Support for Okta IdP (at least state parameter missing to proceed testing)
nonefaken opened this issue
nonefaken commented
Hello,
Nice project, and a very timely target: solving AJAX redirect issues!
I tried to test the project with Okta as the IdP, but the request to the /authorize endpoint fails with an error on the Okta side: "The authentication request has an invalid state parameter".
Okta documentation: https://developer.okta.com/docs/reference/api/oidc/#request-parameters
Okta requires the OAuth 2.0 state parameter on all requests to the /authorize endpoint to prevent cross-site request forgery (CSRF).
The OAuth 2.0 specification requires that clients protect their redirect URIs against CSRF by sending a value in the authorize request that binds the request to the user-agent's authenticated state.
Using the state parameter is also a countermeasure to several other known attacks as outlined in OAuth 2.0 Threat Model and Security Considerations.
A valid request URL example:
https://vinted.oktapreview.com/oauth2/aus1nt2tmuLH9y9mX0x7/v1/authorize?client_id=XxXxXxXxXxXxXx&scope=user&response_type=code&redirect_uri=https://localhost/callback&state=https://localhost/&resource=testing_resource_definition_okta_seems_to_ignore
On success you get redirected back:
https://localhost/callback?code=TRooS-0pD78Gm0zSyg_0t2K8_WIgzzkpGkwIeoUa6Xg&state=https%3A%2F%2Flocalhost%2F
Just in case, my oidc-filter config:
- name: envoy.filters.http.wasm
  typed_config:
    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
    type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
    value:
      config:
        name: oidc-filter
        rootId: oidc-filter_root
        configuration:
          "@type": "type.googleapis.com/google.protobuf.StringValue"
          value: |
            {
              "redirect_uri": "/callback",
              "auth_cluster": "okta-cluster-https",
              "auth_host": "winwin.oktapreview.com",
              "token_uri": "/oauth2/aus1zi2tMuLkay9XX0x7/v1/token",
              "login_uri": "https://winwin.oktapreview.com/oauth2/aus1zi2tMuLkay9XX0x7/v1/authorize",
              "client_id": "0oa1ba2v832E9Xx120xe",
              "client_secret": "ZzzzzzzzzzzzzzzzzzzzTOP"
            }
        vmConfig:
          code:
            local:
              filename: /var/local/lib/wasm-filters/oidc.wasm
          runtime: envoy.wasm.runtime.v8
          vmId: oidc-filter
          allow_precompiled: true
Thank you!
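To illustrate what the state parameter quoted from the Okta docs above is meant to do, here is an added Python sketch (not the oidc-filter's own code, which runs as a proxy-wasm module) of minting a per-request state bound to the user-agent session with an HMAC, putting it on the /authorize redirect, and refusing a callback whose state was not minted for that session. The key, session id, login URI and client id are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _tag(key: bytes, session_id: str, nonce: str) -> str:
    # HMAC binds the random nonce to one session so a state value minted for
    # one browser cannot be replayed into another (the CSRF the state prevents).
    return hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()[:32]


def new_state(key: bytes, session_id: str) -> str:
    """Mint a fresh, unguessable state value for one authorize request."""
    nonce = secrets.token_urlsafe(16)  # URL-safe, so no extra encoding is needed
    return f"{nonce}.{_tag(key, session_id, nonce)}"


def verify_state(key: bytes, session_id: str, state: str) -> bool:
    """True only if the echoed state carries a valid tag for this session."""
    nonce, sep, tag = state.partition(".")
    if not sep or not nonce or not tag:
        return False
    return hmac.compare_digest(_tag(key, session_id, nonce), tag)  # constant time


def build_authorize_url(login_uri: str, client_id: str, redirect_uri: str,
                        scope: str, state: str) -> str:
    """Build the /authorize redirect including the state parameter Okta requires."""
    params = {"client_id": client_id, "scope": scope, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return f"{login_uri}?{urlencode(params)}"


def handle_callback(key: bytes, session_id: str, callback_url: str):
    """Return the authorization code only when the state checks out, else None."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if code is None or state is None or not verify_state(key, session_id, state):
        return None  # missing, foreign or tampered state: drop the code
    return code


if __name__ == "__main__":
    # Constructed values; a real filter would take the key from configuration and
    # the session id from a cookie it sets before redirecting to the IdP.
    key, session = b"constructed-demo-key", "session-abc"
    state = new_state(key, session)
    print(build_authorize_url("https://idp.example/oauth2/v1/authorize",
                              "CLIENT_ID_PLACEHOLDER", "https://localhost/callback", "user", state))
    print(handle_callback(key, session, f"https://localhost/callback?code=demo-code&state={state}"))
```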