Back-Channel Logout fails with cookie-based CSRF protection #15227
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: duplicate
A duplicate of another issue
type: bug
A general bug
Uh oh!
There was an error while loading. Please reload this page.
Describe the bug
I'm trying to configure Back-Channel Logout on an OAuth2 BFF: a reactive Spring Cloud Gateway instance configured with
oauth2Login
and theTokenRelay=
filter.As this BFF is used with single-page applications, CSRF protection is cookie-based (and this works for the RP-Initiated Logout: the POST request to
/logout
is correctly protected in this case).During Back-Channel Logout, the internal request to
/logout
fails with 403 FORBIDDEN due to CSRF authorization failure.Note that the Back-Channel Logout is successful as soon as:
POST
,PUT
,PATCH
&DELETE
requests from single-page & mobile apps).This makes Back-Channel Logout unusable in production with single-page & mobile apps.
To Reproduce
Enable cookie-based protection against CSRF and then initiate a Back-Channel Logout.
Expected behavior
The Back-Channel Logout should be successful, whatever store is used for the CSRF token.
Why should the CSRF protection be enforced in a flow where the user agent is not involved?
Sample
Pre-requisites:
git clone https://github.com/ch4mpy/quiz.git cd quiz sh ./build.sh
This builds and composes all the services in docker.
Frontend URI is logged at the end of the build script (it contain the building machine hostname):
http://hostname/ui/
Frontend users in
quiz
realm arech4mp
,moderator
,trainee
, andtrainer
. All havesecret
as secret.To trigger a Back-Channel Logout, visit the Keycloak user account in the
quiz
realm and click the logout button from the top right corner:http://hostname/auth/realms/quiz/account/
To debug the OAuth2 client, stop the
quiz.bff
Docker container and start theapi/bff
Spring Boot project in debug mode with your favorite IDE.Switching the CSRF protection strategy is just a matter of editing the
com.c4-soft.springaddons.oidc.client.csrf
property in the BFFapplication.yml
.Keycloak admin account is
admin
/admin
:http://hostname/auth/admin/master/console/#/quiz
Possible fix?
Maybe
OidcBackChannelServerLogoutHandler::eachLogout
could be changed to something like that?With this, I expect that a CSRF token is generated and added in a cookie, but only in the case where the CSRF token repo is cookie-based.
Maybe is it acceptable to generate and save a CSRF token whatever the token repo is?
The text was updated successfully, but these errors were encountered: