thorization-request/|thorization-request/
   ||https://wiki.koha-community
   ||.org/wiki/Testing_SSO



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-16 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #9 from Jonathan Druart  ---
Could we add a test to cover this change?



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-12 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Tomás Cohen Arazi  changed:

   What|Removed |Added

   Keywords||rel_23_05_candidate



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-11 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #8 from Tomás Cohen Arazi  ---
(In reply to Jonathan Druart from comment #7)
> First time trying this, and I failed to test.
> 
> I am getting
> 
> """
> test
> We are sorry...
> 
> Invalid parameter: redirect_uri
> """
> After I clicked "login with test"
> The generated URL is
> http://sso:8082/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=kohaoidc&redirect_uri=http%3A%2F%2Fkohadev-intra.myDNSname.org%3A8081%2Fapi%2Fv1%2Foauth%2Flogin%2Ftest%2Fstaff&scope=openid+email&state=873f7839ab38384730c0635c3b260564297de884%2Ca443349be07f4216b95089525be35eeb96b74452%2C1683794690
> 
> I guess I made an error in the config somewhere but I have double-checked
> everything :-/

The wiki suggests using localhost:port/* but your URL is using
kohadev.myDNSname... because it picks it from the baseURL prefs



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-11 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Jonathan Druart  changed:

   What|Removed |Added

 CC||jonathan.druart+koha@gmail.
   ||com

--- Comment #7 from Jonathan Druart  ---
First time trying this, and I failed to test.

I am getting

"""
test
We are sorry...

Invalid parameter: redirect_uri
"""
After I clicked "login with test"
The generated URL is
http://sso:8082/auth/realms/test/protocol/openid-connect/auth?response_type=code&client_id=kohaoidc&redirect_uri=http%3A%2F%2Fkohadev-intra.myDNSname.org%3A8081%2Fapi%2Fv1%2Foauth%2Flogin%2Ftest%2Fstaff&scope=openid+email&state=873f7839ab38384730c0635c3b260564297de884%2Ca443349be07f4216b95089525be35eeb96b74452%2C1683794690

I guess I made an error in the config somewhere but I have double-checked
everything :-/



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

David Cook  changed:

   What|Removed |Added

 Attachment #151019|0   |1
is obsolete||

--- Comment #6 from David Cook  ---
Created attachment 151036
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151036&action=edit
Bug 33675: Add CSRF protection to OAuth/OIDC authentication

This patch makes the OAuth/OIDC client pass a `state` parameter with a
CSRF protection token, to be validated back when the flow returns to
Koha.

Ideally, the Mojolicious::Plugin::OAuth2 library should deal with this
implicitly, probably making use of JWT. But as of now, this is the best
way to implement it.

To test:
1. Have a working SSO solution (ktd --sso)
2. Click to login using SSO
=> SUCCESS: Notice a 'state' parameter on the URL, looks like a random
thing
3. When you login, no error is reported

Signed-off-by: David Cook 



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

David Cook  changed:

   What|Removed |Added

 Status|Needs Signoff   |Signed Off



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #5 from David Cook  ---
(In reply to David Cook from comment #4)
> Hmm I got an error the first time I tried it and then when I clicked the
> "Login" button a second time it worked. The error might be residue from
> previous work I suppose. Going to see if I can reproduce it...

Can't reproduce so yeah probably not a problem.



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #4 from David Cook  ---
Hmm I got an error the first time I tried it and then when I clicked the
"Login" button a second time it worked. The error might be residue from
previous work I suppose. Going to see if I can reproduce it...



[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

David Cook  changed:

   What|Removed |Added

 Depends on||33708


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708
[Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC
enabled


[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

--- Comment #3 from David Cook  ---
(In reply to Tomás Cohen Arazi from comment #1)
> This is a recommended openid-connect parameter [1] and OAuth2 integrations
> seem to require it [2], but I'm not sure if it should be enforced. Basically
> because I don't know all the IdPs around.

It looks like OAuth2 also only recommends it:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1

However, the specs do say that the "state" parameter is required in the
Authorization Response if it was included in the Authorization Request:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2

I suspect that most IdPs should support "state" if they want to be spec
compliant, although I suppose there's no guarantee. I've certainly dealt with 1
non-compliant IdP in the past, although that was nearly 10 years ago now.

If we are worried, I think we could make using "state" optional in terms of
whether or not to send it, but... I think it should be all right.

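The `state` round-trip that comment #3 discusses and that the attached patch implements, written out as an added Python example (not Koha's code, which lives in Perl on Mojolicious::Plugin::OAuth2). It mints a plain random token rather than Koha's own CSRF token format; the session dict, the endpoint hostnames, `STATE_KEY` and `STATE_TTL` are constructed assumptions.

```python
"""Added example, not Koha's code: OAuth2 `state` used as a CSRF token.

The client mints an opaque random value, binds it to the browser session,
sends it on the authorization request, and rejects the callback unless the
same value comes back.  RFC 6749 4.1.2 says the IdP MUST echo `state` when
it was sent, so a missing value is rejected too.  Session storage is a
plain dict (assumption); a real app would use its server-side session.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

STATE_KEY = "oauth2_state"  # hypothetical session key
STATE_TTL = 600             # assumed lifetime of a pending login, seconds


def build_authorization_url(session, auth_endpoint, client_id, redirect_uri,
                            scope="openid email", now=None):
    """Mint a fresh state, remember it in the session, return the URL."""
    state = secrets.token_urlsafe(32)  # opaque and unguessable
    session[STATE_KEY] = {"value": state, "issued": now or time.time()}
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return auth_endpoint + "?" + urlencode(params)


def validate_callback(session, callback_url, now=None):
    """Check the echoed state; return the authorization code or raise."""
    query = parse_qs(urlsplit(callback_url).query)
    pending = session.pop(STATE_KEY, None)  # single use: consumed on read
    if pending is None:
        raise ValueError("no login in progress for this session")
    if (now or time.time()) - pending["issued"] > STATE_TTL:
        raise ValueError("state expired")
    returned = query.get("state", [None])[0]
    if returned is None:
        # RFC 6749 4.1.2: state is REQUIRED in the response when it was sent
        raise ValueError("IdP did not return state (non-compliant IdP?)")
    if not hmac.compare_digest(returned.encode(), pending["value"].encode()):
        raise ValueError("state mismatch: login was not started here (CSRF)")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("no authorization code in response")
    return code


def demo():
    """One honest round-trip, then a replay of the already consumed state."""
    session = {}  # constructed stand-in for the server-side session
    url = build_authorization_url(session, "https://idp.example/auth",
                                  "kohaoidc", "https://koha.example/callback")
    state = parse_qs(urlsplit(url).query)["state"][0]
    code = validate_callback(
        session, f"https://koha.example/callback?code=abc&state={state}")
    try:  # the same state presented again must be refused
        validate_callback(
            session, f"https://koha.example/callback?code=x&state={state}")
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    return code, replay
```

The missing-state branch is the case comment #3 worries about with non-compliant IdPs: the client cannot tell an IdP that dropped `state` from a forged callback, so it has to fail closed.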


[Koha-bugs] [Bug 33675] Add CSRF protection to OAuth/OIDC authentication

2023-05-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675

Tomás Cohen Arazi  changed:

   What|Removed |Added

Summary|OAuth should support state  |Add CSRF protection to
   |parameter   |OAuth/OIDC authentication
