author | Matthias Benkard <matthias.benkard@egym.de> | 2015-04-14 08:39:27 +0000 |
---|---|---|
committer | Matthias Andreas Benkard <code@mail.matthias.benkard.de> | 2015-04-23 21:55:02 +0200 |
commit | ba65cc50b7b468f0738398312a468ea413727bdc (patch) | |
tree | 19749bd8803a2f718013cf8901c04ea658f98731 /www/authenticate.pl | |
parent | faea34e5c94922645b337bdeb5db32871eb1fde9 (diff) |
QT-1900 Add a CSRF token to the OIDC login flow.
This improves security by generating a CSRF token, passing it to the
OIDC IdP, and validating it afterwards. The token is stored in
a cookie reverse-encrypted with MulkyID's private key.
Diffstat (limited to 'www/authenticate.pl')
-rwxr-xr-x | www/authenticate.pl | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/www/authenticate.pl b/www/authenticate.pl
index 3c865ac..b2bd43f 100755
--- a/www/authenticate.pl
+++ b/www/authenticate.pl
@@ -13,6 +13,8 @@ use CGI::Fast;
 use OIDC::Lite;
 use OIDC::Lite::Client::WebServer;
+use Bytes::Random::Secure qw(random_bytes_base64);
+
 do "common.pl";
 while (my $cgi = new CGI::Fast) {
@@ -35,18 +37,20 @@ while (my $cgi = new CGI::Fast) {
 authorize_uri => 'https://accounts.google.com/o/oauth2/auth',
 access_token_uri => 'https://accounts.google.com/o/oauth2/token'
 );
- # FIXME: Make `state` a unique, random session token! (Maybe a
- # signed, timestamped web token, so stateless?)
- print $cgi->redirect($oidc_client->uri_to_redirect(
- redirect_uri => reluri($cgi, 'login.pl'),
- scope => 'openid email',
- state => '',
- extra => {
- access_type => 'online',
- login_hint => $claimed_email,
- response_type => 'code'
- }
- ));
+ my $csrf_token = random_bytes_base64(32); #256 bits
+ my $csrf_token_cookie = make_cookie('mulkyid_csrf_token', $csrf_token);
+ print $cgi->redirect(
+ -cookie => $csrf_token_cookie,
+ -url => $oidc_client->uri_to_redirect(
+ redirect_uri => reluri($cgi, 'login.pl'),
+ scope => 'openid email',
+ state => $csrf_token,
+ extra => {
+ access_type => 'online',
+ login_hint => $claimed_email,
+ response_type => 'code'
+ })
+ );
 }
 default {
 die "Invalid auth_type! " . $::MULKONF->{auth_type}; |
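Review bot: The token built by `random_bytes_base64(32)` in the second hunk most likely carries a trailing newline, because Bytes::Random::Secure passes MIME::Base64's default `$eol` of "\n" when no second argument is given, so the same value reaches the `-cookie` and the `state` parameter through two different escaping paths (cookie encoding versus URL encoding) and a later equality check in login.pl can fail or be weakened depending on how each side strips it. Pass an explicit empty terminator, `my $csrf_token = random_bytes_base64(32, '');   # 256 bits, no trailing EOL`, or use a hex encoding so the value is safe in both carriers without escaping. The cookie's attributes are decided inside `make_cookie` from common.pl, which is outside this diff; if that helper does not already mark the cookie HttpOnly and Secure with a short lifetime, this is the place where a CSRF token should get them. The validating side (comparing the returned `state` with the cookie, and clearing the cookie so the token is single-use) is not part of this commit, so the protection this change introduces depends on that follow-up.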