gloo
Tokens collision when using oidc / cookies
Version
No response
Is your feature request related to a problem? Please describe.
The following issue was discovered while working towards isolated authN environments in Auth0 using an additional subdomain for a new, lower staging environment. We've set up a new Auth0 tenant with a new custom domain of staging.example.com. Our existing oidc integration with Gloo and Auth0 uses a custom domain of example.com and is working well.
Scenario: Successful login to example.com and staging.example.com
  Given an Auth Config A using oidc with Auth0 for domain example.com
  Given an Auth Config B using oidc with Auth0 for domain staging.example.com
  Given a successful oidc login flow using Auth Config A sets id_token for example.com in browser
  When attempting an additional oidc login flow for Auth Config B
  Then login flow completes AND an additional id_token for staging.example.com exists in the browser

Actual Behavior
The oidc flow for Auth Config B results in an infinite loop of redirects, meaning the "When" step above never completes.
Additional notes
I see the set_cookie working in the /callback for Auth Config B, but it looks like there's a collision at some point, as both id_token cookies then get sent back through the gateway. My guess is that the first (example.com) is given priority in evaluation but fails as it does not match Auth Config B, resulting in a new redirect to /authorize. See the attached screenshot.
It may be worth noting that the example.com cookie is configured as SameSite='None'. This cookie is sent through an additional gateway, configured in gloo, which protects a REST API hosted at api-sub-domain.example.com.
Given a situation where multiple id_tokens may be sent, how is the "most correct" token determined?
Describe the solution you'd like
If multiple tokens exist in the same cookie, they shouldn't collide (Example: logout)
Describe alternatives you've considered
No response
Additional Context
No response
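The collision described in the issue, as an added example that is not part of the original report or of Gloo's code. It uses Go's net/http/cookiejar as a stand-in browser: the Auth Config A callback sets id_token with Domain=example.com, which a browser also attaches to every subdomain, while the Auth Config B callback sets a host-only id_token for staging.example.com. A request to staging.example.com then carries both cookies in creation order, so "take the first id_token" lands on the example.com token; matching the iss claim against the issuer the config trusts picks the right one. The issuer URLs, cookie attributes and the unsigned, JWT-shaped tokens are constructed assumptions for the demo, and nothing here verifies a signature.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"strings"
)

// Assumed issuer URLs for the two Auth0 tenants (Auth Config A and B).
const (
	prodIssuer    = "https://example.com/"
	stagingIssuer = "https://staging.example.com/"
)

// unsignedToken builds a constructed, unsigned JWT-shaped string carrying the
// given issuer. It stands in for a real Auth0 id_token; this example is only
// about which cookie gets picked, not about verifying the token.
func unsignedToken(iss string) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "none", "typ": "JWT"})
	payload := enc(map[string]string{"iss": iss, "sub": "adam"})
	return header + "." + payload + "."
}

// issuerOf reads the iss claim from a JWT payload without verifying anything.
func issuerOf(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("not a JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", err
	}
	return claims.Iss, nil
}

// browserJar replays the two /callback responses from the issue: a Domain
// cookie for example.com (SameSite=None, as in the report) and a host-only
// cookie for staging.example.com.
func browserJar() (http.CookieJar, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return nil, err
	}
	prodCallback, _ := url.Parse("https://example.com/callback")
	jar.SetCookies(prodCallback, []*http.Cookie{{
		Name: "id_token", Value: unsignedToken(prodIssuer),
		Domain: "example.com", Path: "/", Secure: true, SameSite: http.SameSiteNoneMode,
	}})
	stagingCallback, _ := url.Parse("https://staging.example.com/callback")
	jar.SetCookies(stagingCallback, []*http.Cookie{{
		Name: "id_token", Value: unsignedToken(stagingIssuer), Path: "/", Secure: true,
	}})
	return jar, nil
}

// cookiesSentTo returns the cookies the simulated browser attaches to rawURL.
func cookiesSentTo(jar http.CookieJar, rawURL string) []*http.Cookie {
	u, _ := url.Parse(rawURL)
	return jar.Cookies(u)
}

// firstIDToken mirrors the naive "first id_token cookie wins" behaviour the
// issue suspects; with the parent-domain cookie present it picks the wrong one.
func firstIDToken(cookies []*http.Cookie) (string, bool) {
	for _, c := range cookies {
		if c.Name == "id_token" {
			return c.Value, true
		}
	}
	return "", false
}

// idTokenForIssuer keeps the id_token whose iss matches the issuer this auth
// config trusts. A real gateway must still verify the signature afterwards.
func idTokenForIssuer(cookies []*http.Cookie, wantIss string) (string, bool) {
	for _, c := range cookies {
		if c.Name != "id_token" {
			continue
		}
		if iss, err := issuerOf(c.Value); err == nil && iss == wantIss {
			return c.Value, true
		}
	}
	return "", false
}

func main() {
	jar, err := browserJar()
	if err != nil {
		panic(err)
	}
	sent := cookiesSentTo(jar, "https://staging.example.com/app")
	fmt.Printf("staging request carries %d cookie(s)\n", len(sent))
	tok, _ := firstIDToken(sent)
	iss, _ := issuerOf(tok)
	fmt.Println("first id_token issuer:       ", iss)
	tok, _ = idTokenForIssuer(sent, stagingIssuer)
	iss, _ = issuerOf(tok)
	fmt.Println("issuer-matched token issuer: ", iss)
}
```

Selecting by iss only narrows the candidates; the chosen token still has to pass the normal signature, audience and expiry checks before the request is allowed through. Scoping the example.com cookie to a narrower host, or giving the two configs distinct cookie names, avoids the overlap at the browser instead.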
Hey Adam! Do we know what version of gloo was used with this configuration? (to think about backports)