Callback handles GET /api/v1/auth/oidc/callback.
(w http.ResponseWriter, r *http.Request)
| 147 | |
| 148 | // Callback handles GET /api/v1/auth/oidc/callback. |
| 149 | func (h *OidcHandler) Callback(w http.ResponseWriter, r *http.Request) { |
| 150 | h.clientMu.RLock() |
| 151 | client := h.client |
| 152 | h.clientMu.RUnlock() |
| 153 | |
| 154 | if client == nil { |
| 155 | http.Redirect(w, r, "/login?error=OIDC+not+enabled", http.StatusFound) |
| 156 | return |
| 157 | } |
| 158 | q := r.URL.Query() |
| 159 | code := q.Get("code") |
| 160 | state := q.Get("state") |
| 161 | errParam := q.Get("error") |
| 162 | if errParam != "" { |
| 163 | if h.log != nil { |
| 164 | h.log.Error("oidc idp error", "error", errParam, "description", q.Get("error_description")) |
| 165 | } |
| 166 | http.Redirect(w, r, "/login?error=Authentication+failed", http.StatusFound) |
| 167 | return |
| 168 | } |
| 169 | if state == "" { |
| 170 | if h.log != nil { |
| 171 | h.log.Error("oidc callback missing state") |
| 172 | } |
| 173 | http.Redirect(w, r, "/login?error=Invalid+authentication+response", http.StatusFound) |
| 174 | return |
| 175 | } |
| 176 | if code == "" { |
| 177 | if h.log != nil { |
| 178 | h.log.Error("oidc callback missing code") |
| 179 | } |
| 180 | http.Redirect(w, r, "/login?error=Invalid+authentication+response", http.StatusFound) |
| 181 | return |
| 182 | } |
| 183 | // Double-submit cookie check: the oidc_state cookie MUST be present and match. |
| 184 | // A missing cookie used to be accepted (only mismatches were rejected), which |
| 185 | // allowed a login-CSRF / forced-login attack where an attacker who captured a |
| 186 | // valid state+code pair could trick a victim (whose browser has no oidc_state |
| 187 | // cookie for this flow) into completing the callback and getting auth cookies |
| 188 | // for the attacker's account. We now require cookie presence AND a match, in |
| 189 | // addition to the server-side state store GetAndDelete below. |
| 190 | cookieState, _ := r.Cookie("oidc_state") |
| 191 | if cookieState == nil { |
| 192 | if h.log != nil { |
| 193 | h.log.Error("oidc state cookie missing", "state_present", state != "") |
| 194 | } |
| 195 | http.Redirect(w, r, "/login?error=Invalid+authentication+response", http.StatusFound) |
| 196 | return |
| 197 | } |
| 198 | if cookieState.Value != state { |
| 199 | if h.log != nil { |
| 200 | h.log.Error("oidc state mismatch") |
| 201 | } |
| 202 | http.Redirect(w, r, "/login?error=Invalid+authentication+response", http.StatusFound) |
| 203 | return |
| 204 | } |
| 205 | sessionData, err := h.oidcStore.GetAndDelete(r.Context(), state) |
| 206 | if err != nil || sessionData == nil { |
nothing calls this directly
no test coverage detected