From ba65cc50b7b468f0738398312a468ea413727bdc Mon Sep 17 00:00:00 2001 From: Matthias Benkard Date: Tue, 14 Apr 2015 08:39:27 +0000 Subject: QT-1900 Add a CSRF token to the OIDC login flow. This improves security by generating a CSRF token, passing it to the OIDC IdP, and validating it afterwards. The token is stored in a cookie reverse-encrypted with MulkyID's private key. --- www/authenticate.pl | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) (limited to 'www/authenticate.pl') diff --git a/www/authenticate.pl b/www/authenticate.pl index 3c865ac..b2bd43f 100755 --- a/www/authenticate.pl +++ b/www/authenticate.pl @@ -13,6 +13,8 @@ use CGI::Fast; use OIDC::Lite; use OIDC::Lite::Client::WebServer; +use Bytes::Random::Secure qw(random_bytes_base64); + do "common.pl"; while (my $cgi = new CGI::Fast) { @@ -35,18 +37,20 @@ while (my $cgi = new CGI::Fast) { authorize_uri => 'https://accounts.google.com/o/oauth2/auth', access_token_uri => 'https://accounts.google.com/o/oauth2/token' ); - # FIXME: Make `state` a unique, random session token! (Maybe a - # signed, timestamped web token, so stateless?) - print $cgi->redirect($oidc_client->uri_to_redirect( - redirect_uri => reluri($cgi, 'login.pl'), - scope => 'openid email', - state => '', - extra => { - access_type => 'online', - login_hint => $claimed_email, - response_type => 'code' - } - )); + my $csrf_token = random_bytes_base64(32); #256 bits + my $csrf_token_cookie = make_cookie('mulkyid_csrf_token', $csrf_token); + print $cgi->redirect( + -cookie => $csrf_token_cookie, + -url => $oidc_client->uri_to_redirect( + redirect_uri => reluri($cgi, 'login.pl'), + scope => 'openid email', + state => $csrf_token, + extra => { + access_type => 'online', + login_hint => $claimed_email, + response_type => 'code' + }) + ); } default { die "Invalid auth_type! " . $::MULKONF->{auth_type}; -- cgit v1.2.3