harden(oidc): pre-login UA/IP binding (MED-16) — RFC 9700 §4.7.1

Audit 2026-05-10 MED-16 closure. WHAT. Binds the OIDC pre-login row to the (clientIP, userAgent) tuple of the /auth/oidc/login request, and enforces a constant-time compare against the /auth/oidc/callback request at consume time. Defeats replay of a stolen pre-login cookie by a different browser / source — the secondary defense layer recommended by RFC 9700 §4.7.1 when the primary layer (HMAC integrity + Path=/ + SameSite=Lax on the cookie) is bypassed via CSRF / XSS / TLS-termination leak. WHY. Pre-fix, the pre-login cookie's HMAC verified only that 'some' caller of /auth/oidc/login was talking to /auth/oidc/callback; it did not verify that the SAME browser / source was on both sides. An attacker who exfiltrated the cookie value via any vector could replay the bytes through their own user-agent and ride the victim's authorization. RFC 9700 §4.7.1 calls out the gap explicitly and recommends binding state to a user-agent fingerprint + source IP. HOW. Migration: migrations/000044_prelogin_uaip.up.sql ALTER TABLE oidc_pre_login_sessions ADD COLUMN IF NOT EXISTS client_ip TEXT, ADD COLUMN IF NOT EXISTS user_agent TEXT; Both nullable for in-flight rolling-deploy compat — the consume- side check only enforces when both row AND request carry non-empty values for the leg in question. Domain: internal/repository/oidc.go (PreLoginSession) — adds ClientIP + UserAgent fields. Repository: internal/repository/postgres/oidc_prelogin.go — Create persists via sql.NullString (empty → NULL); LookupAndConsume reads back. Re-uses package-local nullableString from discovery.go. Service: internal/auth/oidc/service.go - PreLoginStore.CreatePreLogin signature takes (clientIP, userAgent) as positions 5–6. - PreLoginStore.LookupAndConsume returns (clientIP, userAgent) as positions 5–6. - HandleAuthRequest signature gains (clientIP, userAgent), threaded to the store. - HandleCallback adds Step 1.5 — UA / IP constant-time compare between stored row and incoming request. Per-leg toggles via preLoginRequireUA / preLoginRequireIP service fields. Empty values on either side pass through (rolling-deploy + headless- proxy compat). - New sentinels ErrPreLoginUAMismatch, ErrPreLoginIPMismatch. - SetPreLoginBindingRequirements(requireUA, requireIP) helper for main.go config wiring. Adapter: internal/auth/oidc/prelogin.go — PreLoginAdapter passes the new fields through to the repo row. Handler: internal/api/handler/auth_session_oidc.go - OIDCAuthHandshaker.HandleAuthRequest signature updated. - LoginInitiate captures clientIPFromRequest + r.UserAgent() and passes to the service. - classifyOIDCFailure adds errors.Is dispatch for the two new sentinels → prelogin_ua_mismatch / prelogin_ip_mismatch audit categories. Config: internal/config/config.go + AuthConfig.OIDCPreLoginRequireUA (default true) env CERTCTL_OIDC_PRELOGIN_REQUIRE_UA + AuthConfig.OIDCPreLoginRequireIP (default true) env CERTCTL_OIDC_PRELOGIN_REQUIRE_IP cmd/server/main.go calls oidcService.SetPreLoginBindingRequirements from cfg.Auth.OIDCPreLoginRequire{UA,IP}. Tests (internal/auth/oidc/service_test.go): - TestService_HandleCallback_MED16_UAMismatchRejected - TestService_HandleCallback_MED16_IPMismatchRejected - TestService_HandleCallback_MED16_BothMatch_Succeeds - TestService_HandleCallback_MED16_LegacyRowEmptyValues (rolling- deploy compat — empty stored values pass through) - TestService_HandleCallback_MED16_RequireUAFalse_AllowsMismatch (operator