search

simplesamlphp / simplesamlphp-module-oidc

A SimpleSAMLphp module for OIDC OP support.
Other
46 stars 23 forks source link

Reintroduction of issue #12 #45

Closed cicnavi closed 3 years ago

cicnavi commented 4 years ago

Hi guys, thank you for your great work on SPP and its modules.

I have a fresh install of SSP 1.18.7 and I have installed the OIDC module version ^1.0. When I go to 'Federation' > 'OpenID Connect Client Registry' > 'Add client', I get the same error as in issue #12. You can find my backtrace at the bottom.

As I can see, the solution was added in commit https://github.com/rediris-es/simplesamlphp-module-oidc/commit/06847d2f631fefcd571c35e4f225f571214058c2. However, I see that, for example, the file lib/Form/Controls/CsrfProtection.php from the mentioned commit is deleted in commit https://github.com/rediris-es/simplesamlphp-module-oidc/commit/250078b75386ce4d605eaae79151f3767c58c65a. In that commit I see a note '* Fixed CsrfProtection form control', so I'm not sure about the intended fix here.

At the moment, I have changed my store type from 'phpsession' to 'sql', just so I can continue testing it locally, but this seems something that should be addressed (in production SSP instance we currently use 'phpsession' setting).

Thank you in advance and greetings from Croatia Marko I.

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Twig\Error\RuntimeError: An exception has been thrown during the rendering of a template ("Unable to set 'session.gc_maxlifetime' to value '10800' when session has been started by session.auto_start or session_start().").
Backtrace:
20 modules/oidc/templates/clients/_form.twig:73 (Twig\Template::displayBlock)
19 vendor/twig/twig/src/Environment.php(418) : eval()'d code:272 (__TwigTemplate_e86ebcbe5ef94a7489e1d12c14e3bae1d1fb3a16679da9ceb268a069fc250da1::block_contentwrapper)
18 vendor/twig/twig/src/Template.php:184 (Twig\Template::displayBlock)
17 vendor/twig/twig/src/Environment.php(418) : eval()'d code:188 (__TwigTemplate_e86ebcbe5ef94a7489e1d12c14e3bae1d1fb3a16679da9ceb268a069fc250da1::doDisplay)
16 vendor/twig/twig/src/Template.php:407 (Twig\Template::displayWithErrorHandling)
15 vendor/twig/twig/src/Template.php:380 (Twig\Template::display)
14 vendor/twig/twig/src/Environment.php(418) : eval()'d code:44 (__TwigTemplate_ddba0a60fe93730df45f5f2da020fac6678930053c9193b1c6a133bb61884e6d::doDisplay)
13 vendor/twig/twig/src/Template.php:407 (Twig\Template::displayWithErrorHandling)
12 vendor/twig/twig/src/Template.php:380 (Twig\Template::display)
11 vendor/twig/twig/src/Environment.php(418) : eval()'d code:46 (__TwigTemplate_7a4a46764482504dbc07c10c4c6317bcef6d488844a0374d8e16938d8c9dd9e3::doDisplay)
10 vendor/twig/twig/src/Template.php:407 (Twig\Template::displayWithErrorHandling)
9 vendor/twig/twig/src/Template.php:380 (Twig\Template::display)
8 vendor/twig/twig/src/Template.php:392 (Twig\Template::render)
7 vendor/twig/twig/src/TemplateWrapper.php:45 (Twig\TemplateWrapper::render)
6 vendor/twig/twig/src/Environment.php:318 (Twig\Environment::render)
5 lib/SimpleSAML/XHTML/Template.php:515 (SimpleSAML\XHTML\Template::getContents)
4 lib/SimpleSAML/XHTML/Template.php:527 (SimpleSAML\XHTML\Template::send)
3 modules/oidc/lib/Services/RoutingService.php:57 (SimpleSAML\Modules\OpenIDConnect\Services\RoutingService::call)
2 modules/oidc/www/clients/new.php:18 (require)
1 lib/SimpleSAML/Module.php:260 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)
tvdijen commented 4 years ago

I wonder about this line in the template:

https://github.com/rediris-es/simplesamlphp-module-oidc/commit/250078b75386ce4d605eaae79151f3767c58c65a#diff-3af80b223bbc63e288f3f37d4c0ea76dR39

I'm used to {%trans%}Some text to be translated{%endtrans%}

The traceback is clearly a Twig rendering-issue though, so it has nothign to do with CsrfProtection..

cicnavi commented 4 years ago

Here is the 'Caused by' line from backtrace... this time without horizontal scrolling needed :):

Caused by: Twig\Error\RuntimeError: An exception has been thrown during the rendering of a template ("Unable to set 'session.gc_maxlifetime' to value '10800' when session has been started by session.auto_start or session_start().").

tvdijen commented 4 years ago

I thanks, I had missed that.. It has nothing to do with the trans-tag then..

sgomez commented 3 years ago

The problem here is with nette/forms. It is trying to start a new session when CSRF component is rendered. It detects that a session is already started and launch the exception. The behavior of this component can't be modified. I don't know why this stopped to work, because I didn't change anything (maybe was a BC in a minor nette/form version?)

IMHO there are only ways to fix this:

When I created this module, I chose nette/form because it has less dependencies than symfony/form.

Probably symfony/form could be a proper way if we want to refactor all with symfony components, but we have the problem to store the CSRF token. symfony/security-csrf component has a dependency with symfony TokenStorageInterface. So we need a proxy between this interface and SSP Session class.

Another dependency is symfony/twig-bridge to be able to render the form with twig. This bridge add {{ form_* }} functions in templates.

All this is possible, but requires a lot of changes. And I think that this should be in SSP core instead here, that way all modules could use symfony/form to create forms with twig with a few lines.

So, I will try to fix this with the first option. In the future, if symfony/form was added to SSP core we can refactor the form.