Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #25690 [oidc-client] Sending a nonce with the authentication request should be done
    Actions
    Infos
    #25690
    Manuel Vacelet (vaceletm)
    2022-05-02 11:03
    2022-03-07 10:22
    27223
    Details
    [oidc-client] Sending a nonce with the authentication request should be done

    Sending a nonce with the authentication request should be done https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

    Mediawiki Standalone
    development
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Robert Vogel (rvogel)
    Stage
    Dejan Savuljesku (dsavuljesku)
    Closed
    2022-05-02
    Attachments
    Artifact links
    Empty
    Empty
    References
    References list is empty
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2022-03-31 10:26

    Hello,

    I think there is still an issue with this one but I maybe misreading the code.

    The verification is handled by this code:

    		$nonce = $d->nonce ?? null;
		if ( $nonce ) {
			if ( !$this->session ) {
				throw new Exception( 'Session must be set before obtaining AccessToken' );
			}
			$storedNonce = $this->session->get( 'tuleapOauth2nonce' );
			if ( !hash_equals( $nonce, $storedNonce ) ) {
				throw new Exception( 'Verify JWT: nonce does not match' );
			}
		}

    https://github.com/wikimedia/mediawiki-extensions-TuleapIntegration/blob/3002953f2cc0cf47a58ec759a0bf1f835c4ea5aa/src/Provider/Tuleap.php#L139-L148

    It looks like the verification is only done when we find a nonce in the ID Token and skipped otherwise. This seems incorrect to me since we always send a nonce we should always expect one in the response.

    This is mentioned in the OIDC Core specification:

    If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request.

    This is done this way because otherwise it becomes possible to just strip the nonce from the response to pass the validation.

    Also I have some concerns about the way the nonce is generated.

    	private function getNonce() {
		return sodium_bin2base64(
			hash( 'sha256', $this->session->getId(), true ),
			SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING
		);
	}

    https://github.com/wikimedia/mediawiki-extensions-TuleapIntegration/blob/3002953f2cc0cf47a58ec759a0bf1f835c4ea5aa/src/TuleapConnection.php#L200-L209

    I'm not exactly sure how the MediaWiki\Session\Session::getID generates the ID (I'm guessing it is dependent of backend used and in some case it is probably a session_id() call) but it is unlikely to be a reliable source of entropy. Since PHP 7, PHP got this right and there is an easy way to generate cryptographically secure random data with random_bytes(). Replacing the existing implementation with something like this should do the trick:

    	private function getNonce(): string {
		return sodium_bin2base64(
			random_bytes(32),
			SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING
		);
	}
    User avatar
    Manuel Vacelet (vaceletm)2022-03-07 10:27
    • Summary
      -Sending a nonce with the authentication request should be done 
      +[oidc-client] Sending a nonce with the authentication request should be done