use only User-Agent header for state browser fingerprinting by default

as cloud environments increasingly use dynamic proxy IPs in front Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
OpenIDC · Oct 31, 2023 · f127c0f · f127c0f
1 parent f9a5250
commit f127c0f
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,7 +2,9 @@
 - add capability to seamlessly rollover OIDCCryptoPassphrase using a (temporary) 2nd value that holds the old one
 - bump to 2.4.15rc1
 - remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
-
+- use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
+  as cloud environments increasingly use dynamic proxy IPs in front
+
 10/30/2023
 - do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected
   see https://github.com/OpenIDC/mod_auth_openidc/discussions/1132; thanks @esunke

diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -1028,10 +1028,9 @@
 # The optional authenticate_on_error flag sends the user for authentication when the refresh fails.
 #OIDCRefreshAccessTokenBeforeExpiry <seconds> [logout_on_error | authenticate_on_error]
 
-# Defines whether the value of the User-Agent and X-Forwarded-For headers will be used as the input
-# for calculating the fingerprint of the state during authentication.
-# When not defined the default "both" is used.
-#OIDCStateInputHeaders [none|user-agent|x-forwarded-for|both]
+# Defines which headers will be used as the "state" input for calculating the fingerprint of the browser
+# during authentication. When not defined the default "user-agent" is used.
+#OIDCStateInputHeaders [user-agent|x-forwarded-for|both|none]
 
 # Define one or more regular expressions that specify URLs (or domains) allowed for post logout and
 # other redirects such as the "return_to" value on refresh token requests, the "login_uri" value

diff --git a/src/config.c b/src/config.c
@@ -161,7 +161,7 @@
 /* define the default number of seconds that the access token needs to be valid for; -1 = no refresh */
 #define OIDC_DEFAULT_REFRESH_ACCESS_TOKEN_BEFORE_EXPIRY -1
 /* default setting for calculating the fingerprint of the state from request headers during authentication */
-#define OIDC_DEFAULT_STATE_INPUT_HEADERS (OIDC_STATE_INPUT_HEADERS_USER_AGENT | OIDC_STATE_INPUT_HEADERS_X_FORWARDED_FOR)
+#define OIDC_DEFAULT_STATE_INPUT_HEADERS OIDC_STATE_INPUT_HEADERS_USER_AGENT
 /* default prefix of the state cookie that binds the state in the authorization request/response to the browser */
 #define OIDC_DEFAULT_STATE_COOKIE_PREFIX "mod_auth_openidc_state_"
 /* default x-forwarded-* headers to be interpreted */