#2503 Kojiweb not redirecting properly when behind SSO
Closed: Fixed 2 years ago by tkopecek. Opened 2 years ago by alexi.

I'm trying to set up Koji behind an apache web server with OIDC authentication and I've discovered a bug in Koji.

The relevant bits of the apache configuration are configured as follows:

 <Location "/login">
    Require claim cern_roles:users
    AuthType openid-connect

  <Location "/redirect_uri">
    Require claim cern_roles:users
    AuthType openid-connect

OIDCRedirectURI https://kojitest.cern.ch/redirect_uri

When a user goes to https://kojitest.cern.ch/login without a valid oidc session cookie, they're sent to our SSO server to log in. Once they do, the SSO server redirects them back to https://kojitest.cern.ch/redirect_uri with the application token and the user's information. The HTTP_REFERER at this point is the SSO auth server, as would be expected.

/redirect_uri sets the oidc cookies and then redirects to /login. Crucially, the referer is maintained to the previous value, so pointing to the SSO auth server. I haven't dug too deep into this bit, but it seems that whether a 302 redirect should maintain the original referer or not in undefined in the standard. Regardless, the latest versions of Chrome and Firefox seem to maintain it.

When the user gets back to /login, this time with a valid oidc cookie, Koji sees the REMOTE_USER the SSO has provided and sets the user cookie. The issue is that now it will try to redirect the user back to where they came from before going to /login. For this, it ends up using the HTTP_REFERER header, which now points to the SSO auth server.

The SSO auth server sees the session cookie is valid and sends the client back to /login, which redirects back to the SSO server, etc. etc. This continues until the browser gives up and displays an error.

Here's a screenshot of this in action:

Here are the relevant headers of the highlighted request:

GET /login HTTP/1.1
Host: kojitest.cern.ch
Referer: https://auth.cern.ch/....
Cookie: mod_auth_openidc_session=...

And the response:

HTTP/1.1 302 Found
Location: https://auth.cern.ch/...
Set-Cookie: user=...

While I've only noticed this now that we're migrating to oidc, it was also happening before with Shibboleth. The reason why it wasn't apparent is because after the first redirect back to the auth server, the auth server would see that the session cookie was valid and it would redirect to https://kojitest.cern.ch instead of back to the referer as our oidc auth server does.

Metadata Update from @tkopecek:
- Custom field Size adjusted to None
- Issue set to the milestone: 1.23.1

2 years ago

Metadata Update from @jcupova:
- Issue tagged with: testing-ready

2 years ago

Metadata Update from @tkopecek:
- Issue untagged with: testing-ready
- Issue tagged with: no_qe

2 years ago

Login to comment on this ticket.

Attachments 1
Related Pull Requests
  • #2504 Merged 2 years ago