tolgee / tolgee-platform

Developer & translator friendly web-based localization platform
https://tolgee.io

Oauth2 with Jumpcloud complains with invalid_state error #1830

Closed Thibault-Brocheton closed 1 year ago

Thibault-Brocheton commented 1 year ago

Hi !

I'm trying to set up an OAuth2 flow with the Jumpcloud provider. Jumpcloud redirects me to my website with the following HTTP URL: .../login/auth_callback/oauth2?error=invalid_state&error_description=The+state+is+missing+or+does+not+have+enough+characters+and+is+therefore+considered+too+weak.+Request+parameter+%27state%27+must+be+at+least+be+8+characters+long+to+ensure+sufficient+entropy.&state=

I read some doc about the State, this article for instance: https://medium.com/keycloak/the-importance-of-the-state-parameter-in-oauth-5419c94bef4c

Seems like something needs to be done on Tolgee side.

I found this closed PR, that seemed to try to add the State: https://github.com/tolgee/tolgee-platform/pull/1625

Does someone know if this PR would fix my issue? If yes, I could spend some time on it to make it work.

Kind Regards

cyyynthia commented 1 year ago

Hey there,

While Tolgee currently does not use the OAuth state parameter during the execution of the OAuth protocol, the proposed solutions in #1625 (and #1832) are not implementations that conform to RFC 6749 and do not properly authenticate the request. They don't provide any security benefit as-is, but would "solve" the missing state problem.

However, this is not the only problem you'll face, as the current implementation of the custom OAuth provider does expect quite a specific format of data returned by the user endpoint (see https://github.com/tolgee/tolgee-platform/issues/1471#issuecomment-1366011272).

Thibault-Brocheton commented 1 year ago

Hey @cyyynthia, I'm having a hard time reading the RFC and understanding what I should do to comply with it. May you give me more feedback on what I should do regarding the state parameter? I can make the needed changes if it doesn't take me too much time.

cyyynthia commented 1 year ago

RFCs can be a bit hard to read through, no worries haha. The problem with the proposed implementation is that the state never expires and is not managed by the client (in the context of OAuth, the client is the Tolgee server requesting the external platform authorization). Ideally, the state should not be accessible to JavaScript running in the browser (HttpOnly cookie) and should have a short lifetime to further secure the state token. It's not a critical flaw per se, and still an improvement compared to the current method, but still quite sub-par.

That being said, as I mentioned, this will not be the only problem you'll face with OAuth authentication, and you'll likely not be able to authenticate anyway, due to the server currently looking for specific, hard-coded parameters when trying to fetch user information after a successful authentication, as seen here with the sub field, which is meant to be the external account ID of the user:

https://github.com/tolgee/tolgee-platform/blob/869dfaf2ccbf43f66b5c82b03b37bde15078b02d/backend/api/src/main/kotlin/io/tolgee/security/third_party/OAuth2Delegate.kt#L71-L91
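As an added example (not Tolgee's code, and sketched in Python rather than the project's Kotlin), here is a minimal client-side state handler following the approach described above: a random state generated per login attempt, bound to the browser through a short-lived HttpOnly cookie, and checked against the state query parameter on callback. SERVER_SECRET, STATE_TTL_SECONDS and the URLs are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example; a real deployment loads them from config.
SERVER_SECRET = b"example-secret-rotate-me"
STATE_TTL_SECONDS = 300  # short lifetime, so a leaked state is useless quickly


def _sign(state, expires):
    """HMAC over state and expiry so the cookie cannot be forged or extended."""
    return hmac.new(SERVER_SECRET, f"{state}.{expires}".encode(), hashlib.sha256).hexdigest()


def begin_login(authorize_url, client_id, redirect_uri, now=None):
    """Return (redirect_url, set_cookie_header) for the start of the OAuth flow.

    The state is generated by the server acting as OAuth client and is kept in an
    HttpOnly cookie, so page JavaScript cannot read it and only this browser can
    complete the callback that carries the matching state."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)  # 43 chars, far above the 8-char minimum
    expires = int(now) + STATE_TTL_SECONDS
    cookie = f"{state}.{expires}.{_sign(state, expires)}"
    set_cookie = (f"oauth_state={cookie}; HttpOnly; Secure; SameSite=Lax; "
                  f"Max-Age={STATE_TTL_SECONDS}; Path=/login")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return authorize_url + "?" + urlencode(params), set_cookie


def verify_callback(callback_url, cookie_value, now=None):
    """Return (ok, code_or_reason). Rejects missing, tampered, expired or
    mismatching state, which covers the empty 'state=' seen in the issue."""
    now = time.time() if now is None else now
    if not cookie_value:
        return False, "no state cookie: login was not started in this browser"
    try:
        state, exp_str, mac = cookie_value.rsplit(".", 2)
        expires = int(exp_str)
    except ValueError:
        return False, "malformed state cookie"
    if not hmac.compare_digest(mac, _sign(state, expires)):
        return False, "state cookie signature mismatch"
    if now > expires:
        return False, "state expired"
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned, state):
        return False, "state parameter missing or mismatched (possible CSRF)"
    return True, query.get("code", [""])[0]
```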