Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix bug in certain error handling for authorize endpoint when response_mode=form_post is requested #1179

Merged
merged 5 commits into from
Jun 8, 2022
Merged

Fix bug in certain error handling for authorize endpoint when response_mode=form_post is requested #1179

merged 5 commits into from
Jun 8, 2022

Conversation

cfryanr
Copy link
Member

@cfryanr cfryanr commented Jun 2, 2022

When response_mode=form_post is requested, some error cases will be returned to the client using the form_post web page to POST the result back to the client's redirect URL. However, the authorize endpoint was not setting the form_post page's CSP headers on its responses, so the browser would refuse to run the page's Javascript code to POST the error message back to the client's redirect URL. This broke the flow for certain error messages that were supposed to be shown to the user by the client, but instead the user would be left looking at a blank web page and a client still waiting for a callback to happen.

This was not caught by integration tests because it is very hard to write an integration test for any of these errors at the authorization endpoint. The e2e integration test covers using the CLI with form_post mode, however the CLI will never create the types of malformed requests which would demonstrate these errors which get returned by the authorize endpoint using the form_post page. The kinds of errors that would be easy to cause in a test (e.g. by purposefully misconfiguring an OIDCIdentityProvider) are all handled by the callback endpoint, which did not suffer from this same CSP headers bug.

Release note:

Fix a minor bug in how error messages are returned to the client for certain edge cases in the authorize endpoint when the client requests response_mode=form_post and also makes a bad request.

@cfryanr
Use CSP headers in auth handler response
b99c477 
When response_mode=form_post is requested, some error cases will be
returned to the client using the form_post web page to POST the result
back to the client's redirect URL.
@codecov
Copy link

codecov bot commented Jun 2, 2022
edited
Loading

Codecov Report

Merging #1179 (472ab22) into main (2c7b52d) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main    #1179   +/-   ##
=======================================
  Coverage   79.72%   79.72%           
=======================================
  Files         144      144           
  Lines       10518    10519    +1     
=======================================
+ Hits         8385     8386    +1     
  Misses       1853     1853           
  Partials      280      280
Impacted Files Coverage Δ
internal/oidc/auth/auth_handler.go 99.32% <100.00%> (+<0.01%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2c7b52d...472ab22. Read the comment docs.

@enj enj merged commit cc1163e into main Jun 8, 2022
@enj enj deleted the auth_handler_form_post_csp branch June 8, 2022 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enj enj enj approved these changes

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cfryanr @enj @vmwclabot