State Cookie Not Found (mod_auth_openidc)

Open jamesacris opened this issue 1 year ago • 2 comments

Hello,

I'm facing a strange issue with OIDC. After what appears to be a successful authentication against the OIDC provider, I end up in a redirect loop, resulting in the browser throwing a 'too many redirects' error. In the apache logs, I can see this loop repeating:

...
... [auth_openidc:error] ... oidc_restore_proto_state: no "mod_auth_openidc_state_DVZRgAI5nzoxvAJ6EO-TOg" state cookie found: check domain and samesite cookie settings
... [auth_openidc:error] ... oidc_authorization_response_match_state: unable to restore state
... [auth_openidc:warn]  ... oidc_handle_authorization_response: invalid authorization response state; a default SSO URL is set, sending the user there: http://<MISP_BASE_URL>
...

I have confirmed that this only occurs after successful authorisation of the user - if they do not have the correct claims in their JWT they land on the correct 'permission denied' page, accompanied by a log, which is to be expected:

... [authz_core:error] ... user <id>@<url_of_idp>: authorization failure for "/":

It appears that this is a problem with the way mod_auth_openidc is used; in particular, it appears that the state cookie cannot be found (is it deleted too early for some reason?), or there is some problem with redirects after a successful authentication.

Anyone know why this could be happening?

My relevant config:

In docker-compose.yml:

PHP_SESSIONS_COOKIE_SAMESITE: Strict
MISP_BASEURL: http://<MISP_host>:8080
OIDC_LOGIN: true
OIDC_PROVIDER: https://<OIDC_provider_url>/.well-known/openid-configuration
OIDC_CLIENT_ID: 👾
OIDC_CLIENT_SECRET: 👾
OIDC_AUTHENTICATION_METHOD: client_secret_jwt
OIDC_CLIENT_CRYPTO_PASS: 👾
OIDC_CODE_CHALLENGE_METHOD: S256

In misp.conf:

...
    {% if OIDC_LOGIN %}
    OIDCProviderMetadataURL {{ OIDC_PROVIDER }}
    OIDCRedirectURI {{ MISP_BASEURL }}/oauth2callback
    OIDCCryptoPassphrase {{ OIDC_CLIENT_CRYPTO_PASS }}
    OIDCClientID {{ OIDC_CLIENT_ID }}
    OIDCClientSecret {{ OIDC_CLIENT_SECRET }}
    OIDCDefaultURL {{ MISP_BASEURL }}
    OIDCCookieSameSite On
    OIDCCookieDomain <MISP_host>
    OIDCCookiePath /
    OIDCStateTimeout 300
    OIDCProviderTokenEndpointAuth {{ OIDC_AUTHENTICATION_METHOD }}
    {% if OIDC_CODE_CHALLENGE_METHOD %}
    OIDCPKCEMethod {{ OIDC_CODE_CHALLENGE_METHOD }}
    {% endif %}
    OIDCScope "openid email profile"
...

The OIDCCookie settings are suspect to me due to the error message, but I've tried changing them and not had any luck so far.

Note I have also made the changes described in this comment to use the groups claim rather than roles.

jamesacris avatar Apr 14 '23 11:04 jamesacris

Further information: Using my browser's developer tools, I can see that the state and session cookies have an expiry date in the past:

Set-Cookie: mod_auth_openidc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=<MISP_host>; HttpOnly
Set-Cookie: mod_auth_openidc_state_Aa1tEMd3qm3RoaCAyGyupKAMqco=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=<MISP_host>; HttpOnly
Set-Cookie: mod_auth_openidc_state_68bz5KOz7emZvml8O-J7Pvc4TKo=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=<MISP_host>; HttpOnly
Set-Cookie: mod_auth_openidc_session=655665dc-cb7e-4504-9e00-0bf0e09313f1; Path=/; Domain=<MISP_host>; HttpOnly

As far as I can gather, this is often done as a means of deleting the cookie. Not sure why these cookies have been deleted, but that's probably causing the error. Anyone know why this might happen?

jamesacris avatar Apr 18 '23 12:04 jamesacris

Thinking about it, it's possible this is from a previous browser session so maybe this is expected behaviour. Could be a red herring.

jamesacris avatar Apr 19 '23 14:04 jamesacris
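The error in the issue body ("no ... state cookie found: check domain and samesite cookie settings") and the expired Set-Cookie headers in the follow-up comment both come down to one question: will the browser send the state cookie back on the IdP's redirect to OIDCRedirectURI? That redirect is a cross-site, top-level navigation, so the SameSite attribute, the Domain attribute and the Secure flag all decide it. The script below is an added example, not code from MISP or mod_auth_openidc: it models the browser's cookie-return decision (RFC 6265 matching plus the SameSite rules) and applies it to a state cookie set under the configuration shown in the issue. The hostnames `misp.example.com` and `idp.example.org`, the cookie values and the Set-Cookie sample lines are constructed placeholders for `<MISP_host>` and `<OIDC_provider_url>`; the `diagnose_callback` helper is hypothetical and is not part of either project.

```python
"""Model whether a browser returns the mod_auth_openidc state cookie on the
IdP -> OIDCRedirectURI redirect. Added example; assumptions are marked."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample headers in the shape the issue quotes (placeholder host).
SAMPLE_SET_COOKIES = [
    "mod_auth_openidc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=misp.example.com; HttpOnly",
    "mod_auth_openidc_state_abc=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=misp.example.com; HttpOnly",
    "mod_auth_openidc_session=655665dc-cb7e-4504-9e00-0bf0e09313f1; Path=/; Domain=misp.example.com; HttpOnly",
]

@dataclass
class Cookie:
    name: str
    value: str
    domain: str | None = None   # None -> host-only cookie (no Domain attribute)
    path: str = "/"
    secure: bool = False
    http_only: bool = False
    samesite: str = "Lax"       # modern browsers treat an absent SameSite as Lax
    expires: datetime | None = None

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; Expires uses the RFC 1123 date form."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name=name, value=value)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            c.domain = val.lstrip(".").lower()
        elif key == "path":
            c.path = val or "/"
        elif key == "secure":
            c.secure = True
        elif key == "httponly":
            c.http_only = True
        elif key == "samesite":
            c.samesite = val.capitalize()
        elif key == "expires":
            c.expires = parsedate_to_datetime(val)
    return c

def is_deletion(c: Cookie, now: datetime | None = None) -> bool:
    """A Set-Cookie whose Expires is already in the past removes the cookie."""
    now = now or datetime.now(timezone.utc)
    return c.expires is not None and c.expires <= now

def site_of(host: str) -> str:
    """Crude registrable-domain approximation (no public-suffix list): last two labels."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def domain_matches(host: str, cookie_domain: str) -> bool:
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def would_send(c: Cookie, request_url: str, *, initiator_host: str | None,
               top_level: bool, method: str, set_from_host: str) -> tuple[bool, str]:
    """Return (sent, reason) for attaching cookie c to request_url.
    initiator_host: host that caused the request (the IdP for the callback redirect).
    set_from_host: host whose response originally set the cookie."""
    u = urlsplit(request_url)
    host = (u.hostname or "").lower()          # Domain matching ignores the port
    if is_deletion(c):
        return False, "cookie expired/deleted"
    if c.domain is not None and not domain_matches(set_from_host, c.domain):
        return False, f"Domain={c.domain} rejected: does not cover setting host {set_from_host}"
    if c.secure and u.scheme != "https":
        return False, "Secure cookie not sent over plain http"
    if c.domain is None and host != set_from_host.lower():
        return False, "host-only cookie, request host differs"
    if c.domain is not None and not domain_matches(host, c.domain):
        return False, f"Domain={c.domain} does not cover {host}"
    req_path = u.path or "/"
    if not (req_path == c.path or req_path.startswith(c.path.rstrip("/") + "/")):
        return False, f"Path={c.path} does not cover {req_path}"
    cross_site = initiator_host is not None and site_of(initiator_host) != site_of(host)
    if cross_site and c.samesite == "Strict":
        return False, "SameSite=Strict: not sent on a cross-site request, even top-level"
    if cross_site and c.samesite == "Lax" and not (top_level and method.upper() in ("GET", "HEAD")):
        return False, "SameSite=Lax: cross-site only for top-level GET (form_post callbacks fail)"
    if c.samesite == "None" and not c.secure:
        return False, "SameSite=None requires Secure"
    return True, "sent"

def diagnose_callback(samesite: str, cookie_domain: str | None, base_url: str,
                      idp_host: str, method: str = "GET") -> tuple[bool, str]:
    """Hypothetical helper: state cookie set by the RP, then the IdP redirects the
    browser to <base_url>/oauth2callback (the OIDCRedirectURI in the issue)."""
    rp_host = urlsplit(base_url).hostname or ""
    state = Cookie("mod_auth_openidc_state_abc", "encrypted-state", domain=cookie_domain,
                   http_only=True, samesite=samesite)
    callback = base_url.rstrip("/") + "/oauth2callback?code=x&state=abc"
    return would_send(state, callback, initiator_host=idp_host, top_level=True,
                      method=method, set_from_host=rp_host)

if __name__ == "__main__":
    base = "http://misp.example.com:8080"   # constructed stand-in for MISP_BASEURL
    for ss in ("Strict", "Lax"):
        print(ss, diagnose_callback(ss, "misp.example.com", base, "idp.example.org"))
    print("Lax+form_post", diagnose_callback("Lax", "misp.example.com", base, "idp.example.org", "POST"))
    print("wrong Domain", diagnose_callback("Lax", "other.example.com", base, "idp.example.org"))
    for h in SAMPLE_SET_COOKIES:
        c = parse_set_cookie(h)
        print(c.name, "deleted" if is_deletion(c) else "stored", "HttpOnly" if c.http_only else "")
```

Running it shows the two things worth checking against the logs and the developer-tools output: a state cookie that reaches the browser with SameSite=Strict (or a Domain that does not cover the host the IdP redirects to) is never returned on the callback, which is exactly the "no state cookie found" path, whereas a Lax or host-only cookie survives a top-level GET callback; and a Set-Cookie with a 1970 Expires is a deletion, so seeing it once is normal after a completed or abandoned flow, as the follow-up comment suspects. Note that the modelled rules are the generic browser behaviour, not a statement of what a given mod_auth_openidc version emits; compare the attributes this script parses with the ones your Apache actually sends on the 302 to the IdP.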