search

panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License
1.83k stars 392 forks source link

Passport strategy broken with iss in authentication request #564

Closed trombonekenny closed 1 year ago

trombonekenny commented 1 year ago

5.0.0 introduced OAuth 2.0 authorization server issuer checking which has a side effect of causing the passport strategy to process authentication requests with iss in them as if they were responses instead of requests.

This errors with a did not find expected authorization request details in session, req.session['foo'] is undefined

I believe this is happening because iss is (as of 5.0.0) listed here: https://github.com/panva/node-openid-client/blob/363c2152d125580897b394841bfc785b0cdcb054/lib/client.js#L53

which causes the if here always fails and we pass into authentication response. https://github.com/panva/node-openid-client/blob/363c2152d125580897b394841bfc785b0cdcb054/lib/passport_strategy.js#L88

To Reproduce Steps to reproduce the behaviour:

  1. Setup a passport strategy with openid-client
  2. Send an authentication request that has the iss property present

Expected behaviour I'm currently working around this by doing a delete req.body.iss in my authentication request route before calling passport.authenticate. Then it behaves like the 4.9.1 version and processes the authentication request properly.

Environment:

Additional context The draft, now RFC9207 doesn't talk about authentication requests, only responses. That leads me to believe this is a bug.

The LTI 1.3 security framework is an example of a spec that says iss is required in the third-party initiated login authentication request.

panva commented 1 year ago

The draft, now RFC9207 doesn't talk about authentication requests, only responses. That leads me to believe this is a bug.

Exactly, because this is an authorization response parameter it makes iss listed as "callback" parameter, which means when present in the query the strategy flows to the "callback" code path.

That leads me to believe this is a bug.

Why?

trombonekenny commented 1 year ago

That leads me to believe this is a bug.

Why?

Because iss can also come in via an authentication request, per the LTI spec I posted. The presence of iss doesn't necessarily mean it is an authentication response. I believe in a response, it should validate the iss like the RFC recommends. But it's presence shouldn't be used by the passport strategy to determine if the .authenticate() is processing a request or response.

trombonekenny commented 1 year ago

Thanks for the quick response! I didn't see that you'd made a patch so quickly when this closed. 😃