
Token Endpoint should respond with nocache headers #145

Closed
gobengo opened this issue Nov 17, 2015 · 1 comment

gobengo commented Nov 17, 2015

Per OAuth2:

The authorization server MUST include the HTTP "Cache-Control"
   response header field [RFC2616] with a value of "no-store" in any
   response containing tokens, credentials, or other sensitive
   information, as well as the "Pragma" response header field [RFC2616]
   with a value of "no-cache".

And OIDC:

All Token Responses that contain tokens, secrets, or other sensitive information MUST include the following HTTP response header fields and values:

   Header Name      Header Value
   Cache-Control    no-store
   Pragma           no-cache

But oic.oic.provider:Provider.token_endpoint does not set these headers. While I'm using 0.7.6, it also looks like the latest master branch is the same in this regard.

In my Provider subclass, I created a decorator for token_endpoint to enforce this. Others may find it useful.

import functools

from oic.oic.provider import Provider

# HTTP headers required with successful token responses, per OAuth2 Spec
# https://tools.ietf.org/html/rfc6749#section-5.1
OAUTH2_NOCACHE_HEADERS = (
    ('Pragma', 'no-cache'),
    ('Cache-Control', 'no-store'),
)


def nocache_if_successful_token_response(token_endpoint):
    """
    Decorate Provider.token_endpoint to ensure compliance with
    https://tools.ietf.org/html/rfc6749#section-5.1
    by adding nocache response headers if needed
    """
    @functools.wraps(token_endpoint)
    def wrapped(*args, **kwargs):
        response = token_endpoint(*args, **kwargs)
        return _ensure_token_response_nocache(response)
    return wrapped


def _ensure_token_response_nocache(response,
                                   required_headers=OAUTH2_NOCACHE_HEADERS):
    """
    Ensure a given token response has the no-cache headers that it is required
    to have per the OAuth2 Spec. This mutates the provided response. :(

    The authorization server MUST include the HTTP "Cache-Control"
    response header field [RFC2616] with a value of "no-store" in any
    response containing tokens, credentials, or other sensitive
    information, as well as the "Pragma" response header field [RFC2616]
    with a value of "no-cache".

    :param response:
    :type response: oic.utils.http_util:Response
    :rtype: oic.utils.http_util:Response
    """
    successful = (response.status == '200 OK')
    contains_sensitive_info = ('"access_token"' in response.message)
    if not (successful and contains_sensitive_info):
        # Doesn't need cache headers
        return response
    # Materialize the names as a set: a generator would be exhausted after the
    # first membership test, making every later header look missing.
    # Header names are case-insensitive, so compare them lowercased.
    existing_headers = {h.lower() for h, v in response.headers}
    for header, value in required_headers:
        # Only set headers if they weren't already set
        if header.lower() not in existing_headers:
            response.headers.append((header, value))
    return response


class MyProvider(Provider):
    @nocache_if_successful_token_response
    def token_endpoint(self, *args, **kwargs):
        return super(MyProvider, self).token_endpoint(*args, **kwargs)

I'm not in a position to make a tested PR right away, but will strive to upstream some things like this once my subclass is polished a bit.
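As an added example, not code from this issue or from pyoidc: an audit function that checks whether a token response carries the headers quoted above. It keys off the JSON body fields rather than the status code (the RFC text covers any response containing tokens), compares header names case-insensitively, and treats Cache-Control as a directive list, so a value like "no-cache, no-store" still satisfies the requirement. The field names and header pairs are taken from the quoted specs; the function and sample responses are constructed here.

```python
import json

# Body fields whose presence makes a token response "sensitive" (constructed
# list drawn from the OAuth2 / OIDC token response formats).
SENSITIVE_FIELDS = ("access_token", "refresh_token", "id_token")


def _directives(value):
    """Split a header value such as 'no-cache, no-store' into lowercase directives."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def missing_nocache_headers(headers, body):
    """Return the requirements a token response fails to meet (empty list = OK).

    headers: iterable of (name, value) pairs, the shape oic's Response.headers uses
    body:    response body as str or bytes; parsed as JSON when possible
    Responses without any sensitive field (e.g. an error response) need nothing.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict) or not any(k in payload for k in SENSITIVE_FIELDS):
        return []
    # Header names are case-insensitive; merge directives per lowercased name so a
    # header sent twice is still evaluated as a whole.
    found = {}
    for name, value in headers:
        found.setdefault(name.lower(), set()).update(_directives(value))
    problems = []
    if "no-store" not in found.get("cache-control", set()):
        problems.append("Cache-Control must include no-store")
    if "no-cache" not in found.get("pragma", set()):
        problems.append("Pragma must be no-cache")
    return problems


if __name__ == "__main__":
    # Constructed sample: a successful token response with only a content type.
    sample_headers = [("Content-Type", "application/json")]
    sample_body = '{"access_token": "constructed", "token_type": "Bearer"}'
    for problem in missing_nocache_headers(sample_headers, sample_body):
        print(problem)
```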

@decentral1se decentral1se added this to the P1: MUST milestone Feb 21, 2017
@tpazderka tpazderka self-assigned this Dec 13, 2017
tpazderka added a commit that referenced this issue Dec 13, 2017

gobengo commented Jan 1, 2018

Props to @tpazderka !

andrewkrug pushed a commit to mozilla-iam/pyoidc that referenced this issue Jun 6, 2019