Commit 5490863d authored by Bruno Oliveira da Silva's avatar Bruno Oliveira da Silva Committed by Stian Thorgersen

[KEYCLOAK-8984] Warning in Gatekeeper on invalid state

parent 91f6fdc4
......@@ -16,6 +16,7 @@ limitations under the License.
package main
import (
"encoding/base64"
"net/http"
"strconv"
"strings"
......@@ -89,6 +90,8 @@ func (r *oauthProxy) dropRefreshTokenCookie(req *http.Request, w http.ResponseWr
// dropStateParameterCookie drops a state parameter cookie into the response
func (r *oauthProxy) writeStateParameterCookie(req *http.Request, w http.ResponseWriter) string {
uuid := uuid.NewV4().String()
requestURI := base64.StdEncoding.EncodeToString([]byte(req.URL.RequestURI()))
r.dropCookie(w, req.Host, "request_uri", requestURI, 0)
r.dropCookie(w, req.Host, "OAuth_Token_Request_State", uuid, 0)
return uuid
}
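Review bot: The doc comment on the line above the signature names a function that does not exist here (`dropStateParameterCookie`) and, after this change, the function also writes a second cookie, so the comment no longer describes the behaviour. Suggested replacement: `// writeStateParameterCookie stores a random state value in the OAuth_Token_Request_State cookie and the base64-encoded request URI in the request_uri cookie, and returns the state value.` Whether this line is context or added is not recoverable from the rendered page, but the comment is wrong on the new side either way.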
......
......@@ -201,24 +201,20 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
r.dropAccessTokenCookie(req, w, accessToken, time.Until(identity.ExpiresAt))
}
// step: decode the state variable
state := "/"
// step: decode the request variable
redirectURI := "/"
if req.URL.Query().Get("state") != "" {
decoded, err := base64.StdEncoding.DecodeString(req.URL.Query().Get("state"))
if err != nil {
r.log.Warn("unable to decode the state parameter",
zap.String("state", req.URL.Query().Get("state")),
zap.Error(err))
} else {
state = string(decoded)
if encodedRequestURI, _ := req.Cookie("request_uri"); encodedRequestURI != nil {
decoded, _ := base64.StdEncoding.DecodeString(encodedRequestURI.Value)
redirectURI = string(decoded)
}
}
if r.config.BaseURI != "" {
// assuming state starts with slash
state = r.config.BaseURI + state
redirectURI = r.config.BaseURI + redirectURI
}
r.redirectToURL(state, w, req, http.StatusTemporaryRedirect)
r.redirectToURL(redirectURI, w, req, http.StatusTemporaryRedirect)
}
// loginHandler provide's a generic endpoint for clients to perform a user_credentials login to the provider
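Review bot: The error from `base64.StdEncoding.DecodeString(encodedRequestURI.Value)` is discarded and the decoded bytes are used as the redirect target with no check that they form a relative path, so a malformed or crafted `request_uri` cookie — a value the client controls — ends up in the Location header either as a partially decoded string or as an absolute URL to another host (an open redirect through the callback). The previous code at least logged a decode failure for the state parameter; the new branch should keep that warning, fall back to "/" on error, and accept the cookie only when it starts with a single slash, as sketched below (add `strings` to the imports if this file does not already have it). The removed comment `// assuming state starts with slash` still describes the assumption the `r.config.BaseURI + redirectURI` concatenation relies on, so it is worth keeping on the new variable. oauthCallbackHandler starts before this hunk, so whether the `state` query parameter is compared against the `OAuth_Token_Request_State` cookie set by writeStateParameterCookie is not visible here.
```go
	// step: decode the request variable from the request_uri cookie;
	// only a relative path (single leading slash) is accepted as a redirect target
	redirectURI := "/"
	if c, _ := req.Cookie("request_uri"); c != nil {
		decoded, err := base64.StdEncoding.DecodeString(c.Value)
		switch {
		case err != nil:
			r.log.Warn("unable to decode the request_uri cookie", zap.Error(err))
		case strings.HasPrefix(string(decoded), "/") && !strings.HasPrefix(string(decoded), "//"):
			redirectURI = string(decoded)
		default:
			r.log.Warn("ignoring request_uri cookie that is not a relative path")
		}
	}
	// … unchanged: BaseURI prefixing and redirectToURL …
```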
......
......@@ -304,7 +304,7 @@ func TestCallbackURL(t *testing.T) {
{
URI: cfg.WithOAuthURI(callbackURL) + "?code=fake&state=L2FkbWlu",
ExpectedCookies: map[string]string{cfg.CookieAccessName: ""},
ExpectedLocation: "/admin",
ExpectedLocation: "/",
ExpectedCode: http.StatusTemporaryRedirect,
},
}
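Review bot: With the expected location changed to "/", this case no longer exercises the new redirect path at all: the `state=L2FkbWlu` query parameter is now ignored and no `request_uri` cookie is sent, so the test only checks the default. If the table supports request cookies, a case that sends `request_uri` set to the base64 encoding of "/admin" and expects `ExpectedLocation: "/admin"`, plus one with an undecodable cookie value expecting "/", would cover the behaviour the commit introduces. TestCallbackURL starts before this hunk, so whether the table has a cookie field is not visible here.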
......