Issuer no longer working

mozilla-iam / federated-aws-rp

DEPRECATED. Federated AWS RP is an AWS API Gateway and Lambda OpenID Connect (OIDC) Relying Party (RP) to allow users to log into the AWS Management Console with their federated identity using Single Sign On. This is no longer used by Mozilla SSO/IAM as of September 15th, 2023.

Mozilla Public License 2.0

3 stars 3 forks source link

Issuer no longer working #20

Open gene1wood opened 4 years ago

gene1wood commented 4 years ago

It looks like somethings happened and the issuer value that we pass, which should tell AWS where to send the user after their session expires, isn't working any more.

When I return to a session after 12 hours, I get redirected to https://signin.aws.amazon.com/signin instead of the URL passed in the issuer value

Here's an example of a URL that federated-aws-rp sends me to which should set the issuer.

https://signin.aws.amazon.com/federation?Action=login&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome&SigninToken=XXXXREDACTEDXXXX&Issuer=https%3A%2F%2Faws.sso.mozilla.com%2F%3Faccount%3Dinfosec-prod%26role%3DMAWS-Admin

gene1wood commented 4 years ago

This appears to fail intermittently. When it works the sequence is

User browses to https://console.aws.amazon.com/console/home
Page renders and a JS redirect is sent to https://console.aws.amazon.com/console/home?&state=hashArgs%23
This URL redirects the user to https://us-east-1.signin.aws.amazon.com/oauth?SignatureVersion=4&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=REDACTED&X-Amz-Date=2020-05-19T18%3A42%3A23.356Z&X-Amz-Signature=REDACTED&X-Amz-SignedHeaders=host&client_id=arn%3Aaws%3Aiam%3A%3A015428540659%3Auser%2Fhomepage&code_challenge=REDACTED&code_challenge_method=SHA-256&redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fstate%3DhashArgs%2523%26isauthcode%3Dtrue&response_type=code&state=hashArgs%23
- Note the client_id of arn:aws:iam::015428540659:user/homepage which is apparently an AWS account that hosts AWS's signin stuff
Finally the page with the link to the issuer is rendered

gene1wood commented 4 years ago

And here's the failure case

User browses to https://console.aws.amazon.com/console/home
Page renders and a JS redirect is sent to https://console.aws.amazon.com/console/home?&state=hashArgs%23
This URL redirects the user to the same URL as the working case
In response the https://us-east-1.signin.aws.amazon.com/oauth page responds with a 302 with the same arguments to https://signin.aws.amazon.com/oauth . This differs from the success case

This page responds with a 302 to

https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fstate%3DhashArgs%2523%26isauthcode%3Dtrue
&client_id=arn%3Aaws%3Aiam%3A%3A015428540659%3Auser%2Fhomepage
&forceMobileApp=0
&code_challenge=REDACTED
&code_challenge_method=SHA-256

which serves up the AWS user password prompt