Skip to content

fix: Prevent infinite redirects on oidc errors #6550

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 10, 2023
Merged

fix: Prevent infinite redirects on oidc errors #6550

merged 2 commits into from
Mar 10, 2023

Conversation

Emyrk
Copy link
Member

@Emyrk Emyrk commented Mar 10, 2023
edited
Loading

Providing an invalid scope -oidc-scopes openid,profile,email,bad on Okta OIDC provider causes infinite redirect loop.

@Emyrk Emyrk changed the title fix: Prevent infinite redirects on bad oidc scopes fix: Prevent infinite redirects on oidc errors Mar 10, 2023
@Emyrk Emyrk requested review from johnstcn and kylecarbs March 10, 2023 05:21
sreya
sreya approved these changes Mar 10, 2023
View reviewed changes
Copy link
Collaborator

@sreya sreya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly a great find 👍

@johnstcn johnstcn self-requested a review March 10, 2023 09:28
johnstcn
johnstcn reviewed Mar 10, 2023
View reviewed changes
Copy link
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice find Steven. Just a couple comments about how we handle the error_description and error_uri parameters.

coderd/httpmw/oauth2.go
// if for example we are providing and invalid scope.
// We should terminate the OIDC process if we encounter an error.
oidcError := r.URL.Query().Get("error")
errorDescription := r.URL.Query().Get("error_description")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per the OIDC spec only the error response parameter is required; the error_description field is optional so we should handle that being blank.

Also there is an error_uri parameter that might be present so we should check for that as well.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do handle an empty error_description. The Details part of the error is extra developer debug info. If it is empty, we provide no extra details, since we have no extra information.

I can add error_uri though 👍

kylecarbs
kylecarbs approved these changes Mar 10, 2023
View reviewed changes
Copy link
Member

@kylecarbs kylecarbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Woot woot! I've had URI mismatch on my OIDC setup so many times and I always had to inspect. Great change.

@Emyrk Emyrk merged commit a8433b1 into main Mar 10, 2023
@Emyrk Emyrk deleted the stevenmasley/oidc_errors branch March 10, 2023 16:12
@github-actions github-actions bot locked and limited conversation to collaborators Mar 10, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sreya sreya sreya approved these changes

@johnstcn johnstcn johnstcn approved these changes

@kylecarbs kylecarbs kylecarbs approved these changes

Assignees

@Emyrk Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Emyrk @sreya @johnstcn @kylecarbs