From 4a5f8e30a806db188c73447434905722cbd3c0fd Mon Sep 17 00:00:00 2001
From: aram price
Date: Wed, 9 Dec 2020 17:24:12 -0800
Subject: [PATCH] Use distinct `Encoder` for state and csrf data

---
 internal/oidc/provider/manager/manager.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/internal/oidc/provider/manager/manager.go b/internal/oidc/provider/manager/manager.go
index 7e8cd6d7..7fdce529 100644
--- a/internal/oidc/provider/manager/manager.go
+++ b/internal/oidc/provider/manager/manager.go
@@ -90,8 +90,12 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
 	// 3. we would like *all* downstream providers to use the *same* signing key for the CSRF cookie (which doesn't need to be encrypted) because cookies are sent per-domain and our issuers can share a domain name (but have different paths)
 	var encoderHashKey = []byte("fake-hash-secret") // TODO replace this secret
 	var encoderBlockKey = []byte("16-bytes-aaaaaaa") // TODO replace this secret
-	var encoder = securecookie.New(encoderHashKey, encoderBlockKey)
-	encoder.SetSerializer(securecookie.JSONEncoder{})
+
+	var upstreamStateEncoder = securecookie.New(encoderHashKey, encoderBlockKey)
+	upstreamStateEncoder.SetSerializer(securecookie.JSONEncoder{})
+
+	var csrfCookieEncoder = securecookie.New(encoderHashKey, encoderBlockKey)
+	csrfCookieEncoder.SetSerializer(securecookie.JSONEncoder{})
 
 	m.providerHandlers[(issuerHostWithPath + oidc.WellKnownEndpointPath)] = discovery.NewHandler(issuer)
 
@@ -104,15 +108,15 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
 		csrftoken.Generate,
 		pkce.Generate,
 		nonce.Generate,
-		encoder,
-		encoder,
+		upstreamStateEncoder,
+		csrfCookieEncoder,
 	)
 
 	m.providerHandlers[(issuerHostWithPath + oidc.CallbackEndpointPath)] = callback.NewHandler(
 		m.idpListGetter,
 		oauthHelperWithKubeStorage,
-		encoder,
-		encoder,
+		upstreamStateEncoder,
+		csrfCookieEncoder,
 		issuer+oidc.CallbackEndpointPath,
 	)
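Review bot: The two new `securecookie.New` calls in the first hunk are built from the identical `encoderHashKey` and `encoderBlockKey`, so `upstreamStateEncoder` and `csrfCookieEncoder` are distinct objects but not distinct in any cryptographic sense: a value minted by one still authenticates and decrypts under the other, and the only thing keeping state and CSRF values from being swapped is whatever cookie/field name each caller passes, which this hunk does not show. If the goal of the split is key separation, give each encoder its own key material, e.g. `var csrfCookieEncoder = securecookie.New(csrfCookieHashKey, nil)` with a separately sourced `csrfCookieHashKey`; passing `nil` as the block key also matches the comment on the first context line, which says the CSRF cookie does not need to be encrypted. The placeholder secrets are still the same literals flagged `TODO replace this secret`, and the 16-byte hash key is shorter than the 32–64 bytes gorilla/securecookie recommends for the HMAC key, so the replacement should also lengthen it. The enclosing `SetProviders` begins before the hunk and continues past it (the second hunk passes these encoders to the auth and callback handlers).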