Use base64url encoding for oauth2 state parameter (#342)
Signed-off-by: Huabing Zhao <[email protected]>
1 parent 10492c2 commit 42ac602
1 file changed

+31
-29
lines changed


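--- a/single-page-app/verify.sh
+++ b/single-page-app/verify.sh
@@ -118,65 +118,67 @@ test_auth () {
 "${proxy_scheme}://localhost:${proxy_port}" \
 "${curl_args[@]}"
 
-# To enhance security,the nonce will always be used in the OAuth2 flow once PR https://github.com/envoyproxy/envoy/pull/35919 is merged.
-# Nonce-less verification will remain for backward compatibility with previous releases.
-# TODO: zhaohuabing - Remove the nonce-less verification after a reasonable transition period, such as one year.
-run_log "Check whether the nonce is used in the OAuth2 filter"
-SUPPORT_NONCE="false"
+# State has been changed to be a base64url encoded json object in #37473.
+# TODO(zhaohuabing): Remove the following code after #37473 is merged and become stable.
+run_log "Check whether the state is a base64url encoded json object"
+BASE64URL_PREFIX="eyJ1cmwiOi" # The state is prefixed with this string when it is a base64url encoded json object ({"url":)
+STATE_BASE64URL_ENCODE="false" # Whether the state is a base64url encoded json object
 LOCATION=$(_curl "${curl_args[@]}" --head "${proxy_scheme}://localhost:${proxy_port}/login" | grep location)
-if [[ "$LOCATION" == *"nonce%3D"* ]]; then
-SUPPORT_NONCE="true"
+if [[ "$LOCATION" == *"$BASE64URL_PREFIX"* ]]; then
+STATE_BASE64URL_ENCODE="true"
 fi
 
 run_log "Inititiate login"
 responds_with_header \
 "HTTP/1.1 302 Found" \
 "${proxy_scheme}://localhost:${proxy_port}/login" \
 "${curl_args[@]}"
-if [[ "$SUPPORT_NONCE" == "true" ]]; then
+if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
 responds_with_header \
-"location: http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D" \
-"${proxy_scheme}://localhost:${proxy_port}/login" \
-"${curl_args[@]}"
-responds_with_header \
-"set-cookie: OauthNonce=" \
+"location: http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${BASE64URL_PREFIX}" \
 "${proxy_scheme}://localhost:${proxy_port}/login" \
 "${curl_args[@]}"
 else
 responds_with_header \
-"location: http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin" \
+"location: http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D" \
 "${proxy_scheme}://localhost:${proxy_port}/login" \
 "${curl_args[@]}"
 fi
+responds_with_header \
+"set-cookie: OauthNonce=" \
+"${proxy_scheme}://localhost:${proxy_port}/login" \
+"${curl_args[@]}"
+
+encoded_state=$(echo -n "{\"url\":\"${proxy_scheme}://localhost:${proxy_port}/login\",\"nonce\":\"12345678\"}" | basenc --base64url --wrap=0 | sed 's/=//g')
 
 run_log "Fetch the myhub authorization page"
-if [[ "$SUPPORT_NONCE" == "true" ]]; then
+if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
 responds_with_header \
 "HTTP/1.1 302 Found" \
-"http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" \
+"http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${encoded_state}" \
 "${curl_args[@]}"
 responds_with_header \
 "Location: ${proxy_scheme}://localhost:${proxy_port}/authorize?code=" \
-"http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" \
+"http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${encoded_state}" \
 "${curl_args[@]}"
 else
 responds_with_header \
 "HTTP/1.1 302 Found" \
-"http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin" \
+"http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" \
 "${curl_args[@]}"
 responds_with_header \
 "Location: ${proxy_scheme}://localhost:${proxy_port}/authorize?code=" \
-"http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin" \
+"http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" \
 "${curl_args[@]}"
 fi
 
 run_log "Return to the app and receive creds"
-if [[ "$SUPPORT_NONCE" == "true" ]]; then
+if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
+CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${encoded_state}" | grep Location | cut -d= -f2 | cut -d\& -f1)
+RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=12345678" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=${encoded_state}")
+else
 CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" | grep Location | cut -d= -f2 | cut -d\& -f1)
 RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=12345678" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678")
-else
-CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin" | grep Location | cut -d= -f2 | cut -d\& -f1)
-RESPONSE=$(_curl "${curl_args[@]}" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Flogin")
 fi
 echo "$RESPONSE" | grep "HTTP/1.1 302 Found"
 echo "$RESPONSE" | grep "location: ${proxy_scheme}://localhost:${proxy_port}/login"
@@ -326,16 +328,16 @@ run_log "Inititiate dev login (Github)"
 responds_with_header \
 "HTTP/1.1 302 Found" \
 "http://localhost:${PORT_DEV_PROXY}/login"
-if [[ "$SUPPORT_NONCE" == "true" ]]; then
+if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
 responds_with_header \
-"location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3Dhttp%253A%252F%252Flocalhost%253A${PORT_DEV_PROXY}%252Flogin%26nonce%3D" \
+"location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${BASE64URL_PREFIX}" \
 "http://localhost:${PORT_DEV_PROXY}/login"
 responds_with_header \
 "set-cookie: OauthNonce=" \
 "http://localhost:${PORT_DEV_PROXY}/login"
 else
 responds_with_header \
-"location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Flogin" \
+"location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A${PORT_DEV_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3Dhttp%253A%252F%252Flocalhost%253A${PORT_DEV_PROXY}%252Flogin%26nonce%3D" \
 "http://localhost:${PORT_DEV_PROXY}/login"
 fi
 
@@ -344,9 +346,9 @@ responds_with \
 "Envoy single page app example" \
 "https://localhost:${PORT_PROXY}" \
 -k
-if [[ "$SUPPORT_NONCE" == "true" ]]; then
+if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
 responds_with_header \
-"location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3Dhttps%253A%252F%252Flocalhost%253A${PORT_PROXY}%252Flogin%26nonce%3D" \
+"location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${BASE64URL_PREFIX}" \
 "https://localhost:${PORT_PROXY}/login" \
 -k
 responds_with_header \
@@ -355,7 +357,7 @@ if [[ "$SUPPORT_NONCE" == "true" ]]; then
 -k
 else
 responds_with_header \
-"location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Flogin" \
+"location: https://github.com/login/oauth/authorize?client_id=XXX&redirect_uri=https%3A%2F%2Flocalhost%3A${PORT_PROXY}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3Dhttps%253A%252F%252Flocalhost%253A${PORT_PROXY}%252Flogin%26nonce%3D" \
 "https://localhost:${PORT_PROXY}/login" \
 -k
 fi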
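Review bot: The new `encoded_state=` line near the end of the first hunk depends on `basenc --base64url`, which is GNU coreutils only, and on `echo -n`, whose handling of `-n` is not portable; if `basenc` is absent the pipeline yields an empty `encoded_state` and every later `state=${encoded_state}` check asserts against a malformed URL instead of failing at the cause. I would check the tool up front, `command -v basenc >/dev/null || { printf '%s\n' "basenc (GNU coreutils) is required" >&2; exit 1; }`, and build the value with `printf '%s' "$state_json" | basenc --base64url --wrap=0 | tr -d '='` so the test never compares against an empty string. The expected value is also only correct if the proxy serializes the state as exactly `{"url":"…","nonce":"…"}` with that key order and no whitespace, which the script cannot verify itself, so a comment next to the line recording that assumption would help when the comparison starts failing. Note that the comparison in the new `if [[ "$LOCATION" == *"$BASE64URL_PREFIX"* ]]` only proves the prefix is present, not that the remainder decodes to the expected object, which is fine for a feature probe but should not be read as validating the state. test_auth starts before the first hunk and continues past it.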
