
OAuth1.0 should not validate the timestamp against server's system clock

Open higuhi opened this issue 2 years ago • 11 comments

Preconditions and environment

  • Magento version: 2.x (found in 2.4.0 and also confirmed on vanilla 2.5.4)
  • Anything else that would help a developer reproduce the bug

Steps to reproduce

Step 1 - Magento Setup

  1. Setup clean vanilla Magento
  2. Go to SYSTEM > Integrations and click "Add New Integration"
  3. Fill in the form and create a new integration (choose ALL for Available APIs)

Step 2 - OAuth1.0 Test Client

You can use any OAuth1.0 Client, but you can quickly set up a test client if you have PHP and composer. Note that the client must run outside the Magento server because we need to change the time of the client to replicate the issue.

  1. make sure you can run the PHP and composer commands
  2. run composer require guzzlehttp/oauth-subscriber
  3. copy and paste the PHP script below and update the base URL and OAuth credentials
  4. run the script to see if it works (you should get an HTTP 400 error response)
  5. change the client PC's clock to a future time, such as tomorrow (the time must be more than 10 minutes ahead of the Magento server clock)
  6. run the script and you will get an HTTP 401 error response with "An error occurred validating the nonce"

<?php

require_once 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Subscriber\Oauth\Oauth1;

$stack = HandlerStack::create();

// Base URL of your Magento instance
$baseURL = '<Your Base URL>';

// Integration credentials (from SYSTEM > Integrations)
$middleware = new Oauth1([
    'consumer_key'     => '<Your Consumer Key>',
    'consumer_secret'  => '<Your Consumer Secret>',
    'token'            => '<Your Token>',
    'token_secret'     => '<Your Token Secret>',
    'signature_method' => Oauth1::SIGNATURE_METHOD_HMACSHA256,
]);
$stack->push($middleware);

$client = new Client([
    'base_uri' => $baseURL,
    'handler'  => $stack,
]);

// Set the "auth" request option to "oauth" to sign the request with OAuth 1.0
try {
    $res = $client->get('rest/V1/products', ['auth' => 'oauth']);
} catch (\Exception $ex) {
    // 400 (missing searchCriteria) means the signature was accepted;
    // 401 means the nonce/timestamp check rejected the request
    echo "You should get HTTP ERROR Response 400 with parameter error here \n";
    echo $ex->getMessage();
}

Expected result

You should get HTTP ERROR Response 400 with parameter error here 
Client error: `GET http://vanila-shop.europeanspermbank.com/rest/V1/products` resulted in a `400 Bad Request` response:
{"message":"\"%fieldName\" is required. Enter and try again.","parameters":{"fieldName":"searchCriteria"},"trace":"#0 \/ (truncated...)

Actual result

You should get HTTP ERROR Response 400 with parameter error here 
Client error: `GET http://vanila-shop.europeanspermbank.com/rest/V1/products` resulted in a `401 Unauthorized` response:
{"message":"An error occurred validating the nonce","trace":"#0 \/var\/www\/html\/magento\/vendor\/magento\/framework\/O (truncated...)

Even if the client PC or the server incorrectly has its clock set in the future, Magento should not reject the request as long as the timestamp is newer than the timestamp of the previous request.

Additional information

When OAuth1 authentication is used, the following code validates the nonce and timestamp from the client requesting authentication.

https://github.com/magento/magento2/blob/91549b925da128ba79807400f551f2b2d0cfeed9/app/code/Magento/Integration/Model/Oauth/Nonce/Generator.php#L79

According to the if condition in line 79, it rejects the request if the timestamp is in the future by more than TIME_DEVIATION, which is 10 minutes.

In other words, if the client mistakenly has a wrong time in the future OR the Magento server incorrectly has a time in the past, the client is not authenticated.

This validation logic that checks the client's timestamp against the server's system clock is wrong because:

  • it is not defined in OAuth1.0 (see https://oauth.net/core/1.0/#nonce) - it only says "The timestamp value MUST be a positive integer and MUST be equal or greater than the timestamp used in previous requests", so we only need to check the timestamp against the timestamp used in the previous request, not against the server's timestamp.
  • we cannot expect all client PC/servers to have the correct system time

I am not sure, but the issue reported at https://github.com/magento/magento2/issues/33724 might be caused by this.

Release note

No response

Triage and priority

  • [ ] Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • [ ] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • [ ] Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • [X] Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • [ ] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

higuhi, Sep 13 '22 09:09
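To make the two policies concrete, here is an added PHP sketch (it is not Magento's Generator.php and not the reporter's script): validateAgainstClock applies the 10-minute server-clock bound the issue describes, while validateAgainstPrevious applies only the OAuth 1.0 wording quoted above. The class and method names, the in-memory storage and the timestamps are assumptions made for the illustration.

```php
<?php
// Added illustration, not Magento's code: the two timestamp policies the issue
// contrasts. State is kept in memory here; Magento persists it in the database.
final class NonceValidator
{
    const TIME_DEVIATION = 600; // the 10-minute bound the issue describes
    private $lastTimestamp = []; // consumer key => last accepted timestamp
    private $seen = [];          // "consumer:timestamp:nonce" => true

    // Clock-bound policy: also rejects timestamps more than TIME_DEVIATION
    // seconds ahead of the server clock. $now is injected so a skewed clock
    // can be simulated without touching the system time.
    public function validateAgainstClock(string $consumer, string $nonce, int $timestamp, int $now): string
    {
        if ($timestamp > $now + self::TIME_DEVIATION) {
            return 'rejected: timestamp too far in the future';
        }
        return $this->validateAgainstPrevious($consumer, $nonce, $timestamp);
    }

    // Spec-only policy (OAuth Core 1.0, "Nonce and Timestamp"): positive
    // integer, not older than the previous request, nonce unique per timestamp.
    public function validateAgainstPrevious(string $consumer, string $nonce, int $timestamp): string
    {
        if ($timestamp <= 0) {
            return 'rejected: timestamp must be a positive integer';
        }
        if ($timestamp < ($this->lastTimestamp[$consumer] ?? 0)) {
            return 'rejected: timestamp older than previous request';
        }
        $key = "$consumer:$timestamp:$nonce";
        if (isset($this->seen[$key])) {
            return 'rejected: nonce already used for this timestamp (replay)';
        }
        $this->seen[$key] = true;
        $this->lastTimestamp[$consumer] = $timestamp;
        return 'accepted';
    }
}
$v = new NonceValidator();
$serverNow = 1663059600;          // constructed server clock
$clientNow = $serverNow + 86400;  // client clock one day ahead, as in step 5
// Clock-bound: the skewed client is rejected even though it is not replaying.
echo $v->validateAgainstClock('key1', 'nonce-a', $clientNow, $serverNow), "\n";
// Spec-only: the same request is accepted, and a replay of it is still caught.
echo $v->validateAgainstPrevious('key1', 'nonce-a', $clientNow), "\n";
echo $v->validateAgainstPrevious('key1', 'nonce-a', $clientNow), "\n";
// Caveat: once the client clock is corrected, its real-time timestamps are
// older than the accepted future one, so it stays locked out for a day.
echo $v->validateAgainstPrevious('key1', 'nonce-b', $serverNow + 5), "\n";
```

The last call shows the trade-off behind the clock bound: with the spec-only policy a single far-future timestamp is accepted, and the consumer then cannot authenticate with correct time until real time catches up, so whichever policy is chosen, the nonce store needs a retention rule that does not depend on the client clock.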

Hi @higuhi. Thank you for your report. To speed up processing of this issue, make sure that you provided the following information:

  • Summary of the issue
  • Information on your environment
  • Steps to reproduce
  • Expected and actual results

Make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy a vanilla Magento instance on our environment, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, review the Magento Contributor Assistant documentation.

Add a comment to assign the issue: @magento I am working on this

To learn more about issue processing workflow, refer to the Code Contributions.


:warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

:clock10: You can find the schedule on the Magento Community Calendar page.

:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

m2-assistant[bot], Sep 13 '22 09:09

@magento I am working on it

higuhi, Sep 13 '22 09:09

Hi @higuhi! :wave: Thank you for collaboration. Only members of Community Contributors Team are allowed to be assigned to the issue. Please use @magento add to contributors team command to join Contributors team.

m2-assistant[bot], Sep 13 '22 09:09

@magento add to contributors team

higuhi, Sep 13 '22 09:09

Hi @higuhi! :wave: Thank you for joining. Please accept team invitation :point_right: here :point_left: and add your comment one more time.

m2-assistant[bot], Sep 13 '22 09:09

@magento add to contributors team

higuhi, Sep 13 '22 09:09

@magento I am working on it

higuhi, Sep 13 '22 09:09

Hi @engcom-Hotel. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions: :point_down:

  • [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

    Details: If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit the issue description if needed, until the label Issue: Format is valid appears.

  • [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

  • [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

  • [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

    Details:
    - Add the comment @magento give me 2.4-develop instance to deploy a test instance on Magento infrastructure.
    - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

  • [ ] 5. Add label Issue: Confirmed once verification is complete.

  • [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

m2-assistant[bot], Sep 19 '22 14:09

Hello @higuhi,

Thanks for the report and collaboration!

We have tried to reproduce the issue in Magento's development branch, i.e. 2.4-develop, and the issue is reproducible for us. We have also checked the official website of OAuth1.0 for the documentation related to the timestamp, which is as follows:

Nonce and Timestamp: Unless otherwise specified by the Service Provider, the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal or greater than the timestamp used in previous requests.

The Consumer SHALL then generate a Nonce value that is unique for all requests with that timestamp. A nonce is a random string, uniquely generated for each request. The nonce allows the Service Provider to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel (such as HTTP).

We are getting the actual result mentioned in the main description. Hence confirming the issue.

Thanks

engcom-Hotel, Sep 20 '22 14:09

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-6725 is successfully created for this GitHub issue.

github-jira-sync-bot, Sep 20 '22 14:09

:white_check_mark: Confirmed by @engcom-Hotel. Thank you for verifying the issue.
Issue Available: @engcom-Hotel, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

m2-assistant[bot], Sep 20 '22 14:09