Bug 1823756
| Field | Value |
|---|---|
| Summary | Backport SameSite=None cookie from mod_auth_openidc upstream to support latest browsers [rhel-8] |
| Product | Red Hat Enterprise Linux 8 |
| Component | mod_auth_openidc |
| Version | 8.1 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Jakub Hrozek <jhrozek> |
| Assignee | Jakub Hrozek <jhrozek> |
| QA Contact | Scott Poore <spoore> |
| CC | kkufova, sssd-qe |
| Target Milestone | rc |
| Target Release | 8.0 |
| Keywords | Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | sync-to-jira |
| Fixed In Version | mod_auth_openidc-2.3.7-8.module+el8.4.0+9707+f2438af7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Clone Of | |
| | 1823762 |
| Last Closed | 2021-05-18 16:13:32 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1823762 |
Description
Jakub Hrozek
2020-04-14 12:27:11 UTC
Looking at the git history, we should backport the following commits:

https://github.com/zmartzone/mod_auth_openidc/commit/a326dbe843a755124ecee883db52dcdc26284c26
https://github.com/zmartzone/mod_auth_openidc/commit/5aa73817172acbb9e86287a54bc4532af7e394ee
https://github.com/zmartzone/mod_auth_openidc/commit/3b4770f49cc67b9b0ae8732e9908895683ea556c
https://github.com/zmartzone/mod_auth_openidc/commit/f6798246abc8fd8f865db313439882ac9f5771f3

Verified.

Version ::

mod_auth_openidc-2.3.7-8.module+el8.4.0+9707+f2438af7.x86_64

Results ::

```
OIDCClientID oidc_server.example.test-example_app
OIDCProviderMetadataURL https://oidc_server.example.test:8443/auth/realms/master/.well-known/openid-configuration
OIDCCryptoPassphrase a6efadba683c
OIDCClientSecret 7bff71d5ceb9
OIDCRedirectURI https://oidc_server.example.test:60443/private/redirect_uri
OIDCRemoteUserClaim preferred_username
OIDCSSLValidateServer Off
OIDCCookieSameSite Off

<Location /private>
AuthType openid-connect
Require valid-user
</Location>

<Location /oauth>
AuthType oauth20
Require claim email:testuser@master
</Location>

# Substitute the IDP name and the realm name. My realm is called federation.test.
# The rest is a well-known URI
OIDCOAuthIntrospectionEndpoint https://oidc_server.example.test:8443/auth/realms/master/protocol/openid-connect/token/introspect
# We'll be verifying the access token against the keycloak introspection point
OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
# This must match the client ID as set on the keycloak side
OIDCOAuthClientID oidc_server.example.test-example_app
# Grab the secret from the credentials tab of the client settings in keycloak
OIDCOAuthClientSecret 7bff71d5ceb9
# Otherwise the KC-issued JWT tokens are too large for the cache
OIDCCacheEncrypt On
```

Firefox:

```
HTTP/1.1 302 Found
Date: Tue, 02 Feb 2021 18:03:44 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g
Set-Cookie: mod_auth_openidc_state_u46beWlfearTUpU2sSO8HYwlW8M=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None
Set-Cookie: mod_auth_openidc_session=8c5a08d1-381d-4a4e-8234-262ebfd5fd79; Path=/; Secure; HttpOnly; SameSite=None
Location: https://oidc_server.example.test:60443/private/
Content-Length: 255
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Cache-Control no-cache
Connection keep-alive
Cookie experimentation_subject_id=ImI0MTViYzJ...
DNT 1
Host oidc_server.example.test:60443
Pragma no-cache
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
```

Chrome shows checked box for Secure and SameSite shows None when option Off and shows LAX when option On.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (mod_auth_openidc:2.3 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1933
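A defender-side check for the behaviour verified above, written as an added example (not code from this bug report or from mod_auth_openidc): parse Set-Cookie headers the way a browser does and flag cookies that current browsers would reject or reinterpret, in particular SameSite=None without Secure. The first two sample headers are the ones captured in the verification output; the third is constructed to show the failing case.

```python
# Set-Cookie values as captured in the verification output above, plus one
# constructed header (not from the bug) that lacks the Secure attribute.
SAMPLE_HEADERS = [
    "mod_auth_openidc_state_u46beWlfearTUpU2sSO8HYwlW8M=; Path=/; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None",
    "mod_auth_openidc_session=8c5a08d1-381d-4a4e-8234-262ebfd5fd79; Path=/; "
    "Secure; HttpOnly; SameSite=None",
    "mod_auth_openidc_session=constructed-example; Path=/; HttpOnly; SameSite=None",
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value or True}).

    Attribute names are case-insensitive (RFC 6265), so keys are lower-cased;
    flag attributes such as Secure and HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def check_cookie(header_value):
    """Report SameSite/Secure problems that change how a current browser treats the cookie."""
    name, _, attrs = parse_set_cookie(header_value)
    samesite = str(attrs.get("samesite", "")).lower()
    secure = attrs.get("secure") is True
    problems = []
    if samesite == "none" and not secure:
        # Chrome 80 and later drop SameSite=None cookies that are not also Secure.
        problems.append("SameSite=None without Secure")
    elif samesite == "":
        problems.append("no SameSite attribute (Chrome 80 and later treat it as Lax)")
    elif samesite not in ("none", "lax", "strict"):
        problems.append("unknown SameSite value %r" % samesite)
    return {"name": name, "samesite": samesite or None, "secure": secure, "problems": problems}


def audit(headers):
    """Return the names of cookies that a current browser would reject or reinterpret."""
    return [r["name"] for r in map(check_cookie, headers) if r["problems"]]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(check_cookie(h))
```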