This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SAML2: email validation links from auth0 sometimes fail and give a confusing error #6893

Closed
richvdh opened this issue Feb 11, 2020 · 3 comments
Labels
z-bug (Deprecated Label)

Comments

@richvdh
Member

richvdh commented Feb 11, 2020

Steps to reproduce:

  • Have a homeserver that authenticates against an auth0 instance via SAML2.
  • When authenticating, follow auth0's authentication flow to register with a new email address; this will lead auth0 to send a validation email
  • Wait for the link in that email to expire (alternatively: try to use it twice)
  • Observe an error that looks like this:

[image: screenshot of the error page]

@richvdh
Member Author

richvdh commented Feb 11, 2020

What seems to be happening here is that auth0 redirects to /_matrix/saml2/authn_response with an error encoded as a URI fragment, for example https://example.com/_matrix/saml2/authn_response#error=unauthorized&error_description=Wrong%20email%20or%20verification%20code.&state=<encoded state>.

This isn't a legitimate thing to do in SAML2: I think that sending errors back in URI fragments is an OAuth2 thing, so this seems to be mainly auth0's fault. To mitigate it, we could serve a static page with javascript that displays the error information.

(The fact that synapse claims only to support HEAD is #6894)

@richvdh richvdh added z-bug (Deprecated Label) z-p2 (Deprecated Label) labels Feb 17, 2020
@ara4n
Member

ara4n commented Mar 6, 2020

This is biting a significant number of people - perhaps everyone who tries to auth via email:

https://www.reddit.com/r/firefox/comments/fdplxc/moznet_irc_is_dead_long_live_mozilla_matrix/fjldxdi/
https://news.ycombinator.com/item?id=22492150

etc.

I'm unconvinced that it's only affecting expired/invalid links.

@ara4n ara4n changed the title SAML2: clicking on invalid/expired email validation links from auth0 gives a confusing error SAML2: email validation links from auth0 sometimes fail and give a confusing error Mar 6, 2020
@ara4n ara4n added p1 and removed z-p2 (Deprecated Label) labels Mar 6, 2020
@babolivier babolivier self-assigned this Mar 9, 2020
@babolivier
Contributor

It looks to me like Auth0 has quite a few failure modes when using passwordless auth, each of which has a different behaviour. For example, if the token has expired, then you get the same thing except the error is passed as a query parameter (e.g. https://example.com/_matrix/saml2/authn_response?error=unauthorized&error_description=Wrong%20email%20or%20verification%20code.&state=<encoded state>).

Therefore, for now, we're going with a configurable HTML file that tells users "oops, something went wrong", and that they should go back to their Matrix client and try to authenticate again. This was done in #7058, so I'm going to close this issue.

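The kind of page script babolivier describes, as an added example that is not Synapse's own code: it pulls `error` and `error_description` out of either the URI fragment (richvdh's case) or the query string (babolivier's case) and writes them into the page with `textContent` rather than `innerHTML`, so that a redirect carrying a crafted description cannot inject markup. The element id `saml-error` and the sample `state` value are assumptions.

```javascript
// Added example (not Synapse's code): recover an auth0-style error from the
// redirect URL, whether it arrived as "#error=..." or as "?error=...".
// Uses the WHATWG URL / URLSearchParams globals available in browsers and Node.

function parseAuthError(urlString) {
  const url = new URL(urlString);
  // Check the fragment first, then fall back to the query string.
  const candidates = [url.hash.replace(/^#/, ''), url.search.replace(/^\?/, '')];
  for (const raw of candidates) {
    if (!raw) continue;
    const params = new URLSearchParams(raw); // percent-decodes each value
    const error = params.get('error');
    if (error !== null) {
      return {
        error,
        description: params.get('error_description') || '',
        state: params.get('state') || '',
      };
    }
  }
  return null; // no error parameter in either location
}

function errorMessage(info) {
  // Plain text only: the caller assigns this to textContent, never innerHTML,
  // so whatever auth0 (or anyone) put in error_description stays inert.
  const advice = 'Please go back to your Matrix client and try to sign in again.';
  if (!info) return `Something went wrong during sign-in. ${advice}`;
  const detail = info.description ? `: ${info.description}` : '';
  return `Sign-in failed (${info.error}${detail}). ${advice}`;
}

// Browser entry point; skipped when the file is loaded outside a page.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const box = document.getElementById('saml-error') || document.body; // assumed id
  box.textContent = errorMessage(parseAuthError(window.location.href));
}
```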
babolivier added a commit that referenced this issue Mar 11, 2020
Also add some JS to it to process any error we might have in the URI
(see #6893).
phil-flex pushed a commit to phil-flex/synapse that referenced this issue Apr 15, 2020
Also add some JS to it to process any error we might have in the URI
(see matrix-org#6893).
3 participants