gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 05:58:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

harden(oidc): pre-login UA/IP binding (MED-16) — RFC 9700 §4.7.1

Browse Source 
Audit 2026-05-10 MED-16 closure.

WHAT.

Binds the OIDC pre-login row to the (clientIP, userAgent) tuple of
the /auth/oidc/login request, and enforces a constant-time compare
against the /auth/oidc/callback request at consume time. Defeats
replay of a stolen pre-login cookie by a different browser /
source — the secondary defense layer recommended by RFC 9700 §4.7.1
when the primary layer (HMAC integrity + Path=/ + SameSite=Lax on
the cookie) is bypassed via CSRF / XSS / TLS-termination leak.

WHY.

Pre-fix, the pre-login cookie's HMAC verified only that 'some'
caller of /auth/oidc/login was talking to /auth/oidc/callback; it
did not verify that the SAME browser / source was on both sides.
An attacker who exfiltrated the cookie value via any vector could
replay the bytes through their own user-agent and ride the victim's
authorization. RFC 9700 §4.7.1 calls out the gap explicitly and
recommends binding state to a user-agent fingerprint + source IP.

HOW.

Migration:
  migrations/000044_prelogin_uaip.up.sql
    ALTER TABLE oidc_pre_login_sessions
      ADD COLUMN IF NOT EXISTS client_ip   TEXT,
      ADD COLUMN IF NOT EXISTS user_agent  TEXT;
  Both nullable for in-flight rolling-deploy compat — the consume-
  side check only enforces when both row AND request carry non-empty
  values for the leg in question.

Domain:
  internal/repository/oidc.go (PreLoginSession) — adds ClientIP +
    UserAgent fields.

Repository:
  internal/repository/postgres/oidc_prelogin.go — Create persists
    via sql.NullString (empty → NULL); LookupAndConsume reads back.
    Re-uses package-local nullableString from discovery.go.

Service:
  internal/auth/oidc/service.go
    - PreLoginStore.CreatePreLogin signature takes (clientIP,
      userAgent) as positions 5–6.
    - PreLoginStore.LookupAndConsume returns (clientIP, userAgent)
      as positions 5–6.
    - HandleAuthRequest signature gains (clientIP, userAgent),
      threaded to the store.
    - HandleCallback adds Step 1.5 — UA / IP constant-time compare
      between stored row and incoming request. Per-leg toggles via
      preLoginRequireUA / preLoginRequireIP service fields. Empty
      values on either side pass through (rolling-deploy + headless-
      proxy compat).
    - New sentinels ErrPreLoginUAMismatch, ErrPreLoginIPMismatch.
    - SetPreLoginBindingRequirements(requireUA, requireIP) helper
      for main.go config wiring.

Adapter:
  internal/auth/oidc/prelogin.go — PreLoginAdapter passes the new
    fields through to the repo row.

Handler:
  internal/api/handler/auth_session_oidc.go
    - OIDCAuthHandshaker.HandleAuthRequest signature updated.
    - LoginInitiate captures clientIPFromRequest + r.UserAgent()
      and passes to the service.
    - classifyOIDCFailure adds errors.Is dispatch for the two new
      sentinels → prelogin_ua_mismatch / prelogin_ip_mismatch
      audit categories.

Config:
  internal/config/config.go
    + AuthConfig.OIDCPreLoginRequireUA (default true)
      env CERTCTL_OIDC_PRELOGIN_REQUIRE_UA
    + AuthConfig.OIDCPreLoginRequireIP (default true)
      env CERTCTL_OIDC_PRELOGIN_REQUIRE_IP
  cmd/server/main.go calls oidcService.SetPreLoginBindingRequirements
    from cfg.Auth.OIDCPreLoginRequire{UA,IP}.

Tests (internal/auth/oidc/service_test.go):
  - TestService_HandleCallback_MED16_UAMismatchRejected
  - TestService_HandleCallback_MED16_IPMismatchRejected
  - TestService_HandleCallback_MED16_BothMatch_Succeeds
  - TestService_HandleCallback_MED16_LegacyRowEmptyValues  (rolling-
    deploy compat — empty stored values pass through)
  - TestService_HandleCallback_MED16_RequireUAFalse_AllowsMismatch
    (operator escape-hatch — UA mismatch silently allowed)

Mechanical fan-out:
  - stubPreLogin / stubPreLoginRepo signatures updated.
  - All existing call sites in service_test.go (~40), prelogin_test.go,
    bench_test.go, logging_test.go, provider_enabled_test.go,
    integration_keycloak_test.go, integration_okta_smoke_test.go,
    auth_session_oidc_test.go updated to pass empty strings for the
    new params — pre-existing tests do not exercise UA/IP binding
    semantics.

VERIFY.

