Comments (18)
it does seem a bit confusing to overwrite it in ueberauth imo, the google spec does explicitly suggest using it for "directing the user to the correct resource" as fernando is doing in his original code?
would it make sense to add the csrf (e.g. use a map that gets serialised) to the user provided state inside ueberauth and then strip it out when passing it back to the application code?
from ueberauth_google.
Hey @fedme
It seems that Google OAuth2 does support state
param, I would suggest stopping using such thing for other things than security reasons as Ueberauth is trying to do at the moment.
https://developers.google.com/identity/protocols/oauth2/web-server
from ueberauth_google.
I am closing this, strongly recommend refactoring your side, and use something else for your intention.
from ueberauth_google.
@fedme would you mind suggesting some changes in ueberauth
where we configure the state token creation?
from ueberauth_google.
Hey @yordis, thanks for getting back to me!
I am not sure my Elixir skills are yet at the point where I can contribute a change of this kind.
But I am thinking maybe I can use a cookie to store my custom state between the request and callback (instead of using the state query parameter). That should be possible, right?
from ueberauth_google.
@fedme well, it depends on how Google OAuth2 handles the CSRF token. Do you know?
Changing this line,
to
should do the trick, and pass the token to the right configuration. That function just reads the state, https://github.com/ueberauth/ueberauth/blob/5c297f1d7574a034b2117a4f6ffb3075ca66d359/lib/ueberauth/strategies/helpers.ex#L178 and adds it to the configuration, but you don't have to use it.
Also, I notice that maybe, we need to disable CSRF attack for this provider.
Will get back to you on this late today hopefully
from ueberauth_google.
Thanks for your help @yordis!
As a workaround, I did manage to use the session cookie to store my custom state (instead of using the state query parameter).
See the following code that shows how I managed to do it:
    defmodule MyAppWeb.AuthController do
      use MyAppWeb, :controller

      plug(Ueberauth, providers: [:google_custom])

      @provider_config {Ueberauth.Strategy.Google, [default_scope: "email profile"]}

      # The custom value arrives as a query parameter on the request URL
      def request(conn, %{"provider" => "google", "custom_state" => custom_state}) do
        # Store custom state in the session instead of the OAuth2 `state` param,
        # which Ueberauth overwrites with its own CSRF token
        conn
        |> put_session(:auth_custom_state, custom_state)
        |> Ueberauth.run_request("google", @provider_config)
      end

      def callback(conn, _params) do
        %{assigns: %{ueberauth_auth: auth}} =
          conn
          |> Ueberauth.run_callback("google", @provider_config)

        # Get custom state back from the session; the session cookie survives
        # the round trip to Google, so the value is available here
        auth_custom_state = get_session(conn, :auth_custom_state)
        IO.inspect(auth_custom_state, label: "Auth custom state")
      end
    end
With that code, I am able to start the OAuth flow passing some custom state in the URL (e.g. https://localhost:4000/auth/google?custom_state=some_values_here) and then take it back from the session in the callback function.
It seems to work well as a workaround, so maybe there is no need to make any changes to the library?
from ueberauth_google.
@yordis just to understand correctly, state is a valid part of Google's OAuth2 spec, but will this ueberauth plugin re-introduce support to pass it through? Or am I missing something?
from ueberauth_google.
@fernandofleury the latest integration will inject a state into the URL, to avoid CSRF attacks.
His issue is that we overwrite the value of such state key, so he lost his value to do other stuff he was trying to do, so it conflicts with state coming from the CSRF attack.
from ueberauth_google.
This is also a hindrance for us - the state parameter is not meant solely to be used for security purposes.
from ueberauth_google.
Sounds like we might need to reopen this again
from ueberauth_google.
Would you consider opening this again?
It is really blocking when we need to pass a custom state, either because it's used for another thing than security purposes, or because we need to pass the CSRF nonce generated by another, external, tool (that breaks because of this)?
Defaulting to using Ueberauth's own CSRF is good, but breaks workflows if there are no escape hatches. A simple way to tap into the ignore_csrf_attack attribute would be interesting.
from ueberauth_google.
Hey peeps, let me get back to this when I can, if you feel capable or want to collaborate on adding the feature, please take the lead.
from ueberauth_google.
Still feels a bit like an anti-pattern to store anything other than a nonce in the state param. I would suggest following the advice from the link above and storing the information locally together with the nonce, and then verifying the state nonce after the auth flow.
I believe the only missing feature for this to work is for us to get the state nonce into user land.
Would this work for you @apognu?
from ueberauth_google.
"The primary reason for using the state parameter is to mitigate CSRF attacks"
@Hanspagh from https://auth0.com/docs/secure/attack-protection/state-parameters#csrf-attacks or the Google one I shared.
I don't feel confident that such a state field should be used for anything else than security reasons. It is not clear to me that they are proposing to use it for other stuff.
from ueberauth_google.
Yes, from auth0 they mention here how to do redirects while still only using the state param for csrf protection:
https://auth0.com/docs/secure/attack-protection/state-parameters#redirect-users
from ueberauth_google.
Are you referring to https://auth0.com/docs/secure/attack-protection/state-parameters#alternate-redirect-method?
- Generate and store a nonce value locally.
- Encode any desired state (like the redirect URL) along with the nonce in a protected message (that will need to be encrypted/signed to avoid tampering).
- In the response processing, unprotect the message, getting the nonce and other properties stored.
- Validate that the included nonce matches what was stored locally and, if so, accept the OAuth2 message.
Just to confirm that I didn't misread since English isn't my first language and I would like to avoid ambiguous language and misunderstanding from my side.
Auth0 is popular enough that if they are teaching people to do that, probably we should open the package to support it then.
from ueberauth_google.
Yes, precisely.
The state is still "just" used for csrf protection, but users can access the nonce before and after the auth request and therefore store any information related to it.
from ueberauth_google.
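The "alternate redirect method" quoted in the two comments above, worked through as an added Elixir example (not code from ueberauth or ueberauth_google): the `state` value is a signed message carrying a random nonce plus application data such as a return path; only the nonce is kept locally, and on callback both the signature and the nonce are checked, so `state` keeps its CSRF role while still carrying app data. The module name, the secret `key`, the 600-second lifetime and the `data` contents are assumptions for the example; handing the value to Ueberauth as the `state` parameter is the missing hook the thread discusses.

```elixir
defmodule MyAppWeb.ProtectedState do
  # Added example, not library code. HMAC-SHA256 over the encoded payload; the
  # payload is term_to_binary of a map so it runs with no extra dependencies.
  @max_age_seconds 600 # assumed lifetime of an in-flight authorization request

  # Random nonce to store locally (e.g. in the session) before redirecting.
  def new_nonce, do: :crypto.strong_rand_bytes(16) |> Base.url_encode64(padding: false)

  # Build the `state` value. `key` is an application secret (assumed).
  def encode(key, nonce, data, now \\ System.system_time(:second)) when is_map(data) do
    payload =
      %{nonce: nonce, data: data, iat: now}
      |> :erlang.term_to_binary()
      |> Base.url_encode64(padding: false)

    payload <> "." <> sign(key, payload)
  end

  # {:ok, data} only when the signature is valid, the nonce matches the locally
  # stored one and the message has not expired; {:error, :invalid_state} otherwise.
  def decode(key, state, expected_nonce, now \\ System.system_time(:second)) do
    with [payload, sig] <- String.split(state, ".", parts: 2),
         true <- secure_compare(sig, sign(key, payload)),
         {:ok, raw} <- Base.url_decode64(payload, padding: false),
         # decoding happens only after the signature check; [:safe] refuses new atoms
         %{nonce: nonce, data: data, iat: iat} <- :erlang.binary_to_term(raw, [:safe]),
         true <- secure_compare(nonce, expected_nonce),
         true <- now - iat <= @max_age_seconds do
      {:ok, data}
    else
      _ -> {:error, :invalid_state}
    end
  end

  defp sign(key, payload) do
    :crypto.mac(:hmac, :sha256, key, payload) |> Base.url_encode64(padding: false)
  end

  # Constant-time comparison; a nil nonce (no session entry) simply fails.
  defp secure_compare(a, b) when is_binary(a) and is_binary(b) and byte_size(a) == byte_size(b) do
    :crypto.exor(a, b) |> :binary.bin_to_list() |> Enum.reduce(0, &:erlang.bor/2) == 0
  end

  defp secure_compare(_, _), do: false
end
```

In the request action, `nonce = new_nonce()` goes into the session and `encode(key, nonce, %{return_to: "/dashboard"})` becomes the `state`; in the callback, `decode(key, params["state"], get_session(conn, :oauth_nonce))` must return `{:ok, data}` before the code exchange proceeds, and the same call with a replayed, expired or nonce-less request returns `{:error, :invalid_state}`.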