escape-hatch — UA mismatch silently allowed) Mechanical fan-out: - stubPreLogin / stubPreLoginRepo signatures updated. - All existing call sites in service_test.go (~40), prelogin_test.go, bench_test.go, logging_test.go, provider_enabled_test.go, integration_keycloak_test.go, integration_okta_smoke_test.go, auth_session_oidc_test.go updated to pass empty strings for the new params — pre-existing tests do not exercise UA/IP binding semantics. VERIFY. - go vet ./internal/auth/oidc/... ./internal/api/handler/... ./internal/config/... PASS - go test -short -count=1 -run MED16 ./internal/auth/oidc/... PASS (5/5) - go test -short -count=1 ./internal/auth/oidc/... PASS (4.6s) - go test -short -count=1 ./internal/api/handler/... PASS (4.3s) - go test -short -count=1 ./internal/config/... PASS Refs: cowork/auth-bundles-audit-2026-05-10.md MED-16 cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 6 RFC 9700 §4.7.1 — OAuth 2.0 Security Best Current Practice
2026-06-14 15:38:51 +00:00 · 2026-05-10 23:18:23 +00:00
parent 2cd2a5c52f
commit 2a1a0b347c
18 changed files with 441 additions and 103 deletions
@@ -196,7 +196,7 @@ func TestPreLoginAdapter_CreatePreLogin_GetActiveFailure(t *testing.T) {
 	keys := newStubSigningKeyLookup(nil)
 	keys.getActErr = errors.New("postgres unavailable")
 	a := NewPreLoginAdapter(repo, keys, "t-default", "")
-	_, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	_, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err == nil || !strings.Contains(err.Error(), "get active signing key") {
 		t.Errorf("err = %v, want wrapped 'get active signing key'", err)
 	}
@@ -210,7 +210,7 @@ func TestPreLoginAdapter_CreatePreLogin_DecryptFailure(t *testing.T) {
 	key.KeyMaterialEncrypted = []byte{0x03, 0x00, 0x01, 0x02} // bogus v3 blob
 	keys := newStubSigningKeyLookup(key)
 	a := NewPreLoginAdapter(repo, keys, "t-default", "passphrase-set")
-	_, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	_, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err == nil || !strings.Contains(err.Error(), "decrypt active key") {
 		t.Errorf("err = %v, want wrapped 'decrypt active key'", err)
 	}
@@ -223,7 +223,7 @@ func TestPreLoginAdapter_CreatePreLogin_RNGFailure(t *testing.T) {
 	a.SetRandReaderForTest(func(_ []byte) (int, error) {
 		return 0, errors.New("RNG drained")
 	})
-	_, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	_, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err == nil || !strings.Contains(err.Error(), "generate id") {
 		t.Errorf("err = %v, want wrapped 'generate id'", err)
 	}
@@ -234,7 +234,7 @@ func TestPreLoginAdapter_CreatePreLogin_PersistFailure(t *testing.T) {
 	repo.createErr = errors.New("FK violation")
 	keys := newStubSigningKeyLookup(activeKeyForTest(t, "sk-1"))
 	a := NewPreLoginAdapter(repo, keys, "t-default", "")
-	_, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	_, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err == nil || !strings.Contains(err.Error(), "persist row") {
 		t.Errorf("err = %v, want wrapped 'persist row'", err)
 	}
@@ -247,7 +247,7 @@ func TestPreLoginAdapter_CreatePreLogin_HappyPath(t *testing.T) {
 	repo := newStubPreLoginRepo()
 	keys := newStubSigningKeyLookup(activeKeyForTest(t, "sk-1"))
 	a := NewPreLoginAdapter(repo, keys, "t-default", "")
-	cookie, sid, err := a.CreatePreLogin(context.Background(), "op-x", "the-state", "the-nonce", "verifier-xxx")
+	cookie, sid, err := a.CreatePreLogin(context.Background(), "op-x", "the-state", "the-nonce", "verifier-xxx", "", "")
