An application allowing users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base. This repository contains the REST API service for storing, querying, and editing ATT&CK objects.
The Issue
Requests sent to the GET /api/authn/oidc/callback endpoint must include the cookie which identifies the server-side session for the user. Currently, requests that are missing this cookie result in a 500 Internal Error response. The server log shows the message:
[ERROR] catch all: Error: did not find expected authorization request details in session, req.session["oidc:localhost"] is undefined
This error occurs because the OIDC library expects to find the server-side session data that was created during the initial call to start the OIDC login process (GET /api/authn/oidc/login). The server-side session is identified by a cookie sent with the request, and when the cookie is absent from the call to the callback endpoint, the REST API creates a new session instead of accessing the one from the initial request.
The missing cookie can occur if the server can be accessed using two different domain names, the client accesses the Workbench app using the first domain name, but the OIDC configuration (set using the AUTHN_OIDC_REDIRECT_ORIGIN environment variable) includes the second domain name. The browser then stores the cookie under the first domain name and sends it with requests to hosts with that domain name, but not with requests to hosts with the second domain name.
The Fix
The REST API should identify requests to the OIDC callback endpoint that do not include the session identifier and send a suitable response, instead of a 500 Internal Error response.
The documentation for configuring OIDC should be updated to emphasize the importance of using the same domain name as the one used when accessing the Workbench app.
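One way to implement the first part of the fix, as an added example that is not code from attack-workbench-rest-api: a guard in front of the callback handler that turns a missing login session into a clear 4xx response (and, when the callback arrived at a host other than the configured redirect origin, names the mismatch) instead of letting the OIDC library throw. It assumes express-session's default cookie name `connect.sid`, a per-issuer state key shaped like the `oidc:localhost` key in the log message, and that the redirect origin is passed in from AUTHN_OIDC_REDIRECT_ORIGIN.

```javascript
// Added example (not the project's own code). Decides how the OIDC callback should
// respond when the session created by GET /api/authn/oidc/login is not present.

// Minimal Cookie header parser so the example runs without cookie-parser.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) jar[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Returns { ok: true } when the pending login state is in the session, otherwise a
// 400 with a reason the operator can act on. Option names below are assumptions.
function checkOidcCallback(req, opts) {
  const { sessionCookieName = 'connect.sid', stateKey = 'oidc:localhost', redirectOrigin } = opts || {};
  const headers = req.headers || {};
  const cookies = parseCookies(headers.cookie);
  const hasSessionCookie = Object.prototype.hasOwnProperty.call(cookies, sessionCookieName);
  const hasLoginState = Boolean(req.session && req.session[stateKey]);
  if (hasLoginState) return { ok: true, status: 200 };

  let reason = hasSessionCookie
    ? 'session holds no pending OIDC login; start at GET /api/authn/oidc/login'
    : 'no session cookie was sent with the OIDC callback';
  // Surface the domain mismatch described in the issue: the cookie was stored for the
  // host the user typed, but the callback landed on the host in the redirect origin.
  if (redirectOrigin && headers.host) {
    const expectedHost = new URL(redirectOrigin).host;
    if (headers.host !== expectedHost) {
      reason += `; callback reached host ${headers.host} but AUTHN_OIDC_REDIRECT_ORIGIN is ${expectedHost}`;
    }
  }
  return { ok: false, status: 400, body: { error: 'OIDC callback without a valid login session', reason } };
}

// Express-style middleware wrapper: mount before the OIDC callback handler.
function oidcCallbackGuard(opts) {
  return function (req, res, next) {
    const result = checkOidcCallback(req, opts);
    if (result.ok) return next();
    res.status(result.status).json(result.body);
  };
}
```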