How to pass custom state after the CSRF refactoring? #83
@fedme would you mind suggesting some changes in
Hey @yordis, thanks for getting back to me! I am not sure my Elixir skills are yet at the point where I can contribute a change of this kind. But I am thinking maybe I can use a cookie to store my custom state between the request and callback (instead of using the
@fedme well, it depends on how Google OAuth2 handles the CSRF token. Do you know? Changing this line,
That function just reads the state, https://github.com/ueberauth/ueberauth/blob/5c297f1d7574a034b2117a4f6ffb3075ca66d359/lib/ueberauth/strategies/helpers.ex#L178 and adds it to the configuration, but you don't have to use it. Also, I notice that maybe we need to disable CSRF protection for this provider. Will get back to you on this later today, hopefully.
Thanks for your help @yordis! As a workaround, I did manage to use the session cookie to store my custom state (instead of using the See the following code that shows how I managed to do it:

```elixir
defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller

  plug(Ueberauth, providers: [:google_custom])

  @provider_config {Ueberauth.Strategy.Google, [default_scope: "email profile"]}

  def request(conn, %{"provider" => "google", "custom_state" => custom_state}) do
    # Store custom state in the session instead of the `state` query param,
    # which Ueberauth now overwrites with its own CSRF token
    conn
    |> put_session(:auth_custom_state, custom_state)
    |> Ueberauth.run_request("google", @provider_config)
  end

  def callback(conn, _params) do
    conn = Ueberauth.run_callback(conn, "google", @provider_config)
    %{assigns: %{ueberauth_auth: _auth}} = conn

    # Get custom state back from the session
    auth_custom_state = get_session(conn, :auth_custom_state)
    IO.inspect(auth_custom_state, label: "Auth custom state")

    conn
  end
end
```

With that code, I am able to start the OAuth flow passing some custom state in the URL (e.g. It seems to work well as a workaround, so maybe there is no need to make any changes to the library?
Hey @fedme It seems that Google OAuth2 does support https://developers.google.com/identity/protocols/oauth2/web-server
I am closing this, strongly recommend refactoring your side, and use something else for your intention.
@yordis just to understand correctly,
@fernandofleury the latest integration will inject a His issue is that we overwrite the value of such
It does seem a bit confusing to overwrite it in ueberauth imo; the Google spec does explicitly suggest using it for "directing the user to the correct resource", as fernando is doing in his original code? Would it make sense to add the CSRF token (e.g. use a map that gets serialised) to the user-provided state inside ueberauth and then strip it out when passing it back to the application code?
This is also a hindrance for us - the state parameter is not meant solely to be used for security purposes.
Sounds like we might need to reopen this again.
Would you consider opening this again? It is really blocking when we need to pass a custom state, either because it's used for another thing than security purposes, or because we need to pass the CSRF nonce generated by another, external tool (that breaks because of this). Defaulting to using Ueberauth's own CSRF is good, but it breaks workflows if there are no escape hatches. A simple way to tap into the
Hey peeps, let me get back to this when I can. If you feel capable or want to collaborate on adding the feature, please take the lead.
Still feels a bit like an anti-pattern to store anything other than a nonce in the state param. I would suggest following the advice from the link above and storing the information locally together with the nonce, and then verifying the state nonce after the auth flow. I believe the only missing feature for this to work is for us to get the state nonce into user land. Would this work for you @apognu?
@Hanspagh from https://auth0.com/docs/secure/attack-protection/state-parameters#csrf-attacks or the Google one I shared. I don't feel confident that using such
Yes, from auth0 they mention here how to do redirects while still only using the state param for CSRF protection.
Are you referring to https://auth0.com/docs/secure/attack-protection/state-parameters#alternate-redirect-method
Just to confirm that I didn't misread, since English isn't my first language and I would like to avoid ambiguous language and misunderstanding from my side.
Yes, precisely.
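The "alternate redirect method" the last few comments settle on, and the session-based workaround posted earlier in the thread, both come down to the same pattern: the `state` parameter carries only an unguessable nonce, and the redirect target is kept server-side, bound to that nonce. The module below is an added example written for this page, not code from Ueberauth or from anyone in the thread. Its module name, function names and session key are hypothetical. It assumes the application can choose the `state` value it sends to the provider and read back the one the provider echoes (the escape hatch the thread asks for, or a flow run outside the Ueberauth plug). The session is modelled as a plain map so the module runs in `iex` without Phoenix; in a controller the same keys would go through `get_session`/`put_session`.

```elixir
defmodule MyAppWeb.OAuthState do
  @moduledoc """
  Hypothetical helper (not part of Ueberauth): binds a per-login redirect
  target to the OAuth `state` nonce server-side, so `state` itself carries
  nothing but a random nonce that is verified once and then discarded.
  """
  import Bitwise

  @session_key :oauth_pending
  @ttl_seconds 600
  @default_redirect "/"

  @doc """
  Generates a 256-bit nonce, remembers `redirect_to` under it in the session
  and returns `{session, state}`; `state` is the value to send to the provider.
  """
  def start_login(session, redirect_to, now \\ System.system_time(:second)) do
    nonce = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
    pending = %{nonce: nonce, redirect_to: safe_redirect(redirect_to), issued_at: now}
    {Map.put(session, @session_key, pending), nonce}
  end

  @doc """
  Verifies the `state` echoed back by the provider. Returns
  `{:ok, redirect_to, session}` with the pending entry cleared (one-time use),
  or `{:error, reason}` when there is no pending login, the nonce does not
  match, or the entry is older than the TTL.
  """
  def complete_login(session, returned_state, now \\ System.system_time(:second)) do
    with {:ok, pending} <- fetch_pending(session),
         :ok <- check_nonce(pending.nonce, returned_state),
         :ok <- check_ttl(pending.issued_at, now) do
      {:ok, pending.redirect_to, Map.delete(session, @session_key)}
    end
  end

  @doc "Round trip on a plain-map session: request, genuine callback, forged and replayed callbacks."
  def demo do
    {session, state} = start_login(%{}, "/dashboard?tab=billing")
    # The browser would now be sent to the provider with `state` attached.
    {:ok, "/dashboard?tab=billing", cleared} = complete_login(session, state)
    # A forged callback and a replay of the consumed nonce are both rejected.
    {:error, :state_mismatch} = complete_login(session, "attacker-chosen-value")
    {:error, :no_pending_login} = complete_login(cleared, state)
    # An absolute URL as redirect target falls back to the default, closing the open redirect.
    {session2, state2} = start_login(%{}, "https://evil.example/phish")
    {:ok, "/", _} = complete_login(session2, state2)
    :ok
  end

  defp fetch_pending(session) do
    case Map.fetch(session, @session_key) do
      {:ok, %{nonce: _, redirect_to: _, issued_at: _} = pending} -> {:ok, pending}
      _ -> {:error, :no_pending_login}
    end
  end

  # Constant-time comparison: length check up front, then OR together the XOR of
  # every byte pair so the running time does not reveal where the first mismatch is.
  defp check_nonce(nonce, returned)
       when is_binary(returned) and byte_size(returned) == byte_size(nonce) do
    diff =
      :binary.bin_to_list(nonce)
      |> Enum.zip(:binary.bin_to_list(returned))
      |> Enum.reduce(0, fn {a, b}, acc -> acc ||| bxor(a, b) end)

    if diff == 0, do: :ok, else: {:error, :state_mismatch}
  end

  defp check_nonce(_nonce, _returned), do: {:error, :state_mismatch}

  defp check_ttl(issued_at, now) when now - issued_at <= @ttl_seconds, do: :ok
  defp check_ttl(_issued_at, _now), do: {:error, :state_expired}

  # Only local paths are stored, so ?redirect_to=https://evil.example or a
  # protocol-relative //evil.example cannot turn the callback into an open redirect.
  defp safe_redirect(<<"/", next, _::binary>> = path) when next not in [?/, ?\\], do: path
  defp safe_redirect("/"), do: "/"
  defp safe_redirect(_other), do: @default_redirect
end
```

Running `MyAppWeb.OAuthState.demo()` in `iex` returns `:ok`. In a controller the request action would call `start_login/2` with the user-supplied target and send the returned nonce as `state`; the callback action would call `complete_login/2` with `params["state"]` and redirect only on `{:ok, target, session}`. Because the target is validated when stored and looked up by nonce rather than read back from the query string, nothing the provider echoes decides where the user ends up.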
Hi!
I have noticed that after #82 the `state` query parameter is set internally by Ueberauth to perform CSRF validation. The question now is, can we still pass custom state data during the OAuth process? Does anyone know how?
It seems that whatever you pass via the `state` query param gets overwritten with Ueberauth's CSRF token. This breaks our app logic, which uses `state` to know where to redirect users after login. Thanks!