achedeuzot / ueberauth_auth0

Auth0 OAuth2 strategy for Überauth.
https://hexdocs.pm/ueberauth_auth0
MIT License

No state param being sent / passed back to the callback endpoint, or handled in the callback handler #15

Closed arcseldon closed 3 years ago

arcseldon commented 6 years ago

Great library - thank you for sharing this.

Have written a couple of Auth0 Samples, and the Regular Web App utilises the library. Please see here:

Auth0 Elixir Regular Web App

Auth0 Elixir Single Page App

A concern I have for Regular Web apps using this library today, is that I do not see any handling of a state parameter in either the handle request or the handle callback logic.

It is imperative with Code Authorization Grant flow that a state param is used in conjunction with Auth0 implementations in order to avoid phishing or replay attacks against the callback endpoint. Can read about state param here.

Please can you advise whether the ueberauth strategy will easily support this without additional code changes to your library, or whether you would consider adjusting your request and callback logic to support the state param - if you wish to make its usage optional for your library, that would be sufficient. See that the ueberauth library references callback_params here but not familiar yet with its internals. As a strategy, can you hook into that?

It is a best practice to always include a state param - but not necessarily compulsory as an OAuth2 implementation requirement. Thanks, and be great to hear your thoughts.
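As an added example (not code from this issue, the Auth0 samples or the ueberauth_auth0 library), here is the state handling the post above asks for, written for a Phoenix controller: a fresh, unguessable value is stored in the session before the redirect to `/authorize`, and the callback compares the returned `state` against that session copy exactly once. Module, function and session key names are hypothetical; it assumes the controller's pipeline has already fetched the session (`Plug.Conn.fetch_session/2`). A constant state, or none at all, gives no protection against a forged callback, which is why the value is random per request and cleared after one check.

```elixir
# Added example (not from the ueberauth_auth0 library): generating a state
# value before the authorize redirect and checking it in the callback.
# Module, function and session key names are hypothetical; assumes a Phoenix
# controller whose pipeline has already fetched the session.
defmodule MyAppWeb.OAuthState do
  import Plug.Conn

  @session_key :oauth2_state
  # 32 random bytes -> 43 URL-safe characters; not guessable by an attacker
  @state_bytes 32

  @doc "Generate a fresh, unguessable state value."
  def generate do
    @state_bytes
    |> :crypto.strong_rand_bytes()
    |> Base.url_encode64(padding: false)
  end

  @doc """
  Store a new state in the session and return it so the caller can append
  `state=...` to the Auth0 /authorize URL.
  """
  def issue(conn) do
    state = generate()
    {put_session(conn, @session_key, state), state}
  end

  @doc """
  Compare the `state` sent back to the callback with the one in the session.
  The session copy is always cleared, so a value can be checked only once
  (an old callback URL cannot be replayed).
  """
  def verify(conn, %{"state" => returned}) when is_binary(returned) do
    expected = get_session(conn, @session_key)
    conn = delete_session(conn, @session_key)

    cond do
      is_nil(expected) -> {:error, :no_state_in_session, conn}
      # constant-time comparison; a plain == leaks timing information
      Plug.Crypto.secure_compare(expected, returned) -> {:ok, conn}
      true -> {:error, :state_mismatch, conn}
    end
  end

  # No state parameter at all: treat the callback as forged or truncated.
  def verify(conn, _params) do
    {:error, :state_missing, delete_session(conn, @session_key)}
  end
end

# Usage inside a controller (hypothetical names; YOUR_DOMAIN is a placeholder):
#
#   def request(conn, _params) do
#     {conn, state} = MyAppWeb.OAuthState.issue(conn)
#     redirect(conn, external: "https://YOUR_DOMAIN.auth0.com/authorize?...&state=#{state}")
#   end
#
#   def callback(conn, params) do
#     case MyAppWeb.OAuthState.verify(conn, params) do
#       {:ok, conn} -> exchange_code_for_tokens(conn, params)
#       {:error, reason, conn} -> conn |> put_status(403) |> text("invalid state: #{reason}")
#     end
#   end
```

The callback rejects on any of three conditions (no state in the session, no state in the query, or a mismatch) and returns the updated `conn` in every branch so the cleared session is always written back.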

sobolevn commented 6 years ago

@arcseldon thanks! That indeed needs to be implemented. We have something similar in another ueberauth strategy.

And about making it optional or not, I really like to enforce best practices and security features. @sntran what do you think?

@arcseldon Are you wishing to contribute?

arcseldon commented 6 years ago

@sobolevn - Thanks for your reply and offer to get the state added. Longer term, I would def. be interested in staying close to this library and being a contributor. If you can take care of this change in interim that would be ideal. Several developers at Auth0 really like Phoenix / Elixir & OTP and we are gradually introducing its usage on appropriate projects. The next step for us is to convert the samples linked above into official QuickStarts for Elixir available from our Dashboard. Since the Regular App has a dependency on this library, its usage shall likely increase - we have had quite a few quickstart suggestions of late for an Elixir option hence the timing. So definitely grateful for the community support you and @sntran have provided with this library. Hope you'll be happy to continue maintaining it too, and like I say, for sure Auth0 (myself) will be able to offer some support!

sobolevn commented 6 years ago

@arcseldon oh, nice to meet you. I am an Auth0 ambassador myself. It is also nice to hear that Auth0 likes Elixir/Phoenix.

Ok, I will add this feature to my priority list. Let's say it would be this weekend.

arcseldon commented 6 years ago

@sobolevn - great to hear - sure Auth0 would be happy to send you and @sntran some swag too ;)

sntran commented 6 years ago

Hi there. Sorry for the late response. Personally, this is not just an OAuth implementation, but a strategy specific to Auth0, so I'd make it a default, but let the user turn it off if needed.

arcseldon commented 6 years ago

@sntran @sobolevn - what would be the best way to communicate with you re general conversations. Slack / email etc? Like to ask a few questions, not convinced github issues is the best approach for that.

sntran commented 6 years ago

Email would be the best way for me, as I can't handle too many channels (Slack, Gitter, Keybase, Hangout, etc...). I do understand that it won't be immediate. In that case, I can do whatever @sobolevn prefers.

arcseldon commented 6 years ago

Here are a few quick fire clarifications please.

First question - do you have github repo etc with a sample application using this library?

Secondly, I'd be interested to know more regarding how to send additional params with the authorize request to Auth0. For instance, how would I specify specific set of scopes?

eg.

```
audience=organise
scope=openid profile email offline_access read:contacts read:calendar
```

See here that it inspects the query params from the connection (conn) object. But in my sample, seemingly have little control over this.

tried doing something like:

```html
<h4>You are not logged in! Please <a href="/auth/auth0?audience%3Dorganise%26scope%3Dopenid%20profile%20email%20offline_access%20read%3Acontacts%20read%3Acalendar%0A
```

The resultant call to Auth0 did not contain any of those extra params.

The AuthController I am using does not define an explicit action method for the request.

Here is my router set up for AuthController

and here is the AuthController implementation

Notice, only have logout and callback actions defined. Do you have an example of overriding the request?

I tried with router `get "/:provider", AuthController, :request` and then a custom function in AuthController

```elixir
  # Phoenix.Controller.redirect/2 only accepts local paths under :to and
  # raises on absolute URLs; an off-site redirect needs :external.
  # Spaces inside the scope list are percent-encoded for the Location header.
  def request(conn, _params) do
    conn
    |> redirect(external: "https://demonstration.auth0.com/authorize?response_type=code&client_id=j4GnxkfxO7rfa7Y5d3TCfoqSAGDAXCOF&redirect_uri=http://app1.com:3000/callback&audience=organise&state=30f00710-853a-412e-820b-a4299684df4f&scope=openid%20profile%20email%20offline_access%20read:contacts%20read:calendar")
  end
```

But it never gets invoked ?!

Thirdly, how do I gain access to the returned Access Token directly?

For instance, wish to use it to call an external API. Does ueberauth have a standard session storage path? Eg. access_token = get_session(conn, :access_token) etc. See here that there is a credentials function - does that hook into ueberauth as a strategy hook ? Is there a standard way to query for that Credentials struct.

Thanks for any quick insights, and apologies if some of these questions could have been better thought through - am coming up to speed with Elixir OTP and Phoenix rapidly, yet a long way to go.

What I shall commit to is writing some tests, and beefing up the README for the library over time, referencing existing working samples that use this library to illustrate how it works from an end-user perspective.

arcseldon commented 6 years ago

@sntran - awesome. Can you email at richard.seldon@auth0.com just so i have your email for ref. In meantime, I have put my immediate questions above. Really grateful if you can offer some insights. I am planning a company presentation on Phoenix (an internal tech talk) this evening.

arcseldon commented 6 years ago

For the request override, I had also referenced here as a sample pattern.

sntran commented 6 years ago

@arcseldon I'm actually on the road so I won't be able to give you an answer until tomorrow. We probably need to poke @sobolevn :P

arcseldon commented 6 years ago

Thanks. tomorrow (your time) may work :) It is 9 am ish here in Tokyo, Japan atm - Weds, 31st Jan.

sobolevn commented 6 years ago

@arcseldon sorry for being late with the answers, but it was night hours here in Russia (Moscow in particular, fun fact: there are 16 timezones in Russia)

Answers:

  1. Yes, we do have an example. Check it out: https://github.com/sobolevn/phoenix_auth0
  2. Here's an example on how to provide extra scope parameters in the config: https://github.com/sntran/ueberauth_auth0/blob/master/lib/ueberauth/strategy/auth0.ex#L17
  3. You can access auth_token via conn.private.auth0_token, like we do it here: https://github.com/sntran/ueberauth_auth0/blob/master/lib/ueberauth/strategy/auth0.ex#L102

Feel free to email me if you do have any questions (my email is listed in my profile). Or you can find me in Auth0Ambassadors slack.
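Answer 3 above points at the strategy's private `conn.private.auth0_token`. The portable way to reach the same token from application code is the `Ueberauth.Auth` struct that the `Ueberauth` plug places in `conn.assigns.ueberauth_auth` once the strategy's callback has run. The following is an added example (not code from the phoenix_auth0 sample, this issue or the library): a callback action that handles the failure assign, reads `auth.credentials.token`, and keeps it in the session so a later action can call an external API with it. Module names and session keys are hypothetical.

```elixir
# Added example (not from the phoenix_auth0 sample or ueberauth_auth0): a
# Phoenix callback action that reads the access token Überauth puts in
# conn.assigns.ueberauth_auth. Module and session key names are hypothetical.
defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller
  plug Ueberauth

  alias Ueberauth.Auth

  # Überauth runs the strategy callback before this action. A failed
  # exchange (bad code, provider error) lands in :ueberauth_failure.
  def callback(%{assigns: %{ueberauth_failure: fails}} = conn, _params) do
    reasons = Enum.map_join(fails.errors, ", ", & &1.message)

    conn
    |> put_flash(:error, "Login failed: " <> reasons)
    |> redirect(to: "/")
  end

  # A successful exchange lands in :ueberauth_auth with credentials filled in.
  def callback(%{assigns: %{ueberauth_auth: %Auth{} = auth}} = conn, _params) do
    conn
    |> put_session(:access_token, auth.credentials.token)
    |> put_session(:token_expires_at, auth.credentials.expires_at)
    |> put_session(:current_user, %{id: auth.uid, email: auth.info.email})
    # rotate the session id at login so a pre-login id cannot be fixated
    |> configure_session(renew: true)
    |> redirect(to: "/")
  end

  def logout(conn, _params) do
    conn
    |> configure_session(drop: true)
    |> redirect(to: "/")
  end

  # Any later action (or a plug) can fetch the token for an outbound API call.
  def api_token(conn), do: get_session(conn, :access_token)
end
```

Storing the token in the session keeps it server-side (with the default cookie store it is signed, and with `encryption_salt` configured also encrypted); handing it to the browser as a plain cookie or in a query string would expose it to logs and scripts.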

arcseldon commented 6 years ago

@sobolevn - Superb - thanks for the comprehensive reply. Ok, makes sense and looks like I was on the right track - unclear why the request action on AuthController was not being invoked based on your sample - the reference sample you provided is very helpful in doing comparisons. Thanks again for clarifying the above.

sntran commented 6 years ago

@arcseldon as for modifying the scopes on the fly, it does take the scope in the param of the request.

I tested it with /auth/auth0?audience=organise&scope=openid%20profile%20email%20offline_access%20read:contacts%20read:calendar and it transfers them to Auth0 request.

achedeuzot commented 4 years ago

Hi @arcseldon !

After some time without many maintainers, I've taken the role of maintaining this package. In the latest version (0.7.0), you'll see that it now supports the state parameter.

Feel free to continue the discussion or close the ticket if everything is OK now.

Best regards,

achedeuzot commented 3 years ago

Following the latest release using ueberauth 0.7.0, the state parameter is now used by the ueberauth library. I'm therefore closing this ticket.