Comments (6)
> @JPFrancoia thank you for sharing your workaround, I also thought about it but decided to avoid it, because usually the state is just a CSRF token which is coming from the frontend side, and when we customize this, we can break the default behavior of the frameworks.

In my case the state is entirely controlled by the backend, the frontend just triggers the flow, but I get your point.

> and for sharing data between different PODs, your implementation should be based not on the default cookie store, but on the Redis key-value storage, for example.

Yep, makes sense. Another pro for using the state parameter in my case, because then I don't really need the store and I can just rely on the data in the request. Right now I have my backend running with 3 replicas and it works.

from goth.
Also faced this problem with the same use case.

> I believe at this point the content of the session is overwritten? Does the call to StoreInSession wipe out the relevant info?

Yes, you are right, just have a look: https://github.com/markbates/goth/blob/master/gothic/gothic.go#L311-L312

I tried a lot of ways to find a workaround but found nothing. And finally, I found the moment when it was possibly broken: #217

PS: Looks like it can be reached only with a custom Store.

from goth.
I ultimately found a solution to this problem. I'm not sure it's pretty though.

With the OAuth flow, there is a state parameter that is used to prevent attacks by making the URL hard to guess: https://auth0.com/docs/secure/attack-protection/state-parameters. It's basically a random string.

I'm kinda hijacking that at the moment:

```go
...
// Add any data to the state, we can decode this data later in the auth callback.
// - add is_web (bool) to check if the client is a web browser
authState := AuthState{IsWeb: loginQuery.IsWeb, Rand: generateRandomState()}
q.Add("state", authState.ToStateString())
c.Request.URL.RawQuery = q.Encode()
logger.Debug("Starting auth flow")
url, err := gothic.GetAuthURL(c.Writer, c.Request)
if err != nil {
	c.AbortWithError(http.StatusInternalServerError, err)
	return // without this, the redirect below would still run after the error response
}
logger.Debug("Auth url generated, redirecting")
c.Redirect(http.StatusFound, url)
```

This can be later decoded in the auth callback. From what I understand, the only thing to watch out for is that the state parameter is still random and unguessable, but technically it's possible to shove some custom data in there.

I'd be happy to see a better solution though. Also, if the session approach can be fixed, I'd have one question: how does the session work in the case where my app is deployed on Kubernetes with several replicas? Is the session stored in each replica?

from goth.
@JPFrancoia thank you for sharing your workaround, I also thought about it but decided to avoid it, because usually the state is just a CSRF token which is coming from the frontend side, and when we customize this, we can break the default behavior of the frameworks.

But anyway, I think your solution is totally legal (because you include the random string in your state object too), because Google, for example, says that the state parameter can be used for saving application custom data.

> how does the session work in the case where my app is deployed on Kubernetes with several replicas?

I think, to cover these needs, you should implement your own Store and set it directly this way:

```go
gothic.Store = redisStore
```

and for sharing data between different PODs, your implementation should be based not on the default cookie store, but on the Redis key-value storage, for example.

from goth.
How do you know the state you get back is the state value you sent?
from goth.
I don't, but in my case I don't care. I'm just storing the is_web flag in the state. It's used for displaying behaviour. If someone decides to mess around with it, the only thing they'll achieve is getting a bad display.

from goth.
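The two threads above, the workaround of carrying custom data in the state parameter and the question of how the callback knows the state it receives is the one it issued to this browser, can be handled together. The following is an added example written for this page; it is not code from the thread, from JPFrancoia, or from goth. The custom payload (`is_web`, a random component, an expiry) is serialised and authenticated with an HMAC keyed on a server secret and on a per-browser nonce that the backend sets as a short-lived cookie when it starts the flow. The callback recomputes the MAC from the cookie's nonce, so a state minted for another browser, a tampered payload, or a stale state is rejected before any of its contents is trusted. `AuthState`, `MintState`, `VerifyState`, `TamperIsWeb`, the cookie nonce and the demo key are all assumptions of this example; the goth calls (`gothic.GetAuthURL` and the callback handler) are left out so it runs offline. Because verification needs only the shared key and what arrives in the request, it does not depend on a session Store shared between replicas.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuthState is the custom data carried inside the OAuth state parameter. The
// shape is an assumption of this example, not the type from the comment above.
type AuthState struct {
	IsWeb bool   `json:"is_web"`
	Rand  string `json:"rand"` // random bytes keep the state unguessable
	Exp   int64  `json:"exp"`  // unix seconds after which the state is stale
}

// ErrBadState covers every verification failure; do not tell clients which one.
var ErrBadState = errors.New("state: invalid, expired, or not issued for this browser")
var b64 = base64.RawURLEncoding

func randomToken(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is not something to recover from here
	}
	return b64.EncodeToString(b)
}

// stateMAC binds the payload to one browser: the nonce lives only in that
// browser's cookie, so a MAC computed with any other nonce will not match.
func stateMAC(key []byte, browserNonce string, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(browserNonce))
	m.Write([]byte{'.'})
	m.Write(payload)
	return m.Sum(nil)
}

// MintState produces the "state" query value. browserNonce is a fresh random
// value the backend also sets as a short-lived HttpOnly cookie before redirecting.
// Wire format: base64url(JSON payload) "." base64url(HMAC-SHA256).
func MintState(key []byte, browserNonce string, isWeb bool, now time.Time, ttl time.Duration) (string, error) {
	payload, err := json.Marshal(AuthState{IsWeb: isWeb, Rand: randomToken(16), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(stateMAC(key, browserNonce, payload)), nil
}

// VerifyState checks the state the provider sent back against the nonce read
// from the browser's cookie; the MAC is checked before the payload is parsed.
func VerifyState(key []byte, browserNonce, state string, now time.Time) (AuthState, error) {
	var st AuthState
	parts := strings.SplitN(state, ".", 2)
	if len(parts) != 2 {
		return st, ErrBadState
	}
	payload, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !hmac.Equal(sig, stateMAC(key, browserNonce, payload)) {
		return st, ErrBadState // hmac.Equal is constant-time
	}
	if err := json.Unmarshal(payload, &st); err != nil || now.Unix() > st.Exp {
		return AuthState{}, ErrBadState
	}
	return st, nil
}

// TamperIsWeb flips is_web in the payload but keeps the original MAC, standing
// in for a client that edits the state before the callback arrives.
func TamperIsWeb(state string) string {
	parts := strings.SplitN(state, ".", 2)
	payload, _ := b64.DecodeString(parts[0])
	alt := strings.Replace(string(payload), `"is_web":true`, `"is_web":false`, 1)
	return b64.EncodeToString([]byte(alt)) + "." + parts[1]
}

func main() {
	key := []byte("32-byte-demo-key-replace-in-prod") // constructed; load from secret storage and share across replicas
	now := time.Now()
	nonceA := randomToken(16) // would be set as a cookie on browser A when the flow starts
	state, _ := MintState(key, nonceA, true, now, 10*time.Minute)
	st, err := VerifyState(key, nonceA, state, now)
	fmt.Println("own state:", st.IsWeb, err)

	foreign, _ := MintState(key, randomToken(16), true, now, 10*time.Minute) // minted for another browser
	_, err = VerifyState(key, nonceA, foreign, now)
	fmt.Println("foreign state:", err)

	_, err = VerifyState(key, nonceA, TamperIsWeb(state), now)
	fmt.Println("tampered payload:", err)
}
```

In the flow from the comment above, `MintState` would take the place of `authState.ToStateString()`, with the nonce written as an HttpOnly, SameSite cookie before the redirect; in the callback, `VerifyState` runs with the cookie's nonce before anything in the state is read. Key rotation and cookie lifetime are left to the deployment.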