dgn / oidc-filter

A WASM plugin for Envoy supporting the OpenID Connect Authorization Flow, extending Istio's JWT functionality

Support for Okta IdP (at least state parameter missing to proceed testing)

nonefaken opened this issue · comments

Hello,

Nice project, and a very timely target: solving AJAX redirect issues!

I tried to test the project with Okta as the IdP, but the request to the /authorize endpoint fails with an error on Okta's side: "The authentication request has an invalid state parameter".

Okta documentation: https://developer.okta.com/docs/reference/api/oidc/#request-parameters

Okta requires the OAuth 2.0 state parameter on all requests to the /authorize endpoint to prevent cross-site request forgery (CSRF).
The OAuth 2.0 specification requires that clients protect their redirect URIs against CSRF by sending a value in the authorize request that binds the request to the user-agent's authenticated state.
Using the state parameter is also a countermeasure to several other known attacks as outlined in OAuth 2.0 Threat Model and Security Considerations.

A valid request URL example:

https://vinted.oktapreview.com/oauth2/aus1nt2tmuLH9y9mX0x7/v1/authorize?client_id=XxXxXxXxXxXxXx&scope=user&response_type=code&redirect_uri=https://localhost/callback&state=https://localhost/&resource=testing_resource_definition_okta_seems_to_ignore

On success you get redirected back:

https://localhost/callback?code=TRooS-0pD78Gm0zSyg_0t2K8_WIgzzkpGkwIeoUa6Xg&state=https%3A%2F%2Flocalhost%2F

Just in case, my oidc-filter config:

          - name: envoy.filters.http.wasm
            typed_config:
              "@type": type.googleapis.com/udpa.type.v1.TypedStruct
              type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
              value:
                config:
                  name: oidc-filter
                  rootId: oidc-filter_root
                  configuration:
                    "@type": "type.googleapis.com/google.protobuf.StringValue"
                    value: |
                      {
                        "redirect_uri": "/callback",
                        "auth_cluster": "okta-cluster-https",
                        "auth_host": "winwin.oktapreview.com",
                        "token_uri": "/oauth2/aus1zi2tMuLkay9XX0x7/v1/token",
                        "login_uri": "https://winwin.oktapreview.com/oauth2/aus1zi2tMuLkay9XX0x7/v1/authorize",
                        "client_id": "0oa1ba2v832E9Xx120xe",
                        "client_secret": "ZzzzzzzzzzzzzzzzzzzzTOP"
                      }
                  vmConfig:
                    code:
                      local:
                        filename: /var/local/lib/wasm-filters/oidc.wasm
                    runtime: envoy.wasm.runtime.v8
                    vmId: oidc-filter
                    allow_precompiled: true

Thank you!

#enhancement
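As an added example (not oidc-filter's own code), the state round trip the quoted Okta documentation requires, written in Go: mint an unguessable state, put it in the /authorize URL, and on the callback check the echoed value against the one stored for the user-agent before the code is exchanged. The login URI and client_id below are placeholders, and the cookie handling itself is left to the proxy.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"net/url"
)

// newState returns an unguessable token to be stored in an HttpOnly, Secure
// cookie before the redirect, so the callback is bound to this user-agent.
func newState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// authorizeURL builds the /authorize request with the state Okta requires
// (the issue's config omits it, which is what triggers the Okta error).
func authorizeURL(loginURI, clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("scope", "openid")
	q.Set("response_type", "code")
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	return loginURI + "?" + q.Encode()
}

// verifyCallback checks the state echoed by the IdP against the cookie value
// in constant time and returns the authorization code only if they match.
func verifyCallback(rawQuery, cookieState string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	got := q.Get("state")
	if got == "" || cookieState == "" ||
		subtle.ConstantTimeCompare([]byte(got), []byte(cookieState)) != 1 {
		return "", errors.New("state missing or mismatched; do not exchange the code")
	}
	if q.Get("code") == "" {
		return "", errors.New("authorization code missing")
	}
	return q.Get("code"), nil
}
```

The callback query from the issue (`code=...&state=https%3A%2F%2Flocalhost%2F`) verifies only when the stored value is the decoded `https://localhost/`; a callback with no state, or with someone else's state, is rejected before any token request is made.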