Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passport strategy broken with iss in authentication request #564

Closed
2 tasks done
trombonekenny opened this issue Feb 5, 2023 · 3 comments
Closed
2 tasks done

Passport strategy broken with iss in authentication request #564

trombonekenny opened this issue Feb 5, 2023 · 3 comments

Comments

@trombonekenny
Copy link

5.0.0 introduced OAuth 2.0 authorization server issuer checking which has a side effect of causing the passport strategy to process authentication requests with iss in them as if they were responses instead of requests.

This errors with a did not find expected authorization request details in session, req.session['foo'] is undefined

I believe this is happening because iss is (as of 5.0.0) listed here:
https://github.com/panva/node-openid-client/blob/363c2152d125580897b394841bfc785b0cdcb054/lib/client.js#L53

which causes the if here always fails and we pass into authentication response.
https://github.com/panva/node-openid-client/blob/363c2152d125580897b394841bfc785b0cdcb054/lib/passport_strategy.js#L88

To Reproduce
Steps to reproduce the behaviour:

  1. Setup a passport strategy with openid-client
  2. Send an authentication request that has the iss property present

Expected behaviour
I'm currently working around this by doing a delete req.body.iss in my authentication request route before calling passport.authenticate. Then it behaves like the 4.9.1 version and processes the authentication request properly.

Environment:

  • openid-client version: 5.3.2

Additional context
The draft, now RFC9207 doesn't talk about authentication requests, only responses. That leads me to believe this is a bug.

The LTI 1.3 security framework is an example of a spec that says iss is required in the third-party initiated login authentication request.

  • the bug is happening on latest openid-client too.
  • I have searched the issues tracker on github for similar issues and couldn't find anything related.
@panva
Copy link
Owner

panva commented Feb 5, 2023

The draft, now RFC9207 doesn't talk about authentication requests, only responses. That leads me to believe this is a bug.

Exactly, because this is an authorization response parameter it makes iss listed as "callback" parameter, which means when present in the query the strategy flows to the "callback" code path.

That leads me to believe this is a bug.

Why?

@panva panva closed this as completed in 568709a Feb 5, 2023
@panva panva removed the triage label Feb 5, 2023
@trombonekenny
Copy link
Author

That leads me to believe this is a bug.

Why?

Because iss can also come in via an authentication request, per the LTI spec I posted. The presence of iss doesn't necessarily mean it is an authentication response. I believe in a response, it should validate the iss like the RFC recommends. But it's presence shouldn't be used by the passport strategy to determine if the .authenticate() is processing a request or response.

@trombonekenny
Copy link
Author

Thanks for the quick response! I didn't see that you'd made a patch so quickly when this closed. 😃

@github-actions github-actions bot locked and limited conversation to collaborators May 8, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@panva @trombonekenny