ContainerImage.Pinniped/internal
Matt Moyer f0ebd808d7
Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax.
This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1].

We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode.

[1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 21:30:00 -06:00
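The Same-Site behaviour the commit message describes, as an added Go example that is not Pinniped's code: the cookie name, the hostnames and the two-label `site()` approximation of a registrable domain are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// newCSRFCookie sets Same-Site=Lax so the cookie survives the redirect from
// the upstream OIDC provider back to the callback endpoint (name is hypothetical).
func newCSRFCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "example-csrf", // constructed name, not Pinniped's
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode, // previously http.SameSiteStrictMode
	}
}

// site reduces a host to its last two labels, a simplification of the
// registrable domain a browser derives from the Public Suffix List.
func site(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) <= 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// browserSendsCookie models the draft-ietf-httpbis-cookie-same-site rules: Strict rides only
// on same-site requests; Lax also rides on cross-site top-level navigations using a safe method.
func browserSendsCookie(c *http.Cookie, initiator, target, method string, topLevelNav bool) bool {
	sameSite := site(initiator) == site(target)
	switch c.SameSite {
	case http.SameSiteStrictMode:
		return sameSite
	case http.SameSiteLaxMode:
		return sameSite || (topLevelNav && (method == http.MethodGet || method == http.MethodHead))
	default: // unset or None: no Same-Site restriction applied here
		return true
	}
}

func main() {
	lax := newCSRFCookie("constructed-value")
	fmt.Println(browserSendsCookie(lax, "idp.example.org", "pinniped.example.com", http.MethodGet, true))
}
```

The `*.svc.cluster.local` case from the second paragraph shows up as `site()` returning `cluster.local` for both hosts, which is why the Dex-based tests passed even with Strict.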
certauthority Add a CA.Pool() method to ./internal/certauthority. 2020-12-02 15:55:34 -06:00
client Split the config CRDs into two API groups. 2020-10-30 19:22:46 -05:00
concierge Temporarily disable max inflight checks for mutating requests 2020-11-19 21:21:10 -05:00
config Add log level support 2020-11-10 10:22:27 -05:00
constable Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
controller Save an http.Client with each upstreamoidc.ProviderConfig object. 2020-12-02 15:55:33 -06:00
controllerlib Reduce log spam 2020-11-10 10:22:27 -05:00
controllermanager Rename CredentialIssuerConfig to CredentialIssuer. 2020-11-02 17:39:42 -06:00
crud Remove a couple of todos that will be resolved in Slack conversations 2020-12-02 14:20:18 -08:00
downward Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
dynamiccert internal/provider -> internal/dynamiccert 2020-09-23 08:29:35 -04:00
fositestorage Back-fill some more unit tests on authorizationcode_test.go 2020-12-02 14:20:18 -08:00
here Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
httputil Implement the rest of an OIDC client CLI library. 2020-10-12 16:41:46 -05:00
mocks Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method. 2020-12-02 15:55:33 -06:00
multierror Backfill tests to OIDCProviderConfig controller 2020-10-09 10:39:17 -04:00
oidc Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax. 2020-12-03 21:30:00 -06:00
plog Finish the WIP from the previous commit for saving authorize endpoint state 2020-11-11 12:29:14 -08:00
registry/credentialrequest Merge pull request #213 from mattmoyer/more-categories 2020-11-13 15:51:42 -05:00
testutil Merge remote-tracking branch 'origin/main' into callback-endpoint 2020-12-02 16:09:08 -06:00
upstreamoidc Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method. 2020-12-02 15:55:33 -06:00