
bad nonce error on oidc login flow

Open verdin opened this issue 5 years ago • 5 comments

While using the OIDC login flow, on the first login attempt from a clean tab I get the error "bad nonce". Going back to https://myserver.mydomain.com/signin allows me to try again, and the second time it works.

From looking at my traffic with an intercept proxy I was able to confirm that my state (nonce) looks the same throughout the sign-on flow and that the URLs of the successful flows look the same as the "bad nonce" ones, up to the point where the "bad nonce" comes back from the server.

The message seems to originate from here: https://github.com/Place1/wg-access-server/blob/89ab8fa29798f4eb79bf009b2a011f7666043cb1/pkg/authnz/authconfig/oidc.go#L88

I thought it might have been timeout related to this value: https://github.com/Place1/wg-access-server/blob/89ab8fa29798f4eb79bf009b2a011f7666043cb1/pkg/authnz/authconfig/oidc.go#L31

But my attempts to fix this by increasing the timeout were unsuccessful (changes: https://github.com/verdin/wg-access-server/commit/34872ba7e98a7d378dd8494e4e046c632cae7039). Even after making these changes I was still getting the "bad nonce" error, although the server log "runtime error: invalid memory" error seemed to be gone, or less common.

My OIDC provider is AWS Cognito.

I am interested in digging into this but don't really know where to look next. I am also happy to run any tests or pull any logs that would be helpful.

Server log error, happens when I get "bad nonce":

time="2020-04-26T08:11:17Z" level=info msg="finished unary call with code OK" file="server_interceptors.go:95" grpc.code=OK grpc.method=ListDevices grpc.service=proto.Devices grpc.start_time="2020-04-26T08:11:17Z" grpc.time_ms=0.755 span.kind=server system=grpc
2020/04/26 23:14:06 http: panic serving 10.0.10.16:58098: runtime error: invalid memory address or nil pointer dereference
goroutine 333170 [running]:
net/http.(*conn).serve.func1(0xc000568320)
        /usr/local/go/src/net/http/server.go:1767 +0x139
panic(0xbb9960, 0x12e57b0)
        /usr/local/go/src/runtime/panic.go:679 +0x1b2
main.main.func2(0x0, 0xc0002ad440, 0xc000114900)
        /code/main.go:140 +0x2a
github.com/place1/wg-access-server/pkg/authnz.(*AuthMiddleware).Wrap.func4(0xdcf5c0, 0xc000566000, 0xc000114900)
        /code/pkg/authnz/router.go:69 +0x3b2
net/http.HandlerFunc.ServeHTTP(0xc000507f80, 0xdcf5c0, 0xc000566000, 0xc000114900)
        /usr/local/go/src/net/http/server.go:2007 +0x44
github.com/gorilla/mux.(*Router).ServeHTTP(0xc000162900, 0xdcf5c0, 0xc000566000, 0xc000114700)
        /go/pkg/mod/github.com/gorilla/[email protected]/mux.go:210 +0xe2
github.com/gorilla/mux.(*Router).ServeHTTP(0xc000162000, 0xdcf5c0, 0xc000566000, 0xc000114500)
        /go/pkg/mod/github.com/gorilla/[email protected]/mux.go:210 +0xe2
net/http.serverHandler.ServeHTTP(0xc0005660e0, 0xdcf5c0, 0xc000566000, 0xc000114500)
        /usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc000568320, 0xdd1340, 0xc0006aca40)
        /usr/local/go/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:2928 +0x384
2020/04/26 23:14:30 http: panic serving 10.0.10.16:58100: runtime error: invalid memory address or nil pointer dereference
goroutine 333182 [running]:
net/http.(*conn).serve.func1(0xc000569900)
        /usr/local/go/src/net/http/server.go:1767 +0x139
panic(0xbb9960, 0x12e57b0)
        /usr/local/go/src/runtime/panic.go:679 +0x1b2
main.main.func2(0x0, 0xc0002ad440, 0xc000115400)
        /code/main.go:140 +0x2a
github.com/place1/wg-access-server/pkg/authnz.(*AuthMiddleware).Wrap.func4(0xdcf5c0, 0xc0005662a0, 0xc000115400)
        /code/pkg/authnz/router.go:69 +0x3b2
net/http.HandlerFunc.ServeHTTP(0xc000507f80, 0xdcf5c0, 0xc0005662a0, 0xc000115400)
        /usr/local/go/src/net/http/server.go:2007 +0x44
github.com/gorilla/mux.(*Router).ServeHTTP(0xc000162900, 0xdcf5c0, 0xc0005662a0, 0xc000115200)
        /go/pkg/mod/github.com/gorilla/[email protected]/mux.go:210 +0xe2
github.com/gorilla/mux.(*Router).ServeHTTP(0xc000162000, 0xdcf5c0, 0xc0005662a0, 0xc000114f00)
        /go/pkg/mod/github.com/gorilla/[email protected]/mux.go:210 +0xe2
net/http.serverHandler.ServeHTTP(0xc0005660e0, 0xdcf5c0, 0xc0005662a0, 0xc000114f00)
        /usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc000569900, 0xdd1340, 0xc000302880)
        /usr/local/go/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:2928 +0x384

My OIDC section in config.yaml:

oidc:
  name: "AWSCognito" # anything you want
  issuer: "https://cognito-idp.us-west-2.amazonaws.com/us-west-[...]" # Should point to the oidc url without .well-known
  clientID: "j[...]f"
  clientSecret: "p9[...]4"
  scopes: ["openid"]  # list of scopes, defaults to ["openid"]
  redirectURL: "https://[...].[...].[...].com/auth/callback" # full url you want the oidc to redirect to, example: https://vpn-admin.example.com/finish-signin
  # Optionally restrict login to users with an allowed email domain
  # if empty or omitted, any email domain will be allowed.
  # emailDomains:
  #   - example.com

verdin avatar Apr 27 '20 00:04 verdin

@verdin sorry for being so slow to reply here.

I'm unsure what the issue is but it might be an issue with Cookies.

The nonce is saved in the client's session here (code). Is something in your setup breaking the session cookie? Perhaps a browser extension or a proxy dropping the session cookie?

Place1 avatar May 10 '20 02:05 Place1
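Place1's comment above says the nonce lives in the client's session, and the issue body notes that the state/nonce looks identical across the successful and failing flows. The following is an added illustration of that check in Go; it is not code from wg-access-server. It stores the nonce in an HMAC-signed session cookie and, on the callback, distinguishes "no session cookie arrived" (the dropped-cookie hypothesis) from "nonce mismatch", since a single "bad nonce" message hides which of the two happened. The cookie name, the key, and the NonceStore type are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Two distinct failure modes that a single "bad nonce" message would hide:
// the browser never presented the session cookie on the callback, or it did
// but the nonce claim in the ID token does not match what we issued.
var (
	ErrNoSession     = errors.New("oidc: no valid session cookie on callback (dropped by browser, proxy or extension?)")
	ErrNonceMismatch = errors.New("oidc: nonce claim does not match the one issued for this session")
)

// nonceCookie is a hypothetical cookie name chosen for this example.
const nonceCookie = "oidc_nonce"

// NonceStore keeps the per-login nonce in an HMAC-signed cookie (example type).
type NonceStore struct {
	Key    []byte // HMAC key; in a real deployment this comes from configuration
	Secure bool   // set the Secure flag (true behind HTTPS)
}

func (s *NonceStore) sign(v string) string {
	m := hmac.New(sha256.New, s.Key)
	m.Write([]byte(v))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Begin generates a fresh random nonce, stores it in the session cookie and
// returns it so the caller can place it in the authorize request and later
// expect it back in the ID token's nonce claim.
func (s *NonceStore) Begin(w http.ResponseWriter) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := base64.RawURLEncoding.EncodeToString(raw)
	http.SetCookie(w, &http.Cookie{
		Name:     nonceCookie,
		Value:    nonce + "." + s.sign(nonce),
		Path:     "/",
		MaxAge:   300, // the login round trip should finish within a few minutes
		HttpOnly: true,
		Secure:   s.Secure,
		// Lax rather than Strict: the provider returns the user with a cross-site
		// top-level redirect, and a Strict cookie is not sent on that request,
		// which would surface as the "no session" failure below.
		SameSite: http.SameSiteLaxMode,
	})
	return nonce, nil
}

// Verify checks the nonce claim taken from the ID token against the session cookie.
func (s *NonceStore) Verify(r *http.Request, tokenNonce string) error {
	c, err := r.Cookie(nonceCookie)
	if err != nil {
		return ErrNoSession
	}
	dot := strings.LastIndexByte(c.Value, '.')
	if dot < 0 {
		return ErrNoSession
	}
	nonce, sig := c.Value[:dot], c.Value[dot+1:]
	if !hmac.Equal([]byte(sig), []byte(s.sign(nonce))) {
		return ErrNoSession // tampered or foreign cookie: treat like no session
	}
	if subtle.ConstantTimeCompare([]byte(nonce), []byte(tokenNonce)) != 1 {
		return ErrNonceMismatch
	}
	return nil
}

func main() {
	store := &NonceStore{Key: []byte("example-key-do-not-use")}
	rec := httptest.NewRecorder()
	nonce, _ := store.Begin(rec)

	// Callback that carries the cookie back: accepted.
	ok := httptest.NewRequest("GET", "/auth/callback", nil)
	ok.AddCookie(rec.Result().Cookies()[0])
	fmt.Println("with cookie:", store.Verify(ok, nonce))

	// Callback where the cookie was dropped somewhere along the way.
	bare := httptest.NewRequest("GET", "/auth/callback", nil)
	fmt.Println("without cookie:", store.Verify(bare, nonce))
}
```

Logging which of the two errors fired on the callback is the quickest way to tell a cookie problem (extension, proxy, SameSite or Secure attribute) apart from a provider that returns a different nonce claim than the one it was sent.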

Thanks for your reply, no problem, we're all busy. I tested with a fresh private tab with my cookie remover disabled (I did have one) and ad block turned off. I also had a friend test it. Still gives the same error. I just set up another OpenID provider and am going to test against that next.

verdin avatar May 13 '20 06:05 verdin

After digging into this more I was still unable to prevent this problem. It seems like AWS Cognito may not handle the nonce in a normal way, or something about my setup interferes with the URL. I am using Traefik as a reverse proxy, if that's relevant.

To resolve this problem for my setup I used another OIDC login with Traefik Forward Auth in front of the web interface. I have not determined why this works without the nonce problem. I'll update this issue if I figure it out.

verdin avatar May 31 '20 07:05 verdin

@verdin Do you mind sharing your docker compose? I'm using Traefik with forward auth too and am able to access the wg-access-server webui and generate tunnels but when connecting to the VPN from my phone it doesn't work.

robflate avatar Jun 09 '20 15:06 robflate

Hi @robflate, apologies for the late reply, here are my configs: https://github.com/verdin/wg-traefik-files.

My setup was originally based on Docker Swarm, so you might see some warnings from that sort of config; it still works in normal docker-compose.

verdin avatar Jul 19 '20 05:07 verdin