4 replies

Session params missing for oidc providers using response_mode: form_post (e.g. Azure AD)

I am trying to use the OIDC strategy with Azure AD. Now is Azure requiring to use

response_mode: form_post

response_mode: form_post

. This requires that the POST callback endpoint is not under CSRF protection (similar to how

pow_assent

pow_assent

is doing it).
The issue is that the

user/<strategy>

user/<strategy>

key is not in the session during the callback phase. Am I required to implement a server side session store as

pow

pow

does it?

See the setup below:

defmodule MyApp.Router do
...
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {MyAppWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :load_from_session
  end

  pipeline :skip_csrf_protection do
    plug(:accepts, ["html"])
    plug(:fetch_session)
    plug(:fetch_flash)
    plug(:put_secure_browser_headers)
  end

 scope "/", MyAppWeb do
    pipe_through(:skip_csrf_protection)

    auth_routes_for(MyApp.Accounts.User, to: AuthController)
  end

  scope "/", MyAppWeb do
    pipe_through :browser

    sign_in_route()
    sign_out_route(AuthController)

    get "/", PageController, :home
  end
...
end

defmodule MyApp.Router do
...
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {MyAppWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :load_from_session
  end

  pipeline :skip_csrf_protection do
    plug(:accepts, ["html"])
    plug(:fetch_session)
    plug(:fetch_flash)
    plug(:put_secure_browser_headers)
  end

 scope "/", MyAppWeb do
    pipe_through(:skip_csrf_protection)

    auth_routes_for(MyApp.Accounts.User, to: AuthController)
  end

  scope "/", MyAppWeb do
    pipe_through :browser

    sign_in_route()
    sign_out_route(AuthController)

    get "/", PageController, :home
  end
...
end

and the strategy

# MyApp.Accounts.User
...
    strategies do
      oidc :azure_ad do
        client_id "***"
        client_secret "***"
        site "https://login.microsoftonline.com/***/v2.0"
        redirect_uri("https://***/auth")

        authorization_params(
          scope: "profile email",
          response_mode: "form_post"
        )

        authorize_url("/authorize")
        token_url("/token")
        client_authentication_method(:client_secret_post)
        nonce(true)
        identity_resource(MyApp.Accounts.UserIdentity)
      end
    end
...

# MyApp.Accounts.User
...
    strategies do
      oidc :azure_ad do
        client_id "***"
        client_secret "***"
        site "https://login.microsoftonline.com/***/v2.0"
        redirect_uri("https://***/auth")

        authorization_params(
          scope: "profile email",
          response_mode: "form_post"
        )

        authorize_url("/authorize")
        token_url("/token")
        client_authentication_method(:client_secret_post)
        nonce(true)
        identity_resource(MyApp.Accounts.UserIdentity)
      end
    end
...

Ash Framework•3y ago•

4 replies

bziegler

Session params missing for oidc providers using response_mode: form_post (e.g. Azure AD)

I am trying to use the OIDC strategy with Azure AD. Now is Azure requiring to use

response_mode: form_post

response_mode: form_post

. This requires that the POST callback endpoint is not under CSRF protection (similar to how

pow_assent

pow_assent

is doing it).
The issue is that the

user/<strategy>

user/<strategy>

key is not in the session during the callback phase. Am I required to implement a server side session store as

pow

pow

does it?

See the setup below:

defmodule MyApp.Router do
...
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {MyAppWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :load_from_session
  end

  pipeline :skip_csrf_protection do
    plug(:accepts, ["html"])
    plug(:fetch_session)
    plug(:fetch_flash)
    plug(:put_secure_browser_headers)
  end

 scope "/", MyAppWeb do
    pipe_through(:skip_csrf_protection)

    auth_routes_for(MyApp.Accounts.User, to: AuthController)
  end

  scope "/", MyAppWeb do
    pipe_through :browser

    sign_in_route()
    sign_out_route(AuthController)

    get "/", PageController, :home
  end
...
end

defmodule MyApp.Router do
...
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {MyAppWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :load_from_session
  end

  pipeline :skip_csrf_protection do
    plug(:accepts, ["html"])
    plug(:fetch_session)
    plug(:fetch_flash)
    plug(:put_secure_browser_headers)
  end

 scope "/", MyAppWeb do
    pipe_through(:skip_csrf_protection)

    auth_routes_for(MyApp.Accounts.User, to: AuthController)
  end

  scope "/", MyAppWeb do
    pipe_through :browser

    sign_in_route()
    sign_out_route(AuthController)

    get "/", PageController, :home
  end
...
end

and the strategy

# MyApp.Accounts.User
...
    strategies do
      oidc :azure_ad do
        client_id "***"
        client_secret "***"
        site "https://login.microsoftonline.com/***/v2.0"
        redirect_uri("https://***/auth")

        authorization_params(
          scope: "profile email",
          response_mode: "form_post"
        )

        authorize_url("/authorize")
        token_url("/token")
        client_authentication_method(:client_secret_post)
        nonce(true)
        identity_resource(MyApp.Accounts.UserIdentity)
      end
    end
...

# MyApp.Accounts.User
...
    strategies do
      oidc :azure_ad do
        client_id "***"
        client_secret "***"
        site "https://login.microsoftonline.com/***/v2.0"
        redirect_uri("https://***/auth")

        authorization_params(
          scope: "profile email",
          response_mode: "form_post"
        )

        authorize_url("/authorize")
        token_url("/token")
        client_authentication_method(:client_secret_post)
        nonce(true)
        identity_resource(MyApp.Accounts.UserIdentity)
      end
    end
...

Session params missing for oidc providers using response_mode: form_post (e.g. Azure AD)

Session params missing for oidc providers using response_mode: form_post (e.g. Azure AD)

Similar Threads

Similar Threads

Similar Threads