feat: client-side PKCE take 3 #4078
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
alnr
force-pushed
the
alnr/oidc-callback-url-2
branch
2 times, most recently
from
79b76d6
to
03478f9
Compare
alnr
force-pushed
the
alnr/oidc-callback-url-2
branch
from
408913d
to
8397b5c
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4078 +/- ##
==========================================
- Coverage 78.92% 78.46% -0.46%
==========================================
Files 373 376 +3
Lines 27123 26728 -395
==========================================
- Hits 21406 20973 -433
- Misses 4129 4150 +21
- Partials 1588 1605 +17 ☔ View full report in Codecov by Sentry. |
alnr
force-pushed
the
alnr/oidc-callback-url-2
branch
3 times, most recently
from
b098326
to
0c294ed
Compare
There was a problem hiding this comment.
Very nice and clean! The only thing that could suprise users is that pkce set to force will also change the callback URL, but at least it is well documented in the config schema.
Maybe we could set the issuer URL for more of the pre-configured providers, so that this will be an automatic security improvement for as many users as possible?
This change introduces a new configuration for OIDC providers: pkce with values auto (default), never, force. When auto is specified or the field is omitted, Kratos will perform autodiscovery and perform PKCE when the server advertises support for it. This requires the issuer_url to be set for the provider. never completely disables PKCE support. This is only theoretically useful: when a provider advertises PKCE support but doesn't actually implement it. force always sends a PKCE challenge in the initial redirect URL, regardless of what the provider advertises. This setting is useful when the provider offers PKCE but doesn't advertise it in his ./well-known/openid-configuration. Important: When setting pkce: force, you must whitelist a different return URL for your OAuth2 client in the provider's configuration. Instead of <base-url>/self-service/methods/oidc/callback/<provider>, you must use <base-url>/self-service/methods/oidc/callback (note missing last path segment). This is to enable the use of the same OAuth client ID+secret when configuring several Kratos OIDC providers, without having to whitelist individual redirect_uris for each Kratos provider config.
alnr
force-pushed
the
alnr/oidc-callback-url-2
branch
from
0c294ed
to
91b5cd3
Compare
There was a problem hiding this comment.
Good stuff! I'm mostly worried about regressions for existing OIDC providers. In particular I'm worried about redirects we do in Ory Network.
The easiest way to test this is to set up kratos before this patch with some OIDC connections, and then check if those work like they did before after those changes.
| func encryptState(ctx context.Context, c cipher.Cipher, state *oidcv1.State) (ciphertext string, err error) { | ||
| m, err := proto.Marshal(state) | ||
| if err != nil { | ||
| return "", herodot.ErrInternalServerError.WithReasonf("Unable to marshal state: %s", err) |
There was a problem hiding this comment.
Add WithStack for trace information across all error returns, it makes debugging significantly easier :)
|
|
||
| var newStyleState = false | ||
|
|
||
| func TestHookEnableNewStyleState(t *testing.T) { |
There was a problem hiding this comment.
Please don't reference the testing library in production code, but instead move this to _test.go files. If you include it, the testing library adds flags and has other side effects on the production binary. If you need to include this function in another else (like we do with persister tests), move it to a separate package. If the package is not referenced by production code, it is not included.
For example, running go run . version -test.short no longer fails with an invalid argument (as opposed to go run . version -asdf), because the flag is now defined. This can have unintended consequences / side effects.
There was a problem hiding this comment.
This code will be removed as soon as we have completed the two-step rollout on Ory Network.
| @@ -43,6 +44,11 @@ func (c *XChaCha20Poly1305) Encrypt(ctx context.Context, message []byte) (string | |||
| return "", herodot.ErrInternalServerError.WithWrap(err).WithReason("Unable to generate key") | |||
| } | |||
|
|
|||
| // Make sure the size calculation does not overflow. | |||
| if len(message) > math.MaxInt-aead.NonceSize()-aead.Overhead() { | |||
There was a problem hiding this comment.
This method is taken from cryptopasta, if I recall correctly. Could you point me to the documentation / issue this addresses? This method is being used in several places, and I am worried this will introduce regressions. Granted, MaxInt is pretty large.
