Posted to commits@guacamole.apache.org by "Nick Couchman (JIRA)" <ji...@apache.org> on 2018/05/04 01:36:00 UTC

[jira] [Comment Edited] (GUACAMOLE-560) Include "state" parameter in OpenID Connect authorization request

    [ https://issues.apache.org/jira/browse/GUACAMOLE-560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463270#comment-16463270 ] 

Nick Couchman edited comment on GUACAMOLE-560 at 5/4/18 1:35 AM:
-----------------------------------------------------------------

{quote}
While the spec stipulates what the client must do if they provide the state parameter in the initial request, whether that parameter is provided in the request is still up to the client.
{quote}

I looked at the Okta developer page mentioned on the mailing list post, and it looks like the Okta SSO product does require this parameter as part of the OIDC login.  See the "State" parameter under the following section:

https://developer.okta.com/docs/api/resources/oidc#parameter-details

{quote}
Okta requires the OAuth 2.0 state parameter on all requests to the /authorize endpoint in order to prevent cross-site request forgery (CSRF). The OAuth 2.0 specification requires that clients protect their redirect URIs against CSRF by sending a value in the authorize request which binds the request to the user-agent’s authenticated state. Using the state parameter is also a countermeasure to several other known attacks as outlined in OAuth 2.0 Threat Model and Security Considerations.
{quote}


was (Author: nick.couchman@yahoo.com):
{quote}
While the spec stipulates what the client must do if they provide the state parameter in the initial request, whether that parameter is provided in the request is still up to the client.
{quote}

I looked at the Okta developer page mentioned on the mailing list post, and it looks like the Okta SSO product does require this parameter as part of the OIDC login.  See the "State" parameter under the following section:


> Include "state" parameter in OpenID Connect authorization request
> -----------------------------------------------------------------
>
>                 Key: GUACAMOLE-560
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-560
>             Project: Guacamole
>          Issue Type: Wish
>          Components: guacamole-auth-openid
>    Affects Versions: 0.9.14
>            Reporter: Dave Smith
>            Priority: Trivial
>
> {quote}I've tried to get this set up. Unfortunately, it seems Okta insists (even with a Single Page App (SPA)) on having a state field in the POST, even if (when using SPA) it's not actually used. The guacamole client just goes in a redirect loop with an error visible in the URL of "invalid state".
>  
> With SPA the state parameter can even be some random letters, but must be there. Using OIDCDebugger.com gleans this:{quote}
> {quote} 
> error=invalid_request
> error_description=The authentication request has an invalid 'state' parameter.
>  
> yet by adding a bunch of x's to the state parameter..
>  
> I get a much more positive response:
> state=xxxxxxxxxxxxx
> id_token=eyJraWQiOiI0NlpNbjlZZG5HQ1AxMGhDUWs5VWtvc2ljUmltTURJRDBBbVh1dWhHUUhrIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUxMDAxNnVwUzhFaENuMjJwNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9hdG9zbXBjYXdzLm9rdGEuY29tIiwiYXVkIjoiMG9hMTIzZG8weXNibFN4dUoycDciLCJpYXQiOjE1MjQ3NTQwOTUsImV4cCI6MTUyNDc1NzY5NSwianRpIjoiSUQuRmZGYzFpZlA2VG
>  
> I'd kindly ask that state could be added as an optional parameter to the guac properties file.{quote}
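The check the Okta text above describes, shown as an added example in Python that is not guacamole-auth-openid's code and not taken from Okta's documentation. The client generates a random state (and a nonce) per login, stores it in the user agent's session, sends it on the /authorize request, and on the callback refuses to accept an id_token unless the echoed state matches the stored value. The endpoint, client ID and redirect URI below are constructed placeholders, not a real tenant; the session is a plain dict standing in for whatever server-side session store the application uses.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for illustration only; not a real Okta tenant or client.
AUTHORIZATION_ENDPOINT = "https://example.okta.com/oauth2/v1/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://guacamole.example.org/"


def build_authorization_request(session, authorization_endpoint=AUTHORIZATION_ENDPOINT,
                                client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Mint a fresh state and nonce, remember both in the caller's session,
    and return the URL the user agent should be redirected to."""
    state = secrets.token_urlsafe(32)   # unguessable; binds callback to this session
    nonce = secrets.token_urlsafe(32)   # bound into the id_token by the provider
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "response_type": "id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
    }
    return authorization_endpoint + "?" + urlencode(params)


def parse_callback(callback_url):
    """Implicit-flow responses arrive in the URL fragment; fall back to the
    query string so an error response in the query is also parsed."""
    parsed = urlparse(callback_url)
    raw = parsed.fragment or parsed.query
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def verify_callback(session, callback_url):
    """Return the callback parameters only if the state echoed by the provider
    matches the value stored for this session. The stored state is consumed
    so a replayed or second callback is rejected as well."""
    params = parse_callback(callback_url)
    expected = session.pop("oidc_state", None)
    received = params.get("state")
    if expected is None:
        raise ValueError("no pending authorization request for this session")
    if received is None:
        raise ValueError("callback is missing the state parameter")
    # Constant-time comparison on bytes; compare_digest rejects non-ASCII str.
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in params:
        raise ValueError(params["error"] + ": " + params.get("error_description", ""))
    return params


if __name__ == "__main__":
    session = {}
    print(build_authorization_request(session))
    # Simulated provider redirect carrying the same state (constructed token value).
    ok = REDIRECT_URI + "#state=" + session["oidc_state"] + "&id_token=eyJ.constructed.token"
    print("accepted id_token:", verify_callback(session, ok)["id_token"])
    # A callback carrying a state this session never issued is rejected.
    other = {}
    build_authorization_request(other)
    try:
        verify_callback(other, REDIRECT_URI + "#state=xxxxxxxxxxxxx&id_token=attacker")
    except ValueError as exc:
        print("rejected:", exc)
```

The nonce is stored alongside the state because, once the id_token is received, its nonce claim should be compared against session["oidc_nonce"] in the same way; that check is outside this example.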



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)