vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License
2.92k stars 327 forks source link

Okta Chicklet adds an '?iss=http://OURDOMAIN.okta.com' parameter to request, /login flags that as an error #510

Closed airpaio closed 1 year ago

airpaio commented 1 year ago

I have a basic python Dash (flask) application running with vouch and nginx configured, and Okta as my SSO provider.

The issue I am facing is when there is not currently any vouch cookie set, and I try to reach my application from the Okta chicklet, I get a vouch 400 Bad Request with no jwt found in request in the logs (I am already signed in to okta). If I navigate to the app's url directly in a new browser tab, then the whole vouch/okta flow seems to work fine, and I end up getting a VouchCookie set and I can access my application. Then subsequently, If I go back to Okta and click on the app's chicklet again, I am successfully routed to my application because a vouch cookie was set previously when I directly navigated to the app's url.

How can I get the vouch/okta flow to work properly if clicking form the Okta chicklet for the first time without a vouch cookie having been set yet?

I have everything running in containers with docker-compose on an AWS EC2 right now. I am not using SSL right now, just trying to get everything else working for now.

I have included links to logs and config gists below.

Logs: https://gist.github.com/airpaio/a29191d4fe52fd79bb458c0a86c4eca7 Vouch Config: https://gist.github.com/airpaio/0df27b9240f656361dff1f0f81f14b81 NginxConfig: https://gist.github.com/airpaio/ab498461d07bd481a9bdb5a8661e7a48

airpaio commented 1 year ago

This seems related to discussion in #313.

airpaio commented 1 year ago

I understand that there are some redirection checks in place to address security concerns, but would it be acceptable to implement a vouch.login_redirect_uris_whitelist in the config, and skip those whitelisted uri in this badStrings filter? This would leave the redirection security risks up to the user. Are there any other suggestions you have that could resolve my issue without making this implementation?

bnfinet commented 1 year ago

closing in favor of #313 (dup)