 	if err != nil {
 		t.Fatalf("CreatePreLogin: %v", err)
 	}
@@ -279,7 +279,7 @@ func TestPreLoginAdapter_CreatePreLogin_HappyPath(t *testing.T) {
 func TestPreLoginAdapter_LookupAndConsume_MalformedCookie(t *testing.T) {
 	a := NewPreLoginAdapter(newStubPreLoginRepo(),
 		newStubSigningKeyLookup(activeKeyForTest(t, "sk-1")), "t-default", "")
-	_, _, _, _, err := a.LookupAndConsume(context.Background(), "definitely-not-a-cookie")
+	_, _, _, _, _, _, err := a.LookupAndConsume(context.Background(), "definitely-not-a-cookie")
 	if !errors.Is(err, ErrPreLoginNotFound) {
 		t.Errorf("err = %v, want ErrPreLoginNotFound", err)
 	}
@@ -292,14 +292,14 @@ func TestPreLoginAdapter_LookupAndConsume_UnknownSigningKey(t *testing.T) {
 	createKey := activeKeyForTest(t, "sk-1")
 	createKeys := newStubSigningKeyLookup(createKey)
 	createAdapter := NewPreLoginAdapter(repo, createKeys, "t-default", "")
-	cookie, _, err := createAdapter.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	cookie, _, err := createAdapter.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err != nil {
 		t.Fatalf("CreatePreLogin: %v", err)
 	}

 	emptyKeys := newStubSigningKeyLookup(nil) // sk-1 is not in this lookup
 	consumeAdapter := NewPreLoginAdapter(repo, emptyKeys, "t-default", "")
-	_, _, _, _, err = consumeAdapter.LookupAndConsume(context.Background(), cookie)
+	_, _, _, _, _, _, err = consumeAdapter.LookupAndConsume(context.Background(), cookie)
 	if !errors.Is(err, ErrPreLoginNotFound) {
 		t.Errorf("err = %v, want ErrPreLoginNotFound (unknown signing key)", err)
 	}
@@ -312,7 +312,7 @@ func TestPreLoginAdapter_LookupAndConsume_DecryptKeyFailure(t *testing.T) {
 	createKey := activeKeyForTest(t, "sk-1")
 	createKeys := newStubSigningKeyLookup(createKey)
 	createAdapter := NewPreLoginAdapter(repo, createKeys, "t-default", "")
-	cookie, _, err := createAdapter.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	cookie, _, err := createAdapter.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err != nil {
 		t.Fatalf("CreatePreLogin: %v", err)
 	}
@@ -322,7 +322,7 @@ func TestPreLoginAdapter_LookupAndConsume_DecryptKeyFailure(t *testing.T) {
 	corruptedKey.KeyMaterialEncrypted = []byte{0x03, 0x00, 0x01, 0x02} // bogus v3
 	corruptedKeys := newStubSigningKeyLookup(&corruptedKey)
 	consumeAdapter := NewPreLoginAdapter(repo, corruptedKeys, "t-default", "passphrase-set")
-	_, _, _, _, err = consumeAdapter.LookupAndConsume(context.Background(), cookie)
+	_, _, _, _, _, _, err = consumeAdapter.LookupAndConsume(context.Background(), cookie)
 	if !errors.Is(err, ErrPreLoginNotFound) {
 		t.Errorf("err = %v, want ErrPreLoginNotFound (decrypt failure → uniform sentinel)", err)
 	}
@@ -336,7 +336,7 @@ func TestPreLoginAdapter_LookupAndConsume_HMACMismatch(t *testing.T) {
 	createKey := activeKeyForTest(t, "sk-1")
 	createKeys := newStubSigningKeyLookup(createKey)
 	createAdapter := NewPreLoginAdapter(repo, createKeys, "t-default", "")
-	cookie, _, err := createAdapter.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	cookie, _, err := createAdapter.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err != nil {
 		t.Fatalf("CreatePreLogin: %v", err)
 	}
@@ -349,7 +349,7 @@ func TestPreLoginAdapter_LookupAndConsume_HMACMismatch(t *testing.T) {
 	swapped.KeyMaterialEncrypted = swappedMaterial
 	swappedKeys := newStubSigningKeyLookup(&swapped)
 	consumeAdapter := NewPreLoginAdapter(repo, swappedKeys, "t-default", "")
