Skip to content

Fix the etcd PKCE AuthCode deserialization #1908

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sagikazarmark merged 2 commits into from
Jan 13, 2021
Merged

Fix the etcd PKCE AuthCode deserialization #1908

sagikazarmark merged 2 commits into from
Jan 13, 2021

Conversation

@bnu0
Copy link
Contributor

@bnu0 bnu0 commented Jan 5, 2021
edited
Loading

Overview

This change fixes a bug in the PKCE implementation when using etcd as the storage engine. As of v2.27.0, this combination is broken and a code_verifier cannot be used to request a token.

Specifically, you will get an errant error No PKCE flow started. Cannot check code_verifier error when requesting /token despite the fact that a code_challenge and code_challenge_method were indeed provided to /auth.

This PR also adds a PKCE AuthCode round-trip check to the storage conformance tests. Indeed that test fails on v2.27, and now it passes 🙏 .

What this PR does / why we need it

  • In CreateAuthCode, the etcd storage implementation uses fromStorageAuthCode() to convert a storage.AuthCode into the etcd variant.
  • In GetAuthCode, however, the implementation attempts to directly unmarshal the json into the storage.AuthCode without the etcd intermediate.
  • This is wrong! Specifically, the PKCE data is inline in the etcd AuthCode struct, but is nested in the storage.AuthCode struct.
  • So as a result, it kind of works because most fields line up, but the CodeChallenge is always the empty string.
  • Therefore, handlers.go:820 always gets codeChallengeFromStorage = "" and falls into the error condition.
  • This PR adds the toStorageAuthCode equivalent to correctly deserialize, and uses it.

Special notes for your reviewer

Enjoy! 💖

Does this PR introduce a user-facing change?

NONE

komapa
komapa approved these changes Jan 5, 2021
View reviewed changes
Copy link

@komapa komapa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bnu0
Copy link
Contributor Author

bnu0 commented Jan 5, 2021

CC @HEllRZA @sagikazarmark as participants in the original PKCE implementation over in #1784

sagikazarmark
sagikazarmark approved these changes Jan 13, 2021
View reviewed changes
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@sagikazarmark sagikazarmark added this to the v2.28.0 milestone Jan 13, 2021
@sagikazarmark sagikazarmark merged commit 1fbfaa9 into dexidp:master Jan 13, 2021
xtremerui pushed a commit to concourse/dex that referenced this pull request Mar 16, 2021
upstream dex release: v2.28.0
ef54461 
The official docker release for this release can be pulled from

```
ghcr.io/dexidp/dex:v2.28.0
```

**Features:**

- Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (dexidp#1773, @HEllRZA)
- Allow configuration of returned auth proxy header (dexidp#1839, @seuf)
- Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (dexidp#1902, @heidemn-faro)
- Added the possibility to activate lowercase for UPN-Strings (dexidp#1888, @VF-mbrauer)
- Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (dexidp#1948, @nabokihms)
- Add gomplate to the docker image (dexidp#1893, @nabokihms)
- Graceful shutdown (dexidp#1963, @nabokihms)
- Allow public clients created with API to have no client_secret (dexidp#1871, @spohner)

**Bugfixes:**

- Fix the etcd PKCE AuthCode deserialization (dexidp#1908, @bnu0)
- Fix garbage collection logging of device codes and device request (dexidp#1918, @nabokihms)
- Discovery endpoint contains updated claims and auth methods (dexidp#1951, @nabokihms)
- Return invalid_grant error if auth code is invalid or expired (dexidp#1952, @nabokihms)
- Return an error to auth requests with the "request" parameter (dexidp#1956, @nabokihms)

**Minor changes:**

- Change default themes to light/dark (dexidp#1858, @nabokihms)
- Various developer experience improvements
- Dependency upgrades
- Tons of small fixes and changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sagikazarmark sagikazarmark sagikazarmark approved these changes

+1 more reviewer

@komapa komapa komapa approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

kind/bug

Projects

None yet

Milestone

v2.28.0

Development

Successfully merging this pull request may close these issues.

3 participants

@bnu0 @komapa @sagikazarmark