IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

Problems with form-action CSP behind load balancer #1854

Closed twenzel closed 6 years ago

twenzel commented 6 years ago

This issue is similar to #1811. After upgrading from 2.0.3 to 2.0.4 the callback to the client is broken with

Refused to send form data to 'http://tesmar4-qa.chg-meridian.com/' because it violates the following Content Security Policy directive: "form-action https://tesmar4-qa.chg-meridian.com".

The problem is that no configuration says that http should be used. Everything should be running on https.

The response header of the callback page (https://xy.com/connect/authorize/callback?client_id=tesma&redirect_uri=https%3A%2F%2Ftesmar4-qa.xy.com%2Fsignin-oidc&response_mode=form_post&response_type=code%20id_token&scope=openid%20leaseService%20documentService%20assetService%20masterdataService%20datacontext&state=OpenIdConnect.AuthenticationProperties%3D0HwTJ...)

defines the following CSP (Content-Security-Policy): default-src 'none'; frame-ancestors https://tesmar4-qa.chg-meridian.com; form-action https://tesmar4-qa.chg-meridian.com; script-src 'sha256-VuNUSJ59bpCpw62HM2JG/hCyGiqoPN3NqGvNXQPU+rY=';

The callback page returns the correct HTML:

<form method='post' action='https://tesmar4-qa.chg-meridian.com/signin-oidc'><input type='hidden' name='code' value='fe8cbe360aef6e2b5f4fb4f10bf3f1dd954eddcf30d503681894bdc6e8189b63' />
<input type='hidden' name='id_token' value='ey...' />
<input type='hidden' name='scope' value='openid datacontext leaseService documentService assetService masterdataService' />
<input type='hidden' name='state' value='OpenIdConnect.AuthenticationProperties=0HwTJ...' />
<input type='hidden' name='session_state' value='TNH2qF4vQwLxUBFdcdOLaYkebWTC1NT5iV6yZts_HwY.73d9d792d4cdc5fc98bb636c1e6cda48' />
</form><script>(function(){document.forms[0].submit();})();</script>

What might be the root of this issue is that we're running behind a load balancer doing SSL offloading. Therefore we already set the PublicOrigin and IssuerUri options to the public URL.

I guess the bugfix #1748 (which introduced the form-action CSP) might be a problem. I can reproduce it with Chrome (64).

gterdem commented 6 years ago

I'm the author of #1811. After publishing, we're having the same issue, where it works fine on localhost. We too run behind a load balancer.

Refused to send form data to 'https://abc.edu.tr/connect/authorize?client_id=sabis.adabis.mvc&redirect_uri=https%3A%2F%2Fadabismvc.sakarya.edu.tr%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20offline_access&response_mode=form_post&nonce=636487535314992627.M2YzNDAzYTMtNzg5YS00MzIwLTkyYjQtMjk5NDY3MmQ5YmMxZGYyYjk2ZDQtYjQ2ZS00N2E2LTllYWQtYjkyYjdhNDhmNTU0&state=CfDJ8KEMmXMUTTpNhx0xZPiKaIbS1v2vzr_t_InIpmYv6VXUUeH76kZoTj9seLB-kEd4OznfO8BTZUgI9EmY-XlOXDJbZEMAc8-c4DzuTckGCf3J6wr_8Ix4vEraiZeLUXSupVdvC3oV8VT7NkC0p4pdQO2MzfvUhm6QLDavzdMwXVlD2uJGifkTcVnPhod0f_Ahc_pfRVqL9k-bAnkPVaZoFfjM8pPg1dZsbo-gFYtsUS5HmH6Uq7dd8XRY1WFNdkPXVcSreWEQxUbgXyzcV1dUu59e-CODSUu_vU8nHvF_VoAK4nGiSsj4xn21KbwiJibDSBUDgO0yC8vyF7qHlbzd020b5IpaHvc-ukHK9ZhJ9jM6&x-client-SKU=ID_NET&x-client-ver=2.1.4.0' because it violates the following Content Security Policy directive: "form-action https://adabismvc.sakarya.edu.tr".

callback response header:

Content-Security-Policy:default-src 'none'; frame-ancestors https://adabismvc.sakarya.edu.tr; form-action https://adabismvc.sakarya.edu.tr; script-src 'sha256-VuNUSJ59bpCpw62HM2JG/hCyGiqoPN3NqGvNXQPU+rY=';

And this is identityserver:

<PackageReference Include="IdentityServer4" Version="2.0.3" />

I still couldn't check client logs but not sure if I'll find the solution there.

zapatodefuego commented 6 years ago

We've also been running into this issue in IdentityServer4 2.0.5 and 2.0.4, though through a different workflow. CSP is blocking the redirect to RedirectUrl after successfully logging in with no load balancer or other infrastructure in place. For a temporary workaround (before realizing we could just downgrade) we found that if we enabled the consent screen (RequiresConsent=true), everything worked fine and the issue was avoided.

As for the actual error, this is what we get:

Refused to send form data to 'http://localhost:64062/' because it violates the following Content Security Policy directive: "form-action http://localhost:5000".

Downgrading to IdentityServer4 2.0.3 fixes the issue.
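Both reports above are the browser's `form-action` source matching rejecting the submission target: in the first case the scheme differs (an http:// target against an https:// source expression), in the second the port differs (64062 against 5000). The following is an added example, not code from the IdentityServer project or from any participant in this thread: a simplified JavaScript model of the CSP Level 3 source-expression matching a browser applies to `form-action` (scheme, host and port; path matching and hash/nonce sources are left out as a simplification). The page origin `https://xy.com` used for the first case is assumed; the CSP headers and target URLs are the ones quoted in the error messages. One caveat for anyone debugging this behind a reverse proxy: Chrome applies `form-action` to the redirects that follow a form submission as well as to the form's own action attribute, so a client that answers the POST with an http:// redirect (because the proxy terminated TLS and the app built an absolute URL from the internal scheme) trips an https-only `form-action` even when the HTML action was https, which is consistent with the https action in the reporter's HTML and the http:// URL in the error.

```javascript
// Added example (not IdentityServer code): a simplified model of how a browser
// evaluates the CSP `form-action` directive against a form's target URL,
// following the CSP Level 3 rules for scheme, host and port. Path matching and
// hash/nonce sources are omitted as simplifications of this demo.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Split a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// CSP lets an https: URL satisfy an http: expression (upgrade), never the reverse.
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === "http:" && urlScheme === "https:") return true;
  if (exprScheme === "ws:" && urlScheme === "wss:") return true;
  return false;
}

// Does one source expression ("https://example.com", "'self'", "https:",
// "*.example.com:8080") match url? pageOrigin is the origin of the page that
// carried the CSP header.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === "*") return true;
  if (expr.startsWith("'")) return false;              // hash/nonce sources never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {            // scheme-source, e.g. "https:"
    return schemeMatches(expr.toLowerCase(), url.protocol);
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Scheme: the expression's own, or the page's scheme when the expression has none.
  const exprScheme = scheme ? scheme.toLowerCase() + ":" : new URL(pageOrigin).protocol;
  if (!schemeMatches(exprScheme, url.protocol)) return false;
  // Host: exact match, or a "*.example.com" wildcard for subdomains.
  const h = host.toLowerCase(), uh = url.hostname.toLowerCase();
  if (h.startsWith("*.") ? !uh.endsWith(h.slice(1)) : h !== uh) return false;
  // Port: an explicit port must match; no port means the default port for the URL's scheme.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port === "*") return true;
  if (port !== undefined) return port === urlPort;
  return urlPort === (DEFAULT_PORTS[url.protocol] || "");
}

// Evaluate form-action for a form posting to actionUrl from a page at pageOrigin.
// Returns { allowed, directive } so the caller can see which directive decided.
function formActionAllowed(cspHeader, actionUrl, pageOrigin) {
  const sources = parseCsp(cspHeader)["form-action"];
  // form-action does NOT fall back to default-src: no directive means no restriction.
  if (!sources) return { allowed: true, directive: null };
  const url = new URL(actionUrl);
  const allowed = sources.some((expr) => sourceMatches(expr, url, pageOrigin));
  return { allowed, directive: "form-action " + sources.join(" ") };
}

// Demo: the two situations reported in this thread (pageOrigin https://xy.com is assumed).
const idsrvCsp = "default-src 'none'; frame-ancestors https://tesmar4-qa.chg-meridian.com; " +
  "form-action https://tesmar4-qa.chg-meridian.com; " +
  "script-src 'sha256-VuNUSJ59bpCpw62HM2JG/hCyGiqoPN3NqGvNXQPU+rY='";
// Scheme mismatch: an http:// target against an https:// expression is refused.
console.log(formActionAllowed(idsrvCsp, "http://tesmar4-qa.chg-meridian.com/", "https://xy.com"));
// The https:// action in the reporter's HTML would have been allowed.
console.log(formActionAllowed(idsrvCsp, "https://tesmar4-qa.chg-meridian.com/signin-oidc", "https://xy.com"));
// Port mismatch: the login-page case, form-action http://localhost:5000 vs a post to port 64062.
console.log(formActionAllowed("form-action http://localhost:5000", "http://localhost:64062/", "http://localhost:5000"));
```

Run it with `node` to see the three results; the first and third come back with `allowed: false`, matching the two "Refused to send form data" messages, and the second with `allowed: true`.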

brockallen commented 6 years ago

@zapatodefuego

Refused to send form data to 'http://localhost:64062/' because it violates the following Content Security Policy directive: "form-action http://localhost:5000".

This tells me your CSP is on the login page, right? Did you happen to update it to the latest CSP we issue in the quickstart UI? https://github.com/IdentityServer/IdentityServer4/blob/release/src/Host/Quickstart/SecurityHeadersAttribute.cs

brockallen commented 6 years ago

I have removed the form-action that was added in the 2.0.4 release. Can you test against the myget feed that contains our dev builds? http://docs.identityserver.io/en/release/intro/packaging.html

Thanks.

brockallen commented 6 years ago

Actually, to make it easier to test we pushed a 2.0.6-preview1 to NuGet. Have a look, please.

Dixtosa commented 6 years ago

I have upgraded the identity server from 2.0.5 to 2.0.6-preview1 and the error is gone. Though I am still puzzled as to why this has been happening to me, I will describe my case FWIW. We did not have a load balancer.

Puzzling fact #1: The error only appeared if the client application hit my OnRemoteFailure event, which redirected to the Home page like this: context.HandleResponse(); context.Response.Redirect("/Home");

Puzzling fact #2: All the header values were equal to those when no error occurred.

P.S. Firefox had been ignoring the error and just redirected.

P.P.S. I used OnRemoteFailure for unrelated nonce cookie handling.

brockallen commented 6 years ago

I have seen odd behaviors in Chrome when there are several redirects involved and it seems like the CSP from the last visible and rendered page is what's honored.

twenzel commented 6 years ago

With the 2.0.6-preview1 version the error is gone.

MuhammadAqibAli commented 6 years ago

@twenzel I have the same issue with version 2.2.0.

eyupalemdar commented 6 years ago

I don't want to open a new issue, so I wrote here. I am facing the same problem too with IdentityServer4.AccessTokenValidation (version 2.6.0).

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.