Bug 1823756

Summary: Backport SameSite=None cookie from mod_auth_openidc upstream to support latest browsers [rhel-8]
Product: Red Hat Enterprise Linux 8
Reporter: Jakub Hrozek <jhrozek>
Component: mod_auth_openidc
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: unspecified
Priority: unspecified
Version: 8.1
CC: kkufova, sssd-qe
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: mod_auth_openidc-2.3.7-8.module+el8.4.0+9707+f2438af7
Doc Type: If docs needed, set a value
Clone Of: ---
Clones: 1823762
Last Closed: 2021-05-18 16:13:32 UTC
Type: Bug
Bug Blocks: 1823762

Description Jakub Hrozek 2020-04-14 12:27:11 UTC
Description of problem:

With one of the upcoming Chrome versions (it used to be 80, but the change was rolled back in the meantime), Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed over secure connections.


Version-Release number of selected component (if applicable):
mod_auth_openidc-2.3.7-3

How reproducible:
always

Steps to Reproduce:
1. Inspect the HTTP headers.
2. By default the headers must include SameSite=None.
3. If http:// is used instead of https://, you will get a 500 server error.

Actual results:


Expected results:


Additional info:
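A small checker that applies the browser rules described above to captured Set-Cookie headers, added here as an illustration and not part of this bug or of mod_auth_openidc itself. It classifies each cookie the way a Lax-by-default Chrome would: no SameSite attribute means Lax, SameSite=None without Secure is rejected, and SameSite=None with Secure is usable cross-site. The three response samples are constructed for the example (modelled on the Firefox capture later in this bug); the cookie values are shortened placeholders.

```python
"""Classify Set-Cookie headers the way Chrome's SameSite rules do."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieCheck:
    name: str
    samesite: Optional[str]    # declared SameSite value (lower-cased), None if absent
    secure: bool
    effective: str             # "none", "lax", "strict" or "rejected"
    problems: List[str] = field(default_factory=list)


def classify(header_value: str) -> CookieCheck:
    """Classify one Set-Cookie value (the text after 'Set-Cookie:')."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = val
    problems: List[str] = []
    if samesite is None or samesite not in ("none", "lax", "strict"):
        # Lax-by-default Chrome: an absent or unrecognised value is treated as Lax
        effective = "lax"
        problems.append("no valid SameSite attribute; Chrome defaults to Lax, so the "
                        "cookie is withheld from most cross-site requests, e.g. a "
                        "form_post response coming back from the OIDC provider")
    elif samesite == "none" and not secure:
        # Chrome drops SameSite=None cookies that are not also marked Secure; this is
        # the http:// case that the module itself refuses with a 500 instead
        effective = "rejected"
        problems.append("SameSite=None without Secure; Chrome rejects the cookie")
    else:
        effective = samesite
    return CookieCheck(name, samesite, secure, effective, problems)


def check_response(raw_headers: str) -> List[CookieCheck]:
    """Run classify() over every Set-Cookie header in a raw HTTP response head."""
    results = []
    for line in raw_headers.splitlines():
        hdr, sep, value = line.partition(":")
        if sep and hdr.strip().lower() == "set-cookie":
            results.append(classify(value.strip()))
    return results


# Constructed sample: the fixed package answering over https://
FIXED_RESPONSE = """HTTP/1.1 302 Found
Set-Cookie: mod_auth_openidc_state_u46be=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None
Set-Cookie: mod_auth_openidc_session=8c5a08d1; Path=/; Secure; HttpOnly; SameSite=None
Location: https://oidc_server.example.test:60443/private/
"""

# Constructed sample: a build that emits no SameSite attribute at all
LEGACY_RESPONSE = """HTTP/1.1 302 Found
Set-Cookie: mod_auth_openidc_session=8c5a08d1; Path=/; Secure; HttpOnly
"""

# Constructed sample: SameSite=None over plain http://, so no Secure flag
PLAIN_HTTP_RESPONSE = """HTTP/1.1 302 Found
Set-Cookie: mod_auth_openidc_session=8c5a08d1; Path=/; HttpOnly; SameSite=None
"""

if __name__ == "__main__":
    samples = [("fixed/https", FIXED_RESPONSE),
               ("no SameSite", LEGACY_RESPONSE),
               ("plain http", PLAIN_HTTP_RESPONSE)]
    for label, raw in samples:
        for c in check_response(raw):
            print(f"{label:12} {c.name}: SameSite={c.samesite} Secure={c.secure} -> {c.effective}")
            for p in c.problems:
                print(" " * 13 + "! " + p)
```

To use it against a live server, feed it the output of `curl -sI https://host/private/` (header block only); anything other than "none" with no problems listed for the session and state cookies means the deployment is not yet in the state the verification below expects.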

Comment 8 Scott Poore 2021-02-02 22:40:33 UTC
Verified.

Version ::

mod_auth_openidc-2.3.7-8.module+el8.4.0+9707+f2438af7.x86_64

Results ::

OIDCClientID oidc_server.example.test-example_app
OIDCProviderMetadataURL https://oidc_server.example.test:8443/auth/realms/master/.well-known/openid-configuration
OIDCCryptoPassphrase a6efadba683c
OIDCClientSecret 7bff71d5ceb9
OIDCRedirectURI https://oidc_server.example.test:60443/private/redirect_uri
OIDCRemoteUserClaim preferred_username
OIDCSSLValidateServer Off
# Off: cookies are emitted with SameSite=None; Secure (requires https://); On: SameSite=Lax
OIDCCookieSameSite Off

<Location /private>
    AuthType openid-connect
    Require valid-user
</Location>


<Location /oauth>
    AuthType oauth20
    Require claim email:testuser@master
</Location>

# Substitute the IDP name and the realm name. My realm is called master. The rest is a well-known URI
OIDCOAuthIntrospectionEndpoint https://oidc_server.example.test:8443/auth/realms/master/protocol/openid-connect/token/introspect
# We'll be verifying the access token against the keycloak introspection point
OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
# This must match the client ID as set on the keycloak side
OIDCOAuthClientID oidc_server.example.test-example_app
# Grab the secret from the credentials tab of the client settings in keycloak
OIDCOAuthClientSecret 7bff71d5ceb9
# Otherwise the KC-issued JWT tokens are too large for the cache
OIDCCacheEncrypt On


Firefox:

Response headers:

HTTP/1.1 302 Found
Date: Tue, 02 Feb 2021 18:03:44 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g
Set-Cookie: mod_auth_openidc_state_u46beWlfearTUpU2sSO8HYwlW8M=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None
Set-Cookie: mod_auth_openidc_session=8c5a08d1-381d-4a4e-8234-262ebfd5fd79; Path=/; Secure; HttpOnly; SameSite=None
Location: https://oidc_server.example.test:60443/private/
Content-Length: 255
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Request headers:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive
Cookie: experimentation_subject_id=ImI0MTViYzJ...
DNT: 1
Host: oidc_server.example.test:60443
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0


Chrome shows the Secure box checked, and SameSite shows None when the option is Off and Lax when the option is On.

Comment 12 errata-xmlrpc 2021-05-18 16:13:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mod_auth_openidc:2.3 bug fix update) and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1933