There was a problem hiding this comment.
The AES-GCM code comes from cryptopasta. The XChaCha code was hand-written from the start.
In an earlier revision of this PR, I touched this code but reverted it later to the original version. GitHub's security scanner then started complaining, correctly, that the size calculation below could overflow. Even though the code was unchanged from master. So I added this assertion, which is the exact same as the one in Hydra.
| @@ -63,10 +62,12 @@ func TestGetCmd(t *testing.T) { | |||
| return out | |||
| } | |||
| transform := func(token string) string { | |||
| if !encrypt { | |||
| return token | |||
| if encrypt { | |||
There was a problem hiding this comment.
I assume this changed because we now, somewhere, properly check if the token can be decrypted and then this test failed?
There was a problem hiding this comment.
Exactly. I changed most tests across Kratos to actually use encryption, and this one was the only one to fail. Good sign :)
| config.ViperKeySecretsCookie: []string{randx.MustString(32, randx.AlphaNum)}, | ||
| config.ViperKeySecretsDefault: []string{randx.MustString(32, randx.AlphaNum)}, |
There was a problem hiding this comment.
Are these now always required? If so, have the quickstarts been adjusted?
There was a problem hiding this comment.
They are not strictly required, but I would consider it insecure to run Kratos without these even before this changeset.
| @@ -5,6 +5,28 @@ | |||
| "ui": { | |||
| "method": "POST", | |||
| "nodes": [ | |||
| { | |||
There was a problem hiding this comment.
Is it expected for these existing OIDC snapshots to be updated?
There was a problem hiding this comment.
Yes, because I configured additional OIDC providers (those with PKCE=force,auto,never).
| return []oauth2.AuthCodeOption{oauth2.VerifierOption(s.GetPkceVerifier())} | ||
| } | ||
|
|
||
| func maybePKCE(ctx context.Context, d pkceDependencies, _p Provider) (verifier string) { |
There was a problem hiding this comment.
nit: underscore is possible to use in Go, but uncommon since it's the throwaway variable name, e.g. _ context.Context. Better would be to use p Provider and oauth2Provider, ok := p.(OAuth2Provider)
| } | ||
|
|
||
| func (s *State) String() string { | ||
| return base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", s.FlowID, s.Data))) |
There was a problem hiding this comment.
We rely on this format in RedirectSocialAuthenticationFlows in our other repository. Changing this method will most likely cause regressions there. Are you aware of this?
There was a problem hiding this comment.
Yes I am aware, that's why the toggle (which defaults to the old-style state generation) exists in the first place. I will adjust the code in cloud to work with both state generation versions before we activate the new one.
| } | ||
|
|
||
| func ParseStateCompatiblity(ctx context.Context, c cipher.Cipher, s string) (*oidcv1.State, error) { | ||
| // new-style: encrypted |
There was a problem hiding this comment.
New style probably won't work with RedirectSocialAuthenticationFlows
There was a problem hiding this comment.
Yep, we need a two-step rollout for this (hence the temporary toggle).
This change introduces a new configuration for OIDC providers:
pkcewith valuesauto(default),never,force.When
autois specified or the field is omitted, Kratos will perform autodiscovery and perform PKCE when the server advertises support for it. This requires theissuer_urlto be set for the provider.nevercompletely disables PKCE support. This is only theoretically useful: when a provider advertises PKCE support but doesn't actually implement it.forcealways sends a PKCE challenge in the initial redirect URL, regardless of what the provider advertises. This setting is useful when the provider offers PKCE but doesn't advertise it in his./well-known/openid-configuration.Important: When setting
pkce: force, you must whitelist a different return URL for your OAuth2 client in the provider's configuration. Instead of<base-url>/self-service/methods/oidc/callback/<provider>, you must use<base-url>/self-service/methods/oidc/callback(note missing last path segment). This is to enable the use of the same OAuth client ID+secret when configuring several Kratos OIDC providers, without having to whitelist individualredirect_uris for each Kratos provider config.Supersedes #4033
Supersedes #4059
Closes #4009
Ref https://github.com/ory-corp/cloud/issues/6613