-	_, _, _, _, err = consumeAdapter.LookupAndConsume(context.Background(), cookie)
+	_, _, _, _, _, _, err = consumeAdapter.LookupAndConsume(context.Background(), cookie)
 	if !errors.Is(err, ErrPreLoginNotFound) {
 		t.Errorf("err = %v, want ErrPreLoginNotFound (HMAC mismatch)", err)
 	}
@@ -368,7 +368,7 @@ func TestPreLoginAdapter_LookupAndConsume_RepoNotFound(t *testing.T) {
 	plID := "pl-orphan-id"
 	cookie := session.SignCookieValue(plID, keys.active.ID, hmacKey)

-	_, _, _, _, err := a.LookupAndConsume(context.Background(), cookie)
+	_, _, _, _, _, _, err := a.LookupAndConsume(context.Background(), cookie)
 	if !errors.Is(err, ErrPreLoginNotFound) {
 		t.Errorf("err = %v, want ErrPreLoginNotFound (repo miss)", err)
 	}
@@ -378,12 +378,12 @@ func TestPreLoginAdapter_LookupAndConsume_RepoExpired(t *testing.T) {
 	repo := newStubPreLoginRepo()
 	keys := newStubSigningKeyLookup(activeKeyForTest(t, "sk-1"))
 	a := NewPreLoginAdapter(repo, keys, "t-default", "")
-	cookie, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	cookie, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err != nil {
 		t.Fatalf("CreatePreLogin: %v", err)
 	}
 	repo.expireOnNext = true
-	_, _, _, _, err = a.LookupAndConsume(context.Background(), cookie)
+	_, _, _, _, _, _, err = a.LookupAndConsume(context.Background(), cookie)
 	if !errors.Is(err, ErrPreLoginNotFound) {
 		t.Errorf("err = %v, want ErrPreLoginNotFound (expired → uniform sentinel)", err)
 	}
@@ -393,13 +393,13 @@ func TestPreLoginAdapter_LookupAndConsume_RepoOtherError(t *testing.T) {
 	repo := newStubPreLoginRepo()
 	keys := newStubSigningKeyLookup(activeKeyForTest(t, "sk-1"))
 	a := NewPreLoginAdapter(repo, keys, "t-default", "")
-	cookie, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v")
+	cookie, _, err := a.CreatePreLogin(context.Background(), "op-x", "s", "n", "v", "", "")
 	if err != nil {
 		t.Fatalf("CreatePreLogin: %v", err)
 	}
 	// Inject a non-NotFound, non-Expired error to exercise the wrap branch.
 	repo.wrappedErr = errors.New("postgres dropped connection")
-	_, _, _, _, err = a.LookupAndConsume(context.Background(), cookie)
+	_, _, _, _, _, _, err = a.LookupAndConsume(context.Background(), cookie)
 	if errors.Is(err, ErrPreLoginNotFound) {
 		t.Error("err must NOT be ErrPreLoginNotFound for non-sentinel repo failure")
 	}
@@ -412,11 +412,11 @@ func TestPreLoginAdapter_LookupAndConsume_HappyPath(t *testing.T) {
 	repo := newStubPreLoginRepo()
 	keys := newStubSigningKeyLookup(activeKeyForTest(t, "sk-1"))
 	a := NewPreLoginAdapter(repo, keys, "t-default", "")
-	cookie, _, err := a.CreatePreLogin(context.Background(), "op-okta", "the-state-42", "the-nonce-42", "the-verifier-42")
+	cookie, _, err := a.CreatePreLogin(context.Background(), "op-okta", "the-state-42", "the-nonce-42", "the-verifier-42", "", "")
 	if err != nil {
 		t.Fatalf("CreatePreLogin: %v", err)
 	}
-	pid, st, nn, vf, err := a.LookupAndConsume(context.Background(), cookie)
+	pid, st, nn, vf, _, _, err := a.LookupAndConsume(context.Background(), cookie)
 	if err != nil {
 		t.Fatalf("LookupAndConsume: %v", err)
 	}
@@ -425,7 +425,7 @@ func TestPreLoginAdapter_LookupAndConsume_HappyPath(t *testing.T) {
 	}

 	// Single-use: second consume returns ErrPreLoginNotFound.
-	_, _, _, _, err = a.LookupAndConsume(context.Background(), cookie)
+	_, _, _, _, _, _, err = a.LookupAndConsume(context.Background(), cookie)
 	if !errors.Is(err, ErrPreLoginNotFound) {
 		t.Errorf("second consume err = %v, want ErrPreLoginNotFound (single-use violated)", err)
 	}