feat!: Replace bearer with cookie-based authentication #1587
Good improvements in regards to XSS protection and a more stable authentication system. I have some comments which we should implement before merging.
Codecov Report
Attention: Patch coverage is

@@ Coverage Diff @@
##            main    #1587      +/-   ##
==========================================
+ Coverage   81.12%   83.97%   +2.85%
==========================================
  Files         191      184       -7
  Lines        6215     6086     -129
  Branches      692      673      -19
==========================================
+ Hits         5042     5111      +69
+ Misses       1027      827     -200
- Partials      146      148       +2
Breaking Changes

For Administrators

- The `providers` abstraction in the `values.yaml` was removed. This means that the `providers` field that supported `azure` or `oauth` as values has been removed and instead of `oauth.xy` or `azure.xy`, `xy` is used directly (e.g. instead of `oauth.endpoints.wellKnown` it's `endpoints.wellKnown`).
- The `well-known` endpoint is now a required configuration value and must be defined in `endpoints.wellKnown`. As a result of reading all endpoints from the well-known endpoint, the `endpoints.token_issuance` endpoint has been removed. The `endpoints.authorization` endpoint can still be used to overwrite the authorization endpoint from the well-known configuration. It's needed for the OAuth mock; in most of the cases you can omit it.
- The `usernameClaim` configuration was removed. Instead, a more fine-grained mapping is available. If you want to have the same behaviour as it was before the update, set `idpIdentifier` and `username` to the previous value of `usernameClaim`.

For API Users

- The `/api/v1/users/{id}/roles` route has been removed. Use the new PATCH `/api/v1/users/{id}` route and pass the new role as attribute in the payload.
- The `/api/v1/users` endpoint requires a new attribute `idp_identifier` in the payload.
- `/api/v1/sessions/{session_id}/connection` returns the cookies as header (`Set-Cookie`) instead of an attribute in the payload.

Description
Generalized Authentication Provider
Until now the CCM had two types of authentication providers, namely Azure and OAuth. This distinction is no longer necessary because by implementing support for OIDC providers in general, we are also including Azure. Therefore, this PR merges both providers into one generalized provider.
Security Improvements
Previously, the CCM stored the identity token and the refresh token in a variable in the front-end authentication service. However, because the CCM is a single-page application, the client has access to the code, and storing these values as service variables is vulnerable to XSS attacks. The new approach now stores both tokens as secure, httponly, and samesite=strict cookies, which means that they are only appended to secure http requests, i.e., https, that they are automatically appended to all requests to endpoints that match a defined domain and path, and that there is no way to access the cookies from javascript.
In addition, we now use three different security options/parameters that are supported and recommended in OIDC.
First, we use a state parameter generated in the backend and validated by the frontend to protect against Cross-Site Request Forgery (CSRF) attacks. This is achieved by only requesting a token exchange from the backend if the state returned by the OIDC provider exists in local storage. Theoretically, this is still vulnerable to a combination of XSS and CSRF attacks, but as mentioned in the OWASP Cross-Site Request Forgery Prevention Cheat Sheet, this is a typical problem.
Second, we use a nonce parameter that is generated in the backend and passed to the OIDC provider, which then includes the value directly in the identity token. Then, when the backend receives the identity token during the token exchange, we validate that the nonce contained in the token matches the generated nonce.
Finally, we also use the Proof of Key Code Exchange (PKCE) extension to the OAuth/OIDC authorization code flow, where we generate a code verifier, append a hashed version of the code verifier, called the code challenge, and the hash method, called the code challenge method, to the initial authentication URL, and then send the generated code verifier during the token exchange. The OIDC provider then validates that the code challenge is equal to the hash of the sent code verifier. By using PKCE, we protect against Authorization Code Interception Attacks and we already comply with the OAuth 2.1 requirement to use PKCE.
We also removed the custom implementation of a keystore previously found in `keystore.py` and switched to a JWK client implementation provided by the same library used to validate the JWT tokens. This not only removes a lot of code, but also increases security by using a well-known open source implementation.

Removal of the ngx-cookie Package

Previously, we set session cookies in the frontend using the `ngx-cookie` package. This PR removes that package and now also sets the session cookies via set-cookie headers from the backend.
TODOs

- Remove the `keystore.py` file and replace it by the pyjwt `PyJWKClient` as seen in pyjwt oidc login flow
- `SameSite` attribute to `strict` or `lax`. For more information, see Same site cookie attribute prevents CSRF attacks.
- `users/current` endpoint and the navigation bar is not displayed. The problem here is that the endpoint is called before the `/tokens` endpoint is called or its request has finished, so there is no identity token set yet.
- `/{user_id}/role` route as breaking change and mention the new patch `/{user_id}` route

Potential follow-up issues

- Move the `nonce` and `code_verifier` from the frontend to a proper backend session using redis. We can then also move the `state` back to the backend and add the `redirecTo` to the backend session object. This should further improve security as we are not exposing any information to the frontend that could be used for an attack.

Resolves #1596, Resolves #1592
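The state, nonce and PKCE checks described under Security Improvements, as an added example that is not code from this pull request or the CCM: the backend mints the three values for the authorization request, the callback verifies `state`, the ID token's `nonce` is compared after signature verification, and the provider-side S256 recomputation from RFC 7636 is shown for completeness. The endpoint URL, client id and redirect URI used in the test are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Added example, not CCM code: state, nonce and PKCE (S256, RFC 7636) as plain functions.

def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def start_login(authorization_endpoint: str, client_id: str, redirect_uri: str):
    """Backend first leg: mint state/nonce/code_verifier; return URL and the values to keep."""
    kept = {
        "state": secrets.token_urlsafe(32),                   # validated by the frontend on callback
        "nonce": secrets.token_urlsafe(32),                   # must reappear inside the ID token
        "code_verifier": _b64url(secrets.token_bytes(32)),    # 43 chars, sent only at token exchange
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": kept["state"],
        "nonce": kept["nonce"],
        "code_challenge": code_challenge_s256(kept["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}", kept

def state_matches(expected_state: str, returned_state: str) -> bool:
    """CSRF check on the callback, in constant time."""
    return hmac.compare_digest(expected_state.encode(), returned_state.encode())

def nonce_matches(id_token_claims: dict, expected_nonce: str) -> bool:
    """Run after signature verification: the ID token must carry the nonce we minted."""
    returned = id_token_claims.get("nonce")
    return isinstance(returned, str) and hmac.compare_digest(returned.encode(), expected_nonce.encode())

def provider_accepts_verifier(code_challenge: str, method: str, code_verifier: str) -> bool:
    """What the provider does at the token endpoint: recompute the challenge and compare."""
    return method == "S256" and hmac.compare_digest(code_challenge, code_challenge_s256(code_verifier))
```

The first assertion in the test uses the verifier/challenge pair from RFC 7636 Appendix B, so the challenge function can be checked against a published value.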