trinodb / trino-gateway

https://trinodb.github.io/trino-gateway/
Apache License 2.0

Add state and nonce verification in OIDC #345

Closed oneonestar closed 1 month ago

oneonestar commented 1 month ago

Description

Fix #339
Depends on #343

Add state and nonce verification and integration test in OIDC.

Implementation details

State

Ref: https://developers.google.com/identity/openid-connect/openid-connect#server-flow

Correct implementation of OIDC:

  1. Create an anti-forgery state token (implemented by this PR using OidcCookie)
  2. Send an authentication request to Google
  3. Confirm the anti-forgery state token (implemented by this PR using state)
  4. Exchange code for access token and ID token
  5. Obtain user information from the ID token
  6. Authenticate the user

Nonce

Ref: https://openid.net/specs/openid-connect-core-1_0-17_orig.html#NonceNotes

The nonce parameter value needs to include per-session state and be unguessable to attackers. One method to achieve this for Web Server Clients is to store a cryptographically random value as an HttpOnly session cookie and use a cryptographic hash of the value as the nonce parameter. In that case, the nonce in the returned ID Token is compared to the hash of the session cookie to detect ID Token replay by third parties.

Implemented by this PR using nonce, hashNonce() and OidcCookie.

Release notes

( ) Release notes are required, with the following suggested text:

*
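The state check and the cookie-plus-hash nonce scheme described in the PR, as an added Python illustration (not trino-gateway's own Java code): `OidcCookie`, `hash_nonce`, `start_login`, `verify_callback` and `verify_id_token_nonce` are assumed names, and the ID token claims are a constructed dict rather than a signature-verified JWT.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class OidcCookie:
    """Constructed stand-in for the HttpOnly session cookie holding per-session secrets."""
    state: str
    nonce: str


def hash_nonce(raw_nonce: str) -> str:
    # The nonce sent to the provider is a hash of the cookie value, never the value itself,
    # so a leaked authorization request does not reveal the secret held in the cookie.
    return hashlib.sha256(raw_nonce.encode()).hexdigest()


def start_login() -> tuple[OidcCookie, dict]:
    """Step 1: mint unguessable per-session secrets and build the authentication request."""
    cookie = OidcCookie(state=secrets.token_urlsafe(32), nonce=secrets.token_urlsafe(32))
    params = {
        "response_type": "code",
        "state": cookie.state,              # anti-forgery token the provider echoes back
        "nonce": hash_nonce(cookie.nonce),  # bound into the ID token by the provider
    }
    return cookie, params


def verify_callback(cookie: OidcCookie, returned_state: str) -> bool:
    """Step 3: confirm the anti-forgery state token before exchanging the code."""
    # Constant-time comparison; encode so non-ASCII input cannot raise in compare_digest.
    return hmac.compare_digest(cookie.state.encode(), returned_state.encode())


def verify_id_token_nonce(cookie: OidcCookie, id_token_claims: dict) -> bool:
    """After the code exchange: the nonce claim must equal the hash of the cookie value."""
    claim = id_token_claims.get("nonce")
    if not isinstance(claim, str):
        return False  # missing or malformed nonce claim: treat as replay/forgery
    return hmac.compare_digest(hash_nonce(cookie.nonce).encode(), claim.encode())
```

An ID token issued for a different session carries a different nonce, so it fails the final check even though it is a valid token from the provider.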