Skip to content

Do not block third-party cookies from reaching auth handlers #793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 28, 2018
Merged

Do not block third-party cookies from reaching auth handlers #793

merged 1 commit into from
Sep 28, 2018

Conversation

@RubenVerborgh
Copy link
Contributor

@RubenVerborgh RubenVerborgh commented Sep 27, 2018

This might fix logout from third-party origins.

@RubenVerborgh
Allow session to reach auth handlers.
4d0c094 
Otherwise, third-party origins cannot log the user out.
@RubenVerborgh RubenVerborgh added this to the 5.0.0 milestone Sep 27, 2018
@RubenVerborgh RubenVerborgh self-assigned this Sep 27, 2018
@RubenVerborgh RubenVerborgh mentioned this pull request Sep 27, 2018
Closed
RubenVerborgh
RubenVerborgh commented Sep 27, 2018
View reviewed changes
lib/create-app.js
}
next()
})
})
Copy link
Contributor Author

@RubenVerborgh RubenVerborgh Sep 27, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The blocking code used to be before the auth handlers, so third-party auth requests would never reach those handlers.

RubenVerborgh
RubenVerborgh commented Sep 27, 2018
View reviewed changes
lib/create-app.js
req.session.save = done => done()
}
next()
})
Copy link
Contributor Author

@RubenVerborgh RubenVerborgh Sep 27, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By moving the code after the auth handlers (but still before the LDP handlers), we ensure that third-party origins can log you out.

kidehen
kidehen reviewed Sep 28, 2018
View reviewed changes
Copy link

@kidehen kidehen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@RubenVerborgh ,

Confirming that this fix resolves the OIDC Identity Provider (OP) part of this "/logout" matter.
I've successfully logged in and out of:

[1] https://drive.verborgh.org -- but this only tests our server (which has the fix) functioning as the OP since your pod is a Relying Party (RP)
[2] https://solid.openlinksw.com:8444 -- our server in OP and RP modes

Thus, if you upgrade https://solid.community we will have a second OP for verifying this fix.

@RubenVerborgh
Copy link
Contributor Author

RubenVerborgh commented Sep 28, 2018

Thanks!

@RubenVerborgh RubenVerborgh merged commit d256943 into develop Sep 28, 2018
@RubenVerborgh RubenVerborgh deleted the fix/allow-external-logout branch September 28, 2018 12:09
@RubenVerborgh
Copy link
Contributor Author

RubenVerborgh commented Sep 28, 2018

Upgraded https://solid.community/ and https://solidtest.space/.

@kidehen
Copy link

kidehen commented Sep 28, 2018

@RubenVerborgh ,

Confirming that both https://solid.community and https://solidtest.space now pass the login and logout tests while operating as OIDC Identity Providers (OP or Idps).

We are done, finally!

@RubenVerborgh
Copy link
Contributor Author

RubenVerborgh commented Sep 28, 2018

Thanks @kidehen for your help, patience, and persistence!

@kidehen kidehen mentioned this pull request Oct 1, 2018
Closed
kidehen
kidehen reviewed Oct 2, 2018
View reviewed changes
Copy link

@kidehen kidehen left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This introduces regression at the Authorization Level i.e. The server now rejects authorizations in other places :(

Tue, 02 Oct 2018 13:13:22 GMT solid:authentication Rejecting session for https://kidehen2.solid.openlinksw.com:8444/profile/card#me from https://kidehen3.solid.openlinksw.com:8444

Tue, 02 Oct 2018 13:53:47 GMT solid:authentication Rejecting session for https://smalinin.solid.openlinksw.com:8444/profile/card#me from https://kidehen.solid.openlinksw.com:8444

The issue above goes away when we roll back the fix, and repeating the Authorization tests using our server.

Code diff:

-      if (!argv.host.allowsSessionFor(userId, origin)) {
+     if (req.path !== '/logout' && req.path !== '/goodbye' && !argv.host.allowsSessionFor(userId, origin)) {

@RubenVerborgh
Copy link
Contributor Author

RubenVerborgh commented Oct 2, 2018
edited
Loading

This introduces regression at the Authorization Level

Regression compared to 4.1.4 or compared to your fix?
If I understand correctly, it seems to be the latter.

So then there must be more cases still that need handling.

Can you create an issue with a request that fails?

@RubenVerborgh
Copy link
Contributor Author

RubenVerborgh commented Oct 2, 2018
edited
Loading

The server now rejects authorizations in other places

This might actually be intended behavior, depending on the details. See #526.

@kidehen
Copy link

kidehen commented Oct 2, 2018

@RubenVerborgh ,

Current setup, following downgrade:

OIDC Relying Party:

npm list @solid/oidc-rp
solid-server@4.1.4 /home/smalinin/node-solid-server-oidc
├─┬ @solid/oidc-auth-manager@0.16.4 (git+https://github.com/OpenLinkSoftware/oidc-auth-manager.git#045a256fb75040d8206bf0bb7ad034b725260dad)
│ └─┬ @solid/solid-multi-rp-client@0.4.4
│   └── @solid/oidc-rp@0.8.0  deduped
├─┬ @solid/solid-auth-oidc@0.3.0
│ └── @solid/oidc-rp@0.8.0 
└─┬ solid-auth-client@2.2.6 (git+https://github.com/OpenLinkSoftware/solid-auth-client.git#a68512b8a73780c00a0b1a7dedcf041f439e4b9a)
  └── @solid/oidc-rp@0.8.0  deduped

OIDC Provider

npm list @solid/oidc-op
solid-server@4.1.4 /home/smalinin/node-solid-server-oidc
├─┬ @solid/oidc-auth-manager@0.16.4 (git+https://github.com/OpenLinkSoftware/oidc-auth-manager.git#045a256fb75040d8206bf0bb7ad034b725260dad)
│ └── @solid/oidc-op@0.4.0  deduped
└── @solid/oidc-op@0.4.0}

/cc @smalinin @cblakeley

@kjetilk
Copy link
Member

kjetilk commented Oct 2, 2018

BTW, if we are targetting it for NSS 5, it should be based on the v5.0.0 branch. We can release it as a point or minor release too, and we're working on that, in which case it is OK with develop, but then it should be in the ASAP on Server project. :-)

@kidehen
Copy link

kidehen commented Oct 2, 2018
edited
Loading

@kjetilk ,

Ideally, this has to be pre NSS 5.0. Why? Because Authorization is currently broken i.e., you can Authenticate, but Authorization doesn't reflect what's described in ACLs.

Put differently, the baseline interop across pods is currently broken.

I cannot write to @RubenVerborgh's pod despite what's in the RWWCrew acl. You can try this yourself too, then repeat using my pods (which work).

@kjetilk
Copy link
Member

kjetilk commented Oct 2, 2018

Yeah, it is fine with me, I'll transfer it to the other project.

@kjetilk
Copy link
Member

kjetilk commented Oct 2, 2018

Oh, reading the backlog in more detail, please create another issue on this, since this one is an already merged PR.

This was referenced Oct 2, 2018
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smalinin smalinin Awaiting requested review from smalinin

1 more reviewer

@kidehen kidehen kidehen left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@RubenVerborgh RubenVerborgh

Labels

authentication bug

Projects

None yet

Milestone

5.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@RubenVerborgh @kidehen @kjetilk