ether / ep_openid_connect

Etherpad plugin to authenticate users against an OpenID Connect provider

500 Error when embedding in another site #5

Closed alexeisenhart closed 3 years ago

alexeisenhart commented 3 years ago

Hello! I'm using this plugin to authenticate with Azure Active Directory. It works perfectly if I navigate directly to my Etherpad public URL, but I get a 500 error if I try to load a page in another website that is embedding a pad. The other website is also authenticated to the same AAD.

Is there some sort of cross site issue happening perhaps?

Just in case this is not the best way to attack the problem, my goal is to secure the Etherpad site and only interact with the admin panel (for basic maintenance), embed a pad via an iframe in another site (and continue to track edits to a user), and to use the Web API to get and set a pad's HTML. If there was another secure strategy, I can move away from using AAD in Etherpad.

Here's how I'm embedding:

<iframe class="etherpad" style="width:100%; height:720px" src='@Model.Document.Url?showChat=false&showLineNumbers=true'></iframe>

AAD is set up to redirect to /ep_openid_connect/callback.

On the client side, loading the pad fails with a 500 error to my-azure-site.com/ep_openid_connect/callback?code={code here}&state={state here}&session_state={session state here}

Here are the server side logs:

[2021-04-13 16:03:15.448] [DEBUG] ep_openid_connect - Processing /ep_openid_connect/callback?code={code here}&state={state here}&session_state={session state here}
[2021-04-13 16:03:15.464] [DEBUG] SessionStore - SET 3oNV_K07DfvLaswbYAqFpvSJVCCgSErz
[2021-04-13 16:03:15.479] [ERROR] console - Error: no authentication paramters found in session state
    at C:\home\site\wwwroot\node_modules\ep_openid_connect\index.js:55:37
    at C:\home\site\wwwroot\node_modules\ep_openid_connect\index.js:72:7
    at Layer.handle [as handle_request] (C:\home\site\wwwroot\node_modules\ep_etherpad-lite\node_modules\express\lib\router\layer.js:95:5)
    at next (C:\home\site\wwwroot\node_modules\ep_etherpad-lite\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (C:\home\site\wwwroot\node_modules\ep_etherpad-lite\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (C:\home\site\wwwroot\node_modules\ep_etherpad-lite\node_modules\express\lib\router\layer.js:95:5)
    at C:\home\site\wwwroot\node_modules\ep_etherpad-lite\node_modules\express\lib\router\index.js:281:22
    at Function.process_params (C:\home\site\wwwroot\node_modules\ep_etherpad-lite\node_modules\express\lib\router\index.js:335:12)
    at next (C:\home\site\wwwroot\node_modules\ep_etherpad-lite\node_modules\express\lib\router\index.js:275:10)
    at checkAccess (C:\home\site\wwwroot\node_modules\ep_etherpad-lite\node\hooks\express\webaccess.js:124:41)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
[2021-04-13 16:03:15.495] [DEBUG] ueberDB - SET    - sessionstorage:3oNV_K07DfvLaswbYAqFpvSJVCCgSErz - {"cookie":{"path":"/","_expires":null,"originalMaxAge":null,"httpOnly":true,"sameSite":"Lax","secure":true}} - to database
alexeisenhart commented 3 years ago

Logged in the client console:

Summary
GET https://sitename.azurewebsites.net/ep_openid_connect/callback?code={code}&state=&session_state={session state}#
[HTTP/1.1 500 Internal Server Error 331ms]

GET
    https://sitename.azurewebsites.net/ep_openid_connect/callback?code={code}&state={state}&session_state={session state}
Status 500
Internal Server Error
Version HTTP/1.1
Transferred 512 B (75 B size)
Referrer Policy strict-origin-when-cross-origin

Response Headers

    HTTP/1.1 500 Internal Server Error
            Content-Length: 75
            Content-Type: text/html
            ETag: W/"2a-TMqDHQ8miTnhfLD0CaBhSfNzQC8"
            Server: Microsoft-IIS/10.0
            Set-Cookie: express_sid={value}; Path=/; HttpOnly; Secure; SameSite=Lax
            X-Powered-By: Express
            X-UA-Compatible: IE=Edge,chrome=1
            Referrer-Policy: same-origin
            X-Powered-By: ASP.NET
            Date: Tue, 13 Apr 2021 16:03:15 GMT

Request Headers

    GET /ep_openid_connect/callback?code={code}&state={state}&session_state={session state}# HTTP/1.1
            Host: sitename.azurewebsites.net
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
            Accept-Language: en-US,en;q=0.5
            Accept-Encoding: gzip, deflate, br
            Connection: keep-alive
            Cookie: token={token}; ARRAffinity={value}; ARRAffinitySameSite={value}
            Upgrade-Insecure-Requests: 1
            Cache-Control: max-age=0
alexeisenhart commented 3 years ago

I'm debugging the plugin code. The login request does not have the same session as the callback request. So processing the callback fails because the authParams are not available.

alexeisenhart commented 3 years ago

I tried a naive solution: login caches the authParams in an array and callback performs a lookup based on the state, then updates the session's authParams... but that led to a redirection issue.

alexeisenhart commented 3 years ago

After a lot of debugging and testing, I discovered the sameSite property in settings.json. The default is "sameSite": "Lax". Changing this to "sameSite": "None" seems to have fixed my iframe embedding issue.

Closing this item. May it help someone in the future.

jonasfs commented 10 months ago

In case anyone got here for the same reason I did, you also get a similar behavior if you're running "sameSite": "None" without https (as mentioned in the documentation, the cookie will not be properly set on Etherpad).

In this particular case leaving it on "Lax" solved the issue for me.
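The two outcomes in this thread ("sameSite": "None" fixes the iframe case, but only over HTTPS; on plain http "Lax" is the one that works) both come down to when the browser stores and sends the express_sid session cookie between the login request and the callback. The following is an added JavaScript model, not code from ep_openid_connect or Etherpad; the browser rules are simplified and all session ids, state values and the session store are constructed for the illustration:

```javascript
// Added illustration, not code from ep_openid_connect or Etherpad: a simplified
// model of the browser's SameSite rules, showing why the OIDC callback 500s in
// a cross-site iframe with "sameSite": "Lax" and why "None" needs HTTPS.

// Does the browser store the Set-Cookie at all? SameSite=None requires Secure,
// and a Secure cookie is dropped when the page is served over plain http.
function cookieAccepted(cookie, env) {
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  if (cookie.secure && !env.https) return false;
  return true;
}

// Is a stored cookie attached to a request? Lax cookies ride along only on
// same-site requests or top-level GET navigations; a pad loaded in an iframe
// on another site is a cross-site, non-top-level context, so Lax stays home.
function cookieSent(cookie, req) {
  if (!req.crossSite || cookie.sameSite === 'None') return true;
  if (cookie.sameSite === 'Lax') return req.topLevel && req.method === 'GET';
  return false; // Strict: never sent cross-site
}

// One login round trip: /ep_openid_connect/login stores state and nonce in
// the session and sets express_sid; the IdP redirects back to /callback,
// which must find the same session again or it cannot validate the response.
function simulateLoginFlow(cookie, env, embeddedInIframe) {
  const sessions = new Map();   // server-side session store (constructed)
  const jar = new Map();        // browser cookie jar (constructed)
  const req = { crossSite: embeddedInIframe, topLevel: !embeddedInIframe, method: 'GET' };

  // login request: new session with authParams, Set-Cookie: express_sid
  const sid = 'sid-' + Math.random().toString(36).slice(2, 10);
  const state = 'state-' + sid.slice(4);
  sessions.set(sid, { authParams: { state, nonce: 'nonce-demo' } });
  if (cookieAccepted(cookie, env)) jar.set('express_sid', sid);

  // callback request carries the cookie only if the SameSite rules allow it;
  // otherwise the server sees a fresh session with no authParams (the 500).
  const presented = cookieSent(cookie, req) ? jar.get('express_sid') : undefined;
  const session = presented ? sessions.get(presented) : undefined;
  if (!session || !session.authParams) {
    return { status: 500, error: 'no authentication parameters found in session state' };
  }
  if (session.authParams.state !== state) return { status: 401, error: 'state mismatch' };
  return { status: 200, sessionId: presented };
}
```

Each call returns the status the callback would produce for that cookie setting, transport and embedding context, so the four cases from the thread can be compared side by side.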