Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1823762

Summary: Backport SameSite=None cookie from mod_auth_openidc upstream to support latest browsers [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: mod_auth_openidcAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.7CC: aogburn, jreznik, spoore, sssd-qe, tscherf
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: mod_auth_openidc-1.8.8-9.el7_9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1823756 Environment:
Last Closed: 2020-11-10 13:11:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1823756    
Bug Blocks:    
Attachments:
Description Flags
chrome session cookie with samesite=none enabled
none
chrome session cookie with samesite=none NOT enabled none

Description Jakub Hrozek 2020-04-14 12:45:38 UTC 
+++ This bug was initially created as a clone of Bug #1823756 +++

Description of problem:

With one of upcoming Chrome versions (used to be 80, but the change was rolled back in the meantime), Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.


Version-Release number of selected component (if applicable):
mod_auth_openidc-2.3.7-3

How reproducible:
always

Steps to Reproduce:
1. inspect the HTTP headers
2. by default the headers must include SameSite=None
3. if http:// is used and not https:// you will get a 500 server error

Actual results:


Expected results:


Additional info:

--- Additional comment from Jakub Hrozek on 2020-04-14 12:44:21 UTC ---

Looking at the git history, we should backport the following commits:

https://github.com/zmartzone/mod_auth_openidc/commit/a326dbe843a755124ecee883db52dcdc26284c26
https://github.com/zmartzone/mod_auth_openidc/commit/5aa73817172acbb9e86287a54bc4532af7e394ee
https://github.com/zmartzone/mod_auth_openidc/commit/3b4770f49cc67b9b0ae8732e9908895683ea556c
https://github.com/zmartzone/mod_auth_openidc/commit/f6798246abc8fd8f865db313439882ac9f5771f3
Comment 2 Jakub Hrozek 2020-08-20 10:52:11 UTC 
*** Bug 1870325 has been marked as a duplicate of this bug. ***
Comment 15 Scott Poore 2020-10-12 17:29:07 UTC 
Verified.

Version ::

mod_auth_openidc-1.8.8-9.el7_9.x86_64


Results :: 

Basic Regression tests run with no issues found.

Settup with SameSite=None enabled:

[root@web1 httpd]# cat /etc/httpd/conf.d/example_app_openidc.conf 
OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
OIDCProviderMetadataURL https://keycloak.kite.test:8443/auth/realms/master/.well-known/openid-configuration
OIDCClientID web1.kite.test
OIDCClientSecret <scrubbed>
OIDCRedirectURI https://web1.kite.test:60443/private/redirect_uri
OIDCRemoteUserClaim preferred_username
OIDCSSLValidateServer Off
OIDCCookieSameSiteNone On

<Location /private>
    AuthType openid-connect
    Require valid-user
</Location>

Using Firefox [firefox-68.12.0-1.el7_8.x86_64] on RHEL 7.8:

HTTP/1.1 302 Found
Date: Mon, 12 Oct 2020 17:17:03 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Set-Cookie: mod_auth_openidc_state_TSBfAXjjAxZc5xbwf-_5ljhXmKs=;Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;Secure;HttpOnly
Set-Cookie: mod_auth_openidc_session=1cd6cb27-c5b7-4fce-9215-bd4a5a401f7d;Path=/;Secure;HttpOnly; SameSite=None
Location: https://web1.kite.test:60443/private/
Content-Length: 221
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Using Chrome [google-chrome-stable-85.0.4183.121-1.x86_64] to verify the options set in the cookies:

Shows secure checked and SameSite None.  Attaching image after this.

Default behavior:

[root@web1 httpd]# vim /etc/httpd/conf.d/example_app_openidc.conf 
[root@web1 httpd]# grep -i samesite /etc/httpd/conf.d/example_app_openidc.conf
# OIDCCookieSameSiteNone On
[root@web1 httpd]# systemctl restart httpd

Firefox:

HTTP/1.1 302 Found
Date: Mon, 12 Oct 2020 17:25:17 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Set-Cookie: mod_auth_openidc_state_LPc5Bq8kNmi85m5tQLVdd_Lctvs=;Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;Secure;HttpOnly
Set-Cookie: mod_auth_openidc_session=5526cca8-c28b-494c-b2de-89dd0b7a072f;Path=/;Secure;HttpOnly
Location: https://web1.kite.test:60443/private/
Content-Length: 221
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Chrome:

Shows nothing checked and nothing in SameSite field for session cookie.
Comment 16 Scott Poore 2020-10-12 17:30:14 UTC 
Created attachment 1721012 [details]
chrome session cookie with samesite=none enabled
Comment 17 Scott Poore 2020-10-12 17:31:06 UTC 
Created attachment 1721014 [details]
chrome session cookie with samesite=none NOT enabled
Comment 23 errata-xmlrpc 2020-11-10 13:11:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mod_auth_openidc security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5035