Open zboralski opened 1 year ago
for more context this happens with Vault as the OIDC provider
Any updates on this? Do you have another self-hosted provider to recommend? All of our infrastructure uses Vault, but if we can't use it we can think of another provider for now.
hey @jnunes-tc
> Therefore, the OAuth flow should grab the state param from the GET parameter for `state`
We do read it from GET search params and then compare against the cookie state
https://github.com/temporalio/ui/blob/ce57e5792a89ac1c1f7b016c9f3c8874b99a9e07/server/server/auth/oidc.go#L66
> All of our infrastructure uses Vault, but if we can't use it we can think of another provider for now.
Keycloak is a pretty popular self-hosted OIDC provider. I only started looking into Vault's provider and haven't addressed this; it's unlikely that I have enough capacity. If you still want to use Vault, I would appreciate a contribution if you find what causes this behavior 🙏
Describe the bug
When using SSO to log in, the first attempt results in a "State cookie is not set in request" error.
The user needs to go back and click SSO again to log in successfully.
Additionally, the access token and ID token are being set as cookies, which is a potential security issue.
Request 1 fails
Response
Request 2 succeeds
Response 2
Decoded Cookie
{"AccessToken":"","IDToken":"","Name":"","Email":"","Picture":""}
To Reproduce
Steps to reproduce the behavior:
Expected behavior
SSO should log in the user on the first attempt and not set tokens as cookies.
Additional context
According to the OpenID Connect (OIDC) Core standard: "The state parameter is used to link the authentication request with the response." Therefore, the OAuth flow should grab the state param from the GET parameter for `state`, rather than relying on a cookie. Additionally, setting access and ID tokens as cookies is a potential security issue, as cookies can be stolen by malicious actors. I suggest using a more secure method for handling tokens, such as session storage or local storage.