Validate that the "/web/sso_confirm" redirect URL is only used for MFA ceremonies #56006
Merged
…so/redirector.go
* Replace binary ssoTestFlow boolean with ceremony type to incorporate MFA ceremonies
* Validate that "/web/sso_confirm" is only used for MFA ceremonies
zmb3
reviewed
Jun 23, 2025
Collaborator
zmb3
left a comment
Should we also move the tests to redirector_test.go?
zmb3
reviewed
Jun 23, 2025
    }
    if q, err := url.ParseQuery(u.RawQuery); err != nil {
        return trace.Wrap(err, "parsing query in client redirect URL")
    } else if len(q) != 1 || len(q["secret_key"]) != 1 {
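Review bot: the `else if len(q) != 1 || len(q["secret_key"]) != 1` line is an exclusive allow-list (exactly one query parameter, and it must be a single `secret_key`), so any redirect that is routed around it, such as the web MFA path that the author says does not use `secret_key`, should receive an equivalent exclusive check on its own parameter rather than no query validation at all; the later commit titled "Require channel_id as exclusive query parameter for sso mfa web redirect" has the right shape for that. Keeping the `err != nil` branch ahead of the length check, as done here, also matters because `url.ParseQuery` returns a partially populated map together with the first error it hits.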
Collaborator
Is it correct that the secret_key query parameter doesn't need to be validated for SSO MFA?
Contributor
Author
Yes, the secret_key is not used for the web SSO MFA flow. For non web SSO flows, the secret_key is required on the server side to encode the response:
Lines 2333 to 2348 in e71690a
If a non-web client tried to abuse this by setting the path to /web/sso_confirm and not setting a secret_key, it would fail thanks to the previous fix enforcing the use of a relative URL on the server side.
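The partitioning described in this thread and in the PR description (secret_key as the exclusive query parameter for non-web flows, "/web/sso_confirm" reserved for MFA ceremonies with channel_id as its exclusive parameter, and a relative URL for that web path), written out as an added Go example. This is illustration code, not Teleport's ValidateClientRedirect: the CeremonyType names, the sentinel error values, and the precise form of the relative-URL rule (empty scheme and empty host) are assumptions drawn from the comments above, not the project's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// CeremonyType identifies which SSO flow is requesting the client redirect.
// The names are assumptions for this example, not Teleport's own identifiers.
type CeremonyType string

const (
	CeremonyTypeLogin CeremonyType = "login" // SSO login from a non-web client
	CeremonyTypeTest  CeremonyType = "test"  // SSO connector test flow
	CeremonyTypeMFA   CeremonyType = "mfa"   // SSO used as an MFA check
)

// webMFARedirectPath is the web UI path reserved for SSO MFA ceremonies.
const webMFARedirectPath = "/web/sso_confirm"

// Sentinel errors so callers and tests can distinguish the failure modes.
var (
	ErrWrongCeremony = errors.New("redirect path is reserved for SSO MFA ceremonies")
	ErrNotRelative   = errors.New("web MFA redirect must be a relative URL")
	ErrBadQuery      = errors.New("unexpected query parameters in client redirect URL")
)

// ValidateClientRedirect enforces the partitioning discussed in the thread:
//   - "/web/sso_confirm" may only be used by MFA ceremonies, must be a
//     relative URL (no scheme, no host) and must carry exactly one channel_id.
//   - every other redirect must carry exactly one secret_key, the key the
//     server needs to encode the response for non-web clients.
func ValidateClientRedirect(redirect string, ceremony CeremonyType) error {
	u, err := url.Parse(redirect)
	if err != nil {
		return fmt.Errorf("parsing client redirect URL: %w", err)
	}
	// ParseQuery returns a partial map alongside the first error, so the
	// error is checked before the map is trusted.
	q, err := url.ParseQuery(u.RawQuery)
	if err != nil {
		return fmt.Errorf("parsing query in client redirect URL: %w", err)
	}

	if u.Path == webMFARedirectPath {
		if ceremony != CeremonyTypeMFA {
			return ErrWrongCeremony
		}
		// A scheme-relative URL such as //host/web/sso_confirm parses with an
		// empty scheme but a non-empty host, so both fields are checked.
		if u.Scheme != "" || u.Host != "" {
			return ErrNotRelative
		}
		if len(q) != 1 || len(q["channel_id"]) != 1 {
			return fmt.Errorf("%w: want exactly one channel_id", ErrBadQuery)
		}
		return nil
	}

	if len(q) != 1 || len(q["secret_key"]) != 1 {
		return fmt.Errorf("%w: want exactly one secret_key", ErrBadQuery)
	}
	return nil
}

func main() {
	// Constructed sample inputs, one per rule; values are made up for the demo.
	cases := []struct {
		redirect string
		ceremony CeremonyType
	}{
		{"/web/sso_confirm?channel_id=c1", CeremonyTypeMFA},
		{"/web/sso_confirm?channel_id=c1", CeremonyTypeLogin},
		{"//other.example/web/sso_confirm?channel_id=c1", CeremonyTypeMFA},
		{"http://127.0.0.1:8080/callback?secret_key=k1", CeremonyTypeLogin},
		{"http://127.0.0.1:8080/callback", CeremonyTypeLogin},
	}
	for _, c := range cases {
		fmt.Printf("%-48s %-6s -> %v\n", c.redirect, c.ceremony, ValidateClientRedirect(c.redirect, c.ceremony))
	}
}
```

The path check runs before the relativity check on purpose: a login or test ceremony pointed at the MFA path is rejected as the wrong ceremony regardless of how the URL is shaped, which is the "cannot even be attempted outside of MFA flows" property the PR description asks for.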
rosstimothy
approved these changes
Jun 25, 2025
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Contributor
Author
@hugoShaka @vapopov Friendly ping to review
vapopov
approved these changes
Jul 1, 2025
Joerger
added a commit
that referenced
this pull request
Jul 10, 2025
…A ceremonies (#56006)
* Move ValidateClientRedirect from lib/auth/github.go to lib/client/sso/redirector.go
* Replace binary ssoTestFlow boolean with ceremony type to incorporate MFA ceremonies
* Validate that "/web/sso_confirm" is only used for MFA ceremonies
* Address comments.
* Add warning comment; Update error message.
* Update/Add tests.
* Require channel_id as exclusive query parameter for sso mfa web redirect.
* Update lib/client/sso/redirector.go
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
This was referenced Jul 10, 2025
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jul 14, 2025
…A ceremonies (#56006) (#56648)
* Move ValidateClientRedirect from lib/auth/github.go to lib/client/sso/redirector.go
* Replace binary ssoTestFlow boolean with ceremony type to incorporate MFA ceremonies
* Validate that "/web/sso_confirm" is only used for MFA ceremonies
* Address comments.
* Add warning comment; Update error message.
* Update/Add tests.
* Require channel_id as exclusive query parameter for sso mfa web redirect.
* Update lib/client/sso/redirector.go
---------
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Follow up to #55398
This change does not have any known security impact, but it adds some better partitioning between SSO ceremony types to ensure that using the Web MFA specific redirect URL "/web/sso_confirm" can not even be attempted outside of MFA flows.
I also moved the function out of lib/auth/github.go to lib/client/sso/redirector.go since it is not github specific, and updated the comment for readability.