- go vet ./internal/auth/oidc/... ./internal/api/handler/...
  ./internal/config/...                                       PASS
- go test -short -count=1 -run MED16 ./internal/auth/oidc/... PASS (5/5)
- go test -short -count=1 ./internal/auth/oidc/...            PASS (4.6s)
- go test -short -count=1 ./internal/api/handler/...          PASS (4.3s)
- go test -short -count=1 ./internal/config/...               PASS

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-16
      cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 6
      RFC 9700 §4.7.1 — OAuth 2.0 Security Best Current Practice
This commit is contained in:
shankar0123
2026-05-10 23:18:23 +00:00
parent ecef8295bb
commit cb73547af5
18 changed files with 441 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/oidc/prelogin.go
+18 -10
View File
@@ -87,9 +87,12 @@ func (a *PreLoginAdapter) SetRandReaderForTest(r func([]byte) (int, error)) {
// value under the active SessionSigningKey, persists the row, and
// returns the cookie value + the row id.
//
// Audit 2026-05-10 MED-16 — clientIP + userAgent are persisted into
// the row for the callback-time UA/IP binding check.
//
// Implements the Phase 3 OIDCService.PreLoginStore.CreatePreLogin
// interface signature.
func (a *PreLoginAdapter) CreatePreLogin(ctx context.Context, providerID, state, nonce, verifier string) (cookieValue, sessionID string, err error) {
func (a *PreLoginAdapter) CreatePreLogin(ctx context.Context, providerID, state, nonce, verifier, clientIP, userAgent string) (cookieValue, sessionID string, err error) {
active, err := a.keys.GetActive(ctx, a.tenantID)
if err != nil {
return "", "", fmt.Errorf("pre-login: get active signing key: %w", err)
@@ -110,6 +113,8 @@ func (a *PreLoginAdapter) CreatePreLogin(ctx context.Context, providerID, state,
State: state,
Nonce: nonce,
PKCEVerifier: verifier,
ClientIP: clientIP,
UserAgent: userAgent,
}
if err := a.repo.Create(ctx, row); err != nil {
return "", "", fmt.Errorf("pre-login: persist row: %w", err)
@@ -132,25 +137,28 @@ func (a *PreLoginAdapter) CreatePreLogin(ctx context.Context, providerID, state,
// - Row found but past 10-minute TTL -> ErrPreLoginExpired (row is
// deleted at the repo layer regardless).
//
// Audit 2026-05-10 MED-16 — also returns the row's stored clientIP +
// userAgent so the service-layer caller can enforce the UA/IP binding.
//
// Implements the Phase 3 OIDCService.PreLoginStore.LookupAndConsume
// interface signature.
func (a *PreLoginAdapter) LookupAndConsume(ctx context.Context, cookieValue string) (providerID, state, nonce, verifier string, err error) {
func (a *PreLoginAdapter) LookupAndConsume(ctx context.Context, cookieValue string) (providerID, state, nonce, verifier, clientIP, userAgent string, err error) {
plID, signingKeyID, providedHMAC, perr := session.ParseCookieValue(cookieValue, "pl-")
if perr != nil {
return "", "", "", "", ErrPreLoginNotFound
return "", "", "", "", "", "", ErrPreLoginNotFound
}
signingKey, kerr := a.keys.Get(ctx, signingKeyID)
if kerr != nil {
return "", "", "", "", ErrPreLoginNotFound
return "", "", "", "", "", "", ErrPreLoginNotFound
}
hmacKey, derr := session.DecryptKeyMaterial(signingKey.KeyMaterialEncrypted, a.encryptionKey)
if derr != nil {
return "", "", "", "", ErrPreLoginNotFound
return "", "", "", "", "", "", ErrPreLoginNotFound
}
expectedHMAC := session.ComputeCookieHMAC(plID, signingKeyID, hmacKey)
if subtle.ConstantTimeCompare(expectedHMAC, providedHMAC) != 1 {
return "", "", "", "", ErrPreLoginNotFound
return "", "", "", "", "", "", ErrPreLoginNotFound
}
row, lerr := a.repo.LookupAndConsume(ctx, plID)
@@ -159,15 +167,15 @@ func (a *PreLoginAdapter) LookupAndConsume(ctx context.Context, cookieValue stri
// the OIDC service consumes; the audit row distinguishes via
// the wrapped error from the repo (which the handler logs).
if errors.Is(lerr, repository.ErrPreLoginNotFound) {
return "", "", "", "", ErrPreLoginNotFound
return "", "", "", "", "", "", ErrPreLoginNotFound
}
if errors.Is(lerr, repository.ErrPreLoginExpired) {
return "", "", "", "", ErrPreLoginNotFound
return "", "", "", "", "", "", ErrPreLoginNotFound
}
return "", "", "", "", fmt.Errorf("pre-login: lookup_and_consume: %w", lerr)
return "", "", "", "", "", "", fmt.Errorf("pre-login: lookup_and_consume: %w", lerr)
}
return row.OIDCProviderID, row.State, row.Nonce, row.PKCEVerifier, nil
return row.OIDCProviderID, row.State, row.Nonce, row.PKCEVerifier, row.ClientIP, row.UserAgent, nil
}
// newID returns `pl-<base64url-no-pad>` with 16 bytes of entropy.