Validate client redirects in SSO client logins

[espadolini]

This PR makes it so that client redirect URLs for SSO login sessions that are not web sessions (i.e., they're from tsh login) are now required to be http://127.0.0.1:*/callback (with ipv6 and "localhost" variants) with no query parameters other than the secret_key required for the response, or https://<hostname>/callback with the same single query parameter, and a hostname that matches one of the hostnames configured in the auth connector.

Configuration UX:

version: vX
kind: (saml|oidc|github)
metadata:
  name: ...
spec:
  ...
  client_redirect_settings:
    allowed_https_hostnames:
      - '*.app.github.dev'
      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'

Related enterprise PR: gravitational/teleport.e#3727.

[fghamsary]

These type of breaking changes should always have a backup configuration, which can be override if needed by the final client!

[zmb3]

Hi @fghamsary,

There is a backup configuration. It is called allowed_https_hostnames and it is illustrated in the description in this PR.

[espadolini]

To elaborate further: we considered adding an allowlist for non-https redirect URLs as well, but deliberately decided against it (requiring a valid webpki certificate at least adds some protection against DNS poisoning). This change is the remediation for a security vulnerability classified as HIGH (see https://github.com/gravitational/teleport/releases/tag/v15.3.6 ).

[fghamsary]

I understand that you did it for a reason, but I'm telling you that as an end user we may need the http and without DNS as it might be local IP.
In my case I use teleport-ent inside WSL2 on windows and the IP address is dynamic and I need to open the connection for tsh with --bind-addr to point to correct IP address. But this doesn't work anymore due to this change that you did.
Please consider adding http list as well, even though in many cases this is a vulnerability and security risk but in some cases that the Admin decides this should be possible for any reason, just as I mentioned on my case.

[fghamsary]

Please refer to this as well.
#41516 (comment)
I saw that https is possible, but I need http with IP address!

[fghamsary]

In my opinion at least all local (private) IPs should be valid without any other configuration just like 127.0.0.1.
You know better than me the ranges of the IP addresses such as 172.0.0.0/8, 192.0.0.0/24 and 10.0.0.0/24

[yylbfyl]

I'm facing the same issue , I using Virtual Box to login teleport with a shell , I need redirect the port to a virtual IP to open SSO link from host machine, but it doesn't work now. Parameter --bind-addr is not work, it will return an error :
Failed to login due to a disallowed callback URL. Please check Teleport's log for more details.

So how to correctly to use parameter "--bind-addr" now?

[webvictim]

Documentation is missing for this: #43373