Commit 5490863d authored by Bruno Oliveira da Silva's avatar Bruno Oliveira da Silva Committed by Stian Thorgersen

[KEYCLOAK-8984] Warning in Gatekeeper on invalid state

parent 91f6fdc4
...@@ -16,6 +16,7 @@ limitations under the License. ...@@ -16,6 +16,7 @@ limitations under the License.
package main package main
import ( import (
"encoding/base64"
"net/http" "net/http"
"strconv" "strconv"
"strings" "strings"
...@@ -89,6 +90,8 @@ func (r *oauthProxy) dropRefreshTokenCookie(req *http.Request, w http.ResponseWr ...@@ -89,6 +90,8 @@ func (r *oauthProxy) dropRefreshTokenCookie(req *http.Request, w http.ResponseWr
// dropStateParameterCookie drops a state parameter cookie into the response // dropStateParameterCookie drops a state parameter cookie into the response
func (r *oauthProxy) writeStateParameterCookie(req *http.Request, w http.ResponseWriter) string { func (r *oauthProxy) writeStateParameterCookie(req *http.Request, w http.ResponseWriter) string {
uuid := uuid.NewV4().String() uuid := uuid.NewV4().String()
requestURI := base64.StdEncoding.EncodeToString([]byte(req.URL.RequestURI()))
r.dropCookie(w, req.Host, "request_uri", requestURI, 0)
r.dropCookie(w, req.Host, "OAuth_Token_Request_State", uuid, 0) r.dropCookie(w, req.Host, "OAuth_Token_Request_State", uuid, 0)
return uuid return uuid
} }
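Review bot: The comment above writeStateParameterCookie still says the function drops only a state cookie, while the two added lines (23–24) now also persist the caller's full request URI, base64-encoded, in a second cookie named request_uri. That base64 is encoding, not a signature: the callback handler later turns this cookie back into the post-login redirect, so anything able to set a cookie for req.Host (a sibling subdomain, script on a same-site page) can pick where the user lands, and the reader side has to keep treating the value as untrusted and confined to a local path. I would replace the stale comment with `// writeStateParameterCookie stores a fresh state nonce in the OAuth_Token_Request_State cookie and the base64-encoded original request URI in the request_uri cookie (unsigned; consumers must validate it), returning the nonce.` Hoisting the two cookie names into named constants shared with the callback handler would also stop the writer and reader from drifting apart.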
...@@ -201,24 +201,20 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque ...@@ -201,24 +201,20 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
r.dropAccessTokenCookie(req, w, accessToken, time.Until(identity.ExpiresAt)) r.dropAccessTokenCookie(req, w, accessToken, time.Until(identity.ExpiresAt))
} }
// step: decode the state variable // step: decode the request variable
state := "/" redirectURI := "/"
if req.URL.Query().Get("state") != "" { if req.URL.Query().Get("state") != "" {
decoded, err := base64.StdEncoding.DecodeString(req.URL.Query().Get("state")) if encodedRequestURI, _ := req.Cookie("request_uri"); encodedRequestURI != nil {
if err != nil { decoded, _ := base64.StdEncoding.DecodeString(encodedRequestURI.Value)
r.log.Warn("unable to decode the state parameter", redirectURI = string(decoded)
zap.String("state", req.URL.Query().Get("state")),
zap.Error(err))
} else {
state = string(decoded)
} }
} }
if r.config.BaseURI != "" { if r.config.BaseURI != "" {
// assuming state starts with slash // assuming state starts with slash
state = r.config.BaseURI + state redirectURI = r.config.BaseURI + redirectURI
} }
r.redirectToURL(state, w, req, http.StatusTemporaryRedirect) r.redirectToURL(redirectURI, w, req, http.StatusTemporaryRedirect)
} }
// loginHandler provide's a generic endpoint for clients to perform a user_credentials login to the provider // loginHandler provide's a generic endpoint for clients to perform a user_credentials login to the provider
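Review bot: The new branch on lines 35–37 throws away the base64 decode error and redirects to whatever the request_uri cookie decodes to, so a malformed cookie produces a partial or garbage Location, and a cookie value such as `//evil.example/` becomes a protocol-relative off-site redirect whenever BaseURI is empty (the proxy sets the cookie, but it is unsigned, so anything that can write cookies for the host controls it). A decode failure should log once and fall back to "/" — the warning this commit removes was the right reaction, just on the wrong input — and the decoded value should be required to be a local absolute path: starts with a single `/`, not `//` or `/\`. r.log.Warn and zap are used by the removed lines so they remain in scope; strings.HasPrefix needs the strings import if handlers.go does not already have it. oauthCallbackHandler starts outside the hunk, so whether the state parameter is compared against the OAuth_Token_Request_State cookie is not visible here; if it is not, line 34 only tests non-emptiness. The request_uri cookie is also never cleared after use in this hunk, so a stale value would be reused by a later login round-trip unless dropCookie's zero duration makes it a session cookie.
```go
	// step: decode the request variable
	redirectURI := "/"
	if req.URL.Query().Get("state") != "" {
		if encodedRequestURI, _ := req.Cookie("request_uri"); encodedRequestURI != nil {
			decoded, err := base64.StdEncoding.DecodeString(encodedRequestURI.Value)
			switch uri := string(decoded); {
			case err != nil:
				r.log.Warn("unable to decode the request_uri cookie", zap.Error(err))
			case !strings.HasPrefix(uri, "/") || strings.HasPrefix(uri, "//") || strings.HasPrefix(uri, "/\\"):
				r.log.Warn("ignoring non-local redirect target in request_uri cookie", zap.String("request_uri", uri))
			default:
				redirectURI = uri
			}
		}
	}
	// … unchanged: BaseURI prefix and redirectToURL …
```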
...@@ -304,7 +304,7 @@ func TestCallbackURL(t *testing.T) { ...@@ -304,7 +304,7 @@ func TestCallbackURL(t *testing.T) {
{ {
URI: cfg.WithOAuthURI(callbackURL) + "?code=fake&state=L2FkbWlu", URI: cfg.WithOAuthURI(callbackURL) + "?code=fake&state=L2FkbWlu",
ExpectedCookies: map[string]string{cfg.CookieAccessName: ""}, ExpectedCookies: map[string]string{cfg.CookieAccessName: ""},
ExpectedLocation: "/admin", ExpectedLocation: "/",
ExpectedCode: http.StatusTemporaryRedirect, ExpectedCode: http.StatusTemporaryRedirect,
}, },
} }
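Review bot: With the expected location changed to "/" on line 56, this case now only shows that a state parameter without a request_uri cookie falls back to the root, so the new cookie-driven redirect has no test at all. The table should gain a case that sends a `request_uri` cookie carrying `L2FkbWlu` (base64 of "/admin") with the same URI and expects `/admin`, and one with an undecodable cookie value to pin the fallback. Whether the harness can attach request cookies is not visible here, since TestCallbackURL starts outside the hunk.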