greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0
1.46k stars, 72 forks

breakfix: samesite strict makes redirect wrong #365

Open Gunni opened 2 days ago

Gunni commented 2 days ago

Describe the issue

When samesite is set to strict, the redirect back is wrong despite authentication being successful.

https://login.microsoftonline.com/kmsi (status 200) redirects me to https://subdomain.example.com/auth/saml/azure (status 303)

https://subdomain.example.com/auth/saml/azure (status 303) redirects me to https://subdomain.example.com/auth/portal (status 302)

https://subdomain.example.com/auth/portal (status 302) redirects me to https://subdomain.example.com/auth/login (status 200) where I end up

If the user then modifies the URL to go to https://subdomain.example.com/ or https://subdomain.example.com/auth/whoami, he can observe that he is actually authenticated despite the redirect being wrong.

But without samesite strict, e.g. lax, I stop on /auth/portal.

Expected behavior

I am using subdomain.example.com, it should just work despite samesite being strict, right?
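The redirect chain above can be replayed against the browser's SameSite rules to see why Strict lands on /auth/login while Lax stops at /auth/portal. This is an added illustration, not code from the issue or from caddy-security; it assumes the RFC 6265bis rule that a request is same-site only if every URL in its redirect chain is same-site with the target, models every request as a top-level navigation, and uses a placeholder cookie name.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Registrable domain, simplified to the last two host labels (enough for these hosts)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Cookie:
    name: str
    samesite: str  # "Strict", "Lax" or "None"


def cookie_attached(cookie: Cookie, target: str, chain: list[str], method: str) -> bool:
    """Decide whether a browser attaches `cookie` to a top-level navigation to `target`.

    `chain` is every URL seen so far in this navigation (initiator plus redirects).
    RFC 6265bis: same-site only if *every* URL in the chain is same-site with the
    target; Lax additionally allows cross-site top-level navigations with a safe method.
    """
    same_site = all(site_of(u) == site_of(target) for u in chain)
    if cookie.samesite == "Strict":
        return same_site
    if cookie.samesite == "Lax":
        return same_site or method in ("GET", "HEAD")
    return True  # SameSite=None (must also be Secure)


def login_flow(samesite: str) -> str:
    """Replay the chain from the issue and return where the user ends up."""
    session = Cookie("session", samesite)  # placeholder name, not the plugin's real cookie
    chain = ["https://login.microsoftonline.com/kmsi"]     # IdP posts the SAML response ...
    acs = "https://subdomain.example.com/auth/saml/azure"  # ... to the ACS, which sets the cookie
    chain.append(acs)                                       # and answers 303 -> /auth/portal
    portal = "https://subdomain.example.com/auth/portal"
    if cookie_attached(session, portal, chain, "GET"):
        return portal                                       # portal sees the session: stop here
    return "https://subdomain.example.com/auth/login"       # no cookie: bounced to the login form


def manual_visit(samesite: str) -> bool:
    """User later types a same-site URL: a fresh same-site chain, so the cookie is sent."""
    session = Cookie("session", samesite)
    whoami = "https://subdomain.example.com/auth/whoami"
    return cookie_attached(session, whoami, [whoami], "GET")
```

The cross-site origin of the chain (the IdP) is what strips the Strict cookie from the follow-up GET to /auth/portal; a typed same-site URL starts a new chain, which is why /auth/whoami shows the user as authenticated.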

greenpau commented 2 days ago

@Gunni , could it be that you have redirect url configured for your azure enterprise application?

Gunni commented 11 hours ago

> @Gunni , could it be that you have redirect url configured for your azure enterprise application?

Yes I believe it is set to https://subdomain.example.com/auth/saml/azure, which I would expect would redirect to https://subdomain.example.com/auth/portal or https://subdomain.example.com/, right?