nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
27.58k stars 4.08k forks source link

SSO/OIDC with redirect and nextcloud's form-action CSP do not play nice together #29317

Open Ramblurr opened 3 years ago

Ramblurr commented 3 years ago

How to use GitHub

Explanation

This issue is related to https://github.com/nextcloud/server/pull/16711 from @rullzer

Background: You will remember (:roll_eyes: ) that Chrome and Firefox apply the form-action CSP differently when the response to a form request is a redirect. This is currently undefined behavior and the W3C has not yet decided what to do about it. Firefox does not apply the form-action CSP, but Chrome does.

The above merged PR from @rullzer fixes the case where Nextcloud responds to the POST /login/flow request with a 303 redirect to the OIDC callback url. This is working fine.

However... what happens when the service being redirected to itself issues a redirect to a different origin (that wasn't in the original allowed form-action source list?

   ┌────────────────────────────┐
   │                            │
   │  POST   <NC>/login/flow    │
   │                            │
   └─────────────┬──────────────┘
                 │
                 │
┌────────────────▼──────────────────┐
│   303 redirect oidc callback url  │
│                                   │
└────────────────┬──────────────────┘
                 │
                 ▼
┌──────────────────────────────────┐
│    oidc service 302/3 redirect   │
│                                  │
└──────────────────────────────────┘

Well for Firefox this works just fine as it doesn't keep the form-action CSP around.

On Chrome/Edge, the "Grant Access" button just spins for a long time and if you open the console you see:

Refused to send form data to 'ORIGINAL <NC>/login/flow' because it violates the following Content Security Policy directive: "form-action 'self' https://oidc-callback-url".

The solution is to ensure that the domain for the 2nd redirect is included in the original form-action CSP.

I was able to manually add this by editing lib/public/AppFramework/Http/ContentSecurityPolicy.php and appending my extra domain to the $allowedFormActionDomains array.

I'm not sure what the proper solution is here. As a nextcloud administrator I need to have some way to allow certain domains in the form-action policy. But the workaround in the previous paragraph is NOT a good solution as it applies to every form in the application, whereas it is only required for the POST /login/flow during the oauth/oidc workflow.

Maybe the "OAuth 2.0 clients" feature should allow additional URIs?

image

Steps to reproduce

This is rather cumbersome to reproduce as you will need a third-party software authenticating to nextclouds oidc provider.

  1. Install matrix's synapse homeserver on your server
  2. Install the element web client on your server
  3. Configure synapse to support user authentication via the Nextcloud OIDC provider
  4. Attempt to login in Element to the server (via the SSO option)

Expected behaviour

The oauth login flow should complete without error

Actual behaviour

Firefox : Everything works fine

Chrome/Edge: The login flow fails after pressing the "Grant Access" button in nextcloud.

Given:

Then the POST https://nextcloud.example.com/login/flow returns 303 redirect with Location: https://matrix.example.com/_synapse/client/oidc/callback, and this also returns a 302 redirect to https://chat.example.com/something/something

So from Chrome's point of view all three domains must exist in the form-action CSP, but only the first two are included.

Server configuration

Operating system: linux

Web server: apache

Database: postgres

PHP version: 21.0.5

Nextcloud version: 21.0.5

Updated from an older Nextcloud/ownCloud or fresh install: no

Where did you install Nextcloud from: official docker image 21-apache tag

Signing status:

Signing status ``` No errors have been found. ```

List of activated apps:

