enhancement: same site strict cookies (#8716)

To enhance the security of our application and prevent Cross-Site Request Forgery (CSRF) attacks, we have updated the
SameSite attribute of the build in Identity Provider (IDP) cookies to Strict.

changelog/unreleased/enhancement-strict-same-site-cookie.md

@@ -0,0 +1,12 @@
+Enhancement: Make IDP cookies same site strict
+
+To enhance the security of our application and prevent Cross-Site Request Forgery (CSRF) attacks, we have updated the
+SameSite attribute of the build in Identity Provider (IDP) cookies to Strict.
+
+This change restricts the browser from sending these cookies with any cross-site requests,
+thereby limiting the exposure of the user's session to potential threats.
+
+This update does not impact the existing functionality of the application but provides an additional layer of security
+where needed.
+
+https://github.com/owncloud/ocis/pull/8716

go.mod

@@ -57,7 +57,7 @@ require (
 	github.com/justinas/alice v1.2.0
 	github.com/leonelquinteros/gotext v1.5.3-0.20230317130943-71a59c05b2c1
 	github.com/libregraph/idm v0.4.1-0.20231213140724-56a222fb4215
-	github.com/libregraph/lico v0.61.2
+	github.com/libregraph/lico v0.61.3-0.20240322112242-72cf9221d3a7
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/mna/pigeon v1.2.1
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826

go.sum

@@ -1618,8 +1618,8 @@ github.com/leonelquinteros/gotext v1.5.3-0.20230317130943-71a59c05b2c1 h1:k56sFO
 github.com/leonelquinteros/gotext v1.5.3-0.20230317130943-71a59c05b2c1/go.mod h1:AT4NpQrOmyj1L/+hLja6aR0lk81yYYL4ePnj2kp7d6M=
 github.com/libregraph/idm v0.4.1-0.20231213140724-56a222fb4215 h1:Yw/I6l/0S/zDq2Hnibvwy8cVLpMaBwDe0aUSv/FNU6U=
 github.com/libregraph/idm v0.4.1-0.20231213140724-56a222fb4215/go.mod h1:h/B7mB5OqrsrobydErMGewHxonYDKjGOaJsFabXyRo8=
-github.com/libregraph/lico v0.61.2 h1:sU8eQ2E9Uq5wnTkD33YX5+gRj59MkPLgDVoB72L1q8w=
-github.com/libregraph/lico v0.61.2/go.mod h1:TgZGBAYzVRQSRdBC8PgGQKjYhtXuTr6UCM3ZZyGTleQ=
+github.com/libregraph/lico v0.61.3-0.20240322112242-72cf9221d3a7 h1:fcPgiBu7DGyGeokE0Qk+S+GW/3n+QWu1dIjw0TqadhI=
+github.com/libregraph/lico v0.61.3-0.20240322112242-72cf9221d3a7/go.mod h1:TgZGBAYzVRQSRdBC8PgGQKjYhtXuTr6UCM3ZZyGTleQ=
 github.com/libregraph/oidc-go v1.0.0 h1:l2tE/EwLyLXVy0B5BuVKgIFX9pNpz/5J3x5IBw0KEhc=
 github.com/libregraph/oidc-go v1.0.0/go.mod h1:7TRHrY/H1Vg6JqFjV0oAe1+kN+mGFBqXYvclSyvhRyc=
 github.com/linode/linodego v0.25.3/go.mod h1:GSBKPpjoQfxEfryoCRcgkuUOCuVtGHWhzI8OMdycNTE=

services/idp/pkg/backends/cs3/bootstrap/cs3.go

@@ -25,6 +25,7 @@ import (
 	"github.com/libregraph/lico/identifier"
 	"github.com/libregraph/lico/identity"
 	"github.com/libregraph/lico/identity/managers"
+
 	cs3 "github.com/owncloud/ocis/v2/services/idp/pkg/backends/cs3/identifier"
 )
 
@@ -88,12 +89,18 @@ func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
 	activeIdentifier, err := identifier.NewIdentifier(&identifier.Config{
 		Config: config.Config,
 
-		BaseURI:         config.IssuerIdentifierURI,
-		PathPrefix:      bs.MakeURIPath(bootstrap.APITypeSignin, ""),
-		StaticFolder:    config.IdentifierClientPath,
-		LogonCookieName: "__Secure-KKT", // Kopano-Konnect-Token
-		ScopesConf:      config.IdentifierScopesConf,
-		WebAppDisabled:  config.IdentifierClientDisabled,
+		BaseURI:        config.IssuerIdentifierURI,
+		PathPrefix:     bs.MakeURIPath(bootstrap.APITypeSignin, ""),
+		StaticFolder:   config.IdentifierClientPath,
+		ScopesConf:     config.IdentifierScopesConf,
+		WebAppDisabled: config.IdentifierClientDisabled,
+
+		LogonCookieName:     "__Secure-KKT", // Kopano-Konnect-Token
+		LogonCookieSameSite: config.CookieSameSite,
+
+		ConsentCookieSameSite: config.CookieSameSite,
+
+		StateCookieSameSite: config.CookieSameSite,
 
 		AuthorizationEndpointURI: fullAuthorizationEndpointURL,
 		SignedOutEndpointURI:     fullSignedOutEndpointURL,

services/idp/pkg/config/config.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"context"
+	"net/http"
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/shared"
 )
@@ -112,6 +113,7 @@ type Settings struct {
 
 	CookieBackendURI string
 	CookieNames      []string
+	CookieSameSite   http.SameSite
 
 	AccessTokenDurationSeconds        uint64 `yaml:"access_token_duration_seconds" env:"IDP_ACCESS_TOKEN_EXPIRATION" desc:"'Access token lifespan in seconds (time before an access token is expired).'" introductionVersion:"pre5.0"`
 	IDTokenDurationSeconds            uint64 `yaml:"id_token_duration_seconds" env:"IDP_ID_TOKEN_EXPIRATION" desc:"ID token lifespan in seconds (time before an ID token is expired)." introductionVersion:"pre5.0"`

services/idp/pkg/config/defaults/defaultconfig.go

@@ -1,6 +1,7 @@
 package defaults
 
 import (
+	"net/http"
 	"path/filepath"
 	"strings"
 
@@ -64,6 +65,7 @@ func DefaultConfig() *config.Config {
 			ValidationKeysPath:                "",
 			CookieBackendURI:                  "",
 			CookieNames:                       nil,
+			CookieSameSite:                    http.SameSiteStrictMode,
 			AccessTokenDurationSeconds:        60 * 5,            // 5 minutes
 			IDTokenDurationSeconds:            60 * 5,            // 5 minutes
 			RefreshTokenDurationSeconds:       60 * 60 * 24 * 30, // 30 days