bziegler
Ash Elixir
Created by bziegler on 8/7/2023 in #support
Session params missing for oidc providers using response_mode: form_post (e.g. Azure AD)
So, I changed the session store to an ETS table now and all works as intended. The remaining question would be why in a cookie session setup the session_params isn't stored or fetched correctly. Any idea?
5 replies
Totally agree that it is a bit confusing and sorry for the poor explanation. Let me try to pinpoint the issue a bit better. AshAuthentication.Strategy.OAuth2.Plug.request puts the session_params under the session_key in the :plug_session (it's private), e.g.
%Plug.Conn{
  ...
  private: %{
    ...
    :plug_session => %{
      "_csrf_token" => "...",
      "user/azure_ad" => %{
        state: "....",
        nonce: "...."
      },
      ...
    }
  }
}
And that is all fine. The issue is that :plug_session is empty when AshAuthentication.Strategy.OAuth2.Plug.callback gets called and therefore session_params cannot be loaded into the config anymore (used by assent to do the nonce and state checks). I created a little hack to save the :session_params in a file and load them during the callback. With that in place, the assent strategy works, but it's of course not the path to go. I don't think config_for can help us here as the required session_params are not in the :strategy part of the conn. If I understand the pow implementation correctly, they are storing the session_params in an ETS or Mnesia store, which I mimic with my hacky file implementation. I also checked my setup with the GitHub strategy and all works there as expected (only GET requests in the OIDC/OAuth2 strategy).

I hope this makes it a bit easier to understand. I am also happy to contribute with a PR but would like your opinion on the matter first. While on it, I thought of doing one PR for an AzureAD strategy to handle tenant_id via the DSL and to add a convenience function for creating the POST callback endpoints to be placed in a :skip_csrf_protection scope (you can check the pow_assent docs, where they have a similar helper function called pow_assent_authorization_post_callback_routes).
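Added example, not code from the thread, AshAuthentication, Assent or Pow: an ETS-backed store for the OAuth2/OIDC session params (state and nonce) of the kind both posts above describe, plus a plug for the form_post callback that recovers them. It exists because a cookie session is generally not available on a cross-site top-level POST: browsers that default cookies to SameSite=Lax send the session cookie only on top-level GET navigations, so a callback POSTed by the provider arrives with an empty :plug_session, which matches the symptom described. The module names, table name and TTL are hypothetical, and the shape of the provider's POST (a `state` form field) is assumed.

```elixir
# Added example (not code from the thread, AshAuthentication, Assent or Pow).
# Keeps OAuth2/OIDC session params (state and nonce) in a process-owned ETS
# table keyed by `state`, so a callback arriving as a cross-site form_post
# without the session cookie can still recover them for the state and nonce
# checks. Module names, the table name and the TTL are hypothetical.
defmodule MyApp.OAuthSessionStore do
  use GenServer

  @table :oauth_session_params
  # Assumed upper bound for one authorization round trip.
  @ttl_seconds 600

  def start_link(_opts), do: GenServer.start_link(__MODULE__, nil, name: __MODULE__)

  @impl true
  def init(nil) do
    # The GenServer owns the table; :public lets the plug below read it
    # without a message round trip.
    :ets.new(@table, [:named_table, :public, :set, read_concurrency: true])
    {:ok, nil}
  end

  # Call this where the request plug generates the params (same atom-keyed
  # shape as the map shown in the thread). `state` is the only value the
  # provider echoes back, so it becomes the key.
  def put(%{state: state} = params) when is_binary(state) do
    expires_at = System.system_time(:second) + @ttl_seconds
    true = :ets.insert(@table, {state, params, expires_at})
    :ok
  end

  # Fetch-and-delete: a `state` is single-use, so a captured callback cannot
  # be replayed. Expired entries are dropped on the way out.
  def pop(state) when is_binary(state) do
    now = System.system_time(:second)

    case :ets.take(@table, state) do
      [{^state, params, expires_at}] when expires_at > now -> {:ok, params}
      _ -> :error
    end
  end

  def pop(_), do: :error
end

defmodule MyAppWeb.OAuthFormPostCallbackPlug do
  @moduledoc """
  Recovers session params for a form_post callback. Meant to sit in a router
  scope without CSRF protection (the provider's POST carries no CSRF token);
  the single-use `state` lookup is what stands in for that protection here.
  """
  import Plug.Conn

  def init(opts), do: opts

  # Assumed: the provider POSTs `state` alongside `code` / `id_token`.
  def call(%Plug.Conn{params: %{"state" => state}} = conn, _opts) do
    case MyApp.OAuthSessionStore.pop(state) do
      {:ok, session_params} ->
        # Downstream, pass these as `session_params` in the strategy config
        # so the nonce and state checks run against the stored values.
        assign(conn, :session_params, session_params)

      :error ->
        conn |> send_resp(400, "unknown or expired state") |> halt()
    end
  end

  def call(conn, _opts), do: conn |> send_resp(400, "missing state") |> halt()
end
```

Add `MyApp.OAuthSessionStore` to the application's supervision tree, call `put/1` with the `%{state: ..., nonce: ...}` map at request time, and put the plug in the router scope that serves the POST callback. Because the store lives in the node's memory, a multi-node deployment needs either sticky routing or a shared backend (Pow uses an ETS or Mnesia cache for the same reason); the TTL and the fetch-and-delete in `pop/1` are what keep a state value from being accepted late or twice.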