I'm trying to set up Koji behind an apache web server with OIDC authentication and I've discovered a bug in Koji.
The relevant bits of the apache configuration are configured as follows:
```apache
<Location "/login">
    Require claim cern_roles:users
    AuthType openid-connect
</Location>

<Location "/redirect_uri">
    Require claim cern_roles:users
    AuthType openid-connect
</Location>

OIDCRedirectURI https://kojitest.cern.ch/redirect_uri
```
When a user goes to https://kojitest.cern.ch/login without a valid oidc session cookie, they're sent to our SSO server to log in. Once they do, the SSO server redirects them back to https://kojitest.cern.ch/redirect_uri with the application token and the user's information. The HTTP_REFERER at this point is the SSO auth server, as would be expected.
/redirect_uri sets the oidc cookies and then redirects to /login. Crucially, the referer is maintained at the previous value, so it still points to the SSO auth server. I haven't dug too deep into this bit, but it seems that whether a 302 redirect should maintain the original referer or not is undefined in the standard. Regardless, the latest versions of Chrome and Firefox seem to maintain it.
When the user gets back to /login, this time with a valid oidc cookie, Koji sees the REMOTE_USER the SSO has provided and sets the user cookie. The issue is that now it will try to redirect the user back to where they came from before going to /login. For this, it ends up using the HTTP_REFERER header, which now points to the SSO auth server.
The SSO auth server sees the session cookie is valid and sends the client back to /login, which redirects back to the SSO server, etc. etc. This continues until the browser gives up and displays an error.
Here's a screenshot of this in action: https://i.imgur.com/pmycSK4.png
Here are the relevant headers of the highlighted request:
```http
GET /login HTTP/1.1
Host: kojitest.cern.ch
Referer: https://auth.cern.ch/....
Cookie: mod_auth_openidc_session=...
```
And the response:
```http
HTTP/1.1 302 Found
Location: https://auth.cern.ch/...
Set-Cookie: user=...
```
While I've only noticed this now that we're migrating to oidc, it was also happening before with Shibboleth. The reason it wasn't apparent is that after the first redirect back to the auth server, the auth server would see that the session cookie was valid and would redirect to https://kojitest.cern.ch instead of back to the referer, as our oidc auth server does.
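As an added illustration (not Koji's code, and not the fix in commit a09cacc), here is one defensive way a /login handler can pick its post-login destination so that a referer pointing at the SSO host, or at the auth endpoints themselves, can never start the loop described above: the referer is only honoured when it is same-origin and not an auth path, otherwise the handler falls back to a fixed default. `AUTH_PATHS`, `safe_return_url` and `login_response` are hypothetical names, and the WSGI-style environ dicts are constructed inputs.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical: paths that must never be a post-login destination, because
# landing on them restarts the SSO round trip (mirrors the Apache config above).
AUTH_PATHS = ("/login", "/redirect_uri")


def safe_return_url(referer, request_host, default="/"):
    """Return a same-origin, non-auth path derived from the Referer header,
    or `default` when the referer is missing, cross-origin or an auth endpoint."""
    if not referer:
        return default
    parts = urlsplit(referer)
    # Referer is always absolute, so a missing/odd scheme is not trustworthy.
    # A cross-origin host (e.g. the SSO server after the OIDC callback) is
    # exactly what produced the /login <-> SSO loop; never follow it.
    if parts.scheme not in ("http", "https"):
        return default
    if parts.netloc.lower() != request_host.lower():
        return default
    path = parts.path or "/"
    # Same host but an auth endpoint: also a loop, so fall back to default.
    if path.rstrip("/") in AUTH_PATHS:
        return default
    # Emit only path + query (no scheme/host) so the redirect stays relative
    # to this application and cannot become an open redirect.
    return urlunsplit(("", "", path, parts.query, ""))


def login_response(environ, default="/"):
    """Minimal stand-in for a /login handler: once the auth layer has set
    REMOTE_USER, answer 302 to a validated return URL; otherwise 401."""
    if not environ.get("REMOTE_USER"):
        return 401, None
    target = safe_return_url(environ.get("HTTP_REFERER"),
                             environ["HTTP_HOST"], default)
    return 302, target


if __name__ == "__main__":
    # Constructed request: the looping case from the report, referer = SSO.
    env = {"HTTP_HOST": "kojitest.cern.ch", "REMOTE_USER": "alice",
           "HTTP_REFERER": "https://auth.cern.ch/realms/cern/openid-connect/auth"}
    print(login_response(env))  # (302, '/') instead of bouncing back to the SSO
```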
Metadata Update from @tkopecek:
- Custom field Size adjusted to None
- Issue set to the milestone: 1.23.1

Metadata Update from @jcupova:
- Issue tagged with: testing-ready
PR #2504
Metadata Update from @tkopecek:
- Issue untagged with: testing-ready
- Issue tagged with: no_qe
Commit a09cacc fixes this issue