PKCE flow leaves out state required by Okta #17217

Closed
3 tasks done
js3692 opened this issue Feb 15, 2024 · 4 comments · Fixed by #17235
Labels
bug Something isn't working

Comments

@js3692
Contributor

js3692 commented Feb 15, 2024

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

The current PKCE flow introduced in #15889 does not set the state parameter (thank you very much for the feature @Marvin9 🙏).

This results in a 400 when using Okta as the provider because state is a required parameter.

In their docs (https://developer.okta.com/docs/reference/api/oidc/#parameter-details):

Okta requires the OAuth 2.0 state parameter on all requests to the /authorize endpoint to prevent cross-site request forgery (CSRF). The OAuth 2.0 specification requires that clients protect their redirect URIs against CSRF by sending a value in the authorize request that binds the request to the user-agent's authenticated state. Using the state parameter is also a countermeasure to several other known attacks as outlined in OAuth 2.0 Threat Model and Security Considerations.

To Reproduce

Enable PKCE flow using enablePKCEAuthentication & hook it up to your Okta instance. Start login flow from the Argo main page, and you will see a 400 with message "authentication request has an invalid 'state' parameter".

Expected behavior

Login flow completes successfully.

Screenshots

(sorry this was on another person's laptop)

Version

argocd: v2.10.1+a79e0ea.dirty
  BuildDate: 2024-02-14T22:23:04Z
  GitCommit: a79e0eaca415461dc36615470cecc25d6d38cefb
  GitTreeState: dirty
  GoVersion: go1.21.7
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.10.1+a79e0ea

Logs

-
@js3692 js3692 added the bug Something isn't working label Feb 15, 2024
@Marvin9
Contributor

Marvin9 commented Feb 16, 2024

@js3692 can you confirm that the Okta setup is as mentioned here, where the redirect URI is set to https://<argocd-host>/pkce/verify?

@js3692
Contributor Author

js3692 commented Feb 16, 2024

Yes, the redirect URI is set to that, but it fails before getting to that step.

@js3692
Contributor Author

js3692 commented Feb 18, 2024

Let me know what you think of #17235 (happy to close it if you want to open/re-open one).

@js3692
Contributor Author

js3692 commented Feb 21, 2024

Okay, I'll take that as a green light 🙂.

I've checked off the rest of the items - lmk if there's anything else to add!