App list ``` Enabled: - accessibility: 1.7.0 - activity: 2.14.3 - audioplayer: 3.2.2 - cloud_federation_api: 1.4.0 - comments: 1.11.0 - contactsinteraction: 1.2.0 - dav: 1.17.1 - discoursesso: 1.22.0 - external: 3.8.2 - federatedfilesharing: 1.11.0 - federation: 1.11.0 - files: 1.16.0 - files_external: 1.12.0 - files_pdfviewer: 2.1.0 - files_rightclick: 1.0.0 - files_sharing: 1.13.1 - files_texteditor: 2.14.0 - files_trashbin: 1.11.0 - files_versions: 1.14.0 - files_videoplayer: 1.10.0 - firstrunwizard: 2.10.0 - logreader: 2.6.0 - lookup_server_connector: 1.9.0 - mail: 1.10.5 - nextcloud_announcements: 1.10.0 - notifications: 2.9.0 - oauth2: 1.9.0 - password_policy: 1.11.0 - privacy: 1.5.0 - provisioning_api: 1.11.0 - recommendations: 1.0.0 - serverinfo: 1.11.0 - settings: 1.3.0 - sharebymail: 1.11.0 - spreed: 11.3.2 - support: 1.4.0 - survey_client: 1.9.0 - systemtags: 1.11.0 - text: 3.2.0 - theming: 1.12.0 - twofactor_backupcodes: 1.10.0 - updatenotification: 1.11.0 - user_status: 1.1.1 - viewer: 1.5.0 - weather_status: 1.1.0 - workflowengine: 2.3.1 Disabled: - admin_audit - dashboard - encryption - photos - user_ldap ```

Nextcloud configuration:

Config report ``` { "system": { "htaccess.RewriteBase": "\/", "memcache.local": "\\OC\\Memcache\\APCu", "apps_paths": [ { "path": "\/var\/www\/html\/apps", "url": "\/apps", "writable": false }, { "path": "\/var\/www\/html\/custom_apps", "url": "\/custom_apps", "writable": true } ], "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_proxies": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "***REMOVED SENSITIVE VALUE***" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "dbtype": "pgsql", "version": "21.0.5.1", "overwrite.cli.url": "REMOVED SENSITIVE VALUE", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "auth.bruteforce.protection.enabled": false, "overwriteprotocol": "https", "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpport": "587", "mail_smtpsecure": "tls", "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "skeletondirectory": "", "mail_smtpmode": "smtp", "mail_smtpauthtype": "LOGIN", "mail_sendmailmode": "smtp", "mail_smtpauth": 1, "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***", "default_language": "de", "default_locale": "de_AT", "theme": "", "loglevel": 0, "maintenance": false, "default_phone_region": "AT" } } ```

Are you using external storage, if yes which one: local + sftp

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Chrome + Firefox

Operating system: Windows + Linux + Mac

Logs

Refused to send form data to 'ORIGINAL <NC>/login/flow' because it violates the following Content Security Policy directive: "form-action 'self' https://oidc-callback-url".

sanfx commented 2 years ago

I am facing the same issue when using webview for authorization I get the same error just marginally different URL ending at grant instead of flow.

I have Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self' sis.redsys.es; frame-ancestors 'self'" set in apache2 config

and http-response set-header Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';" in haproxy .

restarted apache2 and haproxy server … still cannot go beyond Grant page.

ThisIsQasim commented 2 years ago

I was having the same issue so ended up patching the file after each deployment with a sed replace

CSP_DOMAIN=subdomain.example.com
sed -i '/protected \$allowedFormActionDomains = \[/a '\'''$CSP_DOMAIN''\'',' \
  lib/public/AppFramework/Http/ContentSecurityPolicy.php

Would be great of course if this could be added as a configurable option

szaimen commented 1 year ago

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

ThisIsQasim commented 1 year ago

Hi, I have just updated to 25.0.3 and the issue still persists.

struffel commented 1 year ago

Thanks for the explanation. Now I at least know how to work around the issue until it gets resolved.

Hellmanx commented 1 month ago

I was having the same issue so ended up patching the file after each deployment with a sed replace

CSP_DOMAIN=subdomain.example.com
sed -i '/protected \$allowedFormActionDomains = \[/a '\'''$CSP_DOMAIN''\'',' \
  lib/public/AppFramework/Http/ContentSecurityPolicy.php

Would be great of course if this could be added as a configurable option

Where do you add that patch?

Unfortunately still an issue on version 30.0.0. Causes issues with collabora over HTTPs reverse proxy