Skip to content

Support Sign in with Apple #3521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Nov 22, 2024
Merged

Support Sign in with Apple #3521

merged 7 commits into from
Nov 22, 2024

Conversation

sandhose
Copy link
Member

@sandhose sandhose commented Nov 15, 2024
edited
Loading

Fixes #2119

This can be reviewed commit-by-commit.

This does three things:

  1. support the weird auth mode SiWA uses
  2. support the form_post response mode
  3. record extra parameters we got from the callback and expose them in the mapping templates, as SiWA will give the user display name through that

@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Nov 15, 2024
edited
Loading

Deploying matrix-authentication-service-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 04e6960
Status: ✅  Deploy successful!
Preview URL: https://1adae9d0.matrix-authentication-service-docs.pages.dev
Branch Preview URL: https://quenting-siwa.matrix-authentication-service-docs.pages.dev

View logs

@sandhose sandhose mentioned this pull request Nov 18, 2024
Merged
@sandhose sandhose marked this pull request as ready for review November 18, 2024 15:41
@sandhose sandhose requested a review from reivilibre November 18, 2024 15:41
@sandhose
Pass claims as context instead of globals during attr mapping
ac70632 
This is in preparation for also fetching the claims from the userinfo
endpoint
reivilibre
reivilibre requested changes Nov 20, 2024
View reviewed changes
Copy link
Contributor

@reivilibre reivilibre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this all seems reasonable overall, albeit a lot of code for supporting one vendor (:/ :apple:...)!

Only thing giving me pause is losing the SameSite=Lax constraint on the cookies. When I was doing research into modern-day CSRF about a year ago, SameSite=Lax is probably the most important modern development for CSRF protection that prevents some types of attacks (called Session Fixation attacks or similar).

Losing that protection would be a shame, and I'd prefer to ask the security team before we did.
But I suspect we can find a workaround, which may or may not be palatable.

I haven't tried this myself, but it sounds like a client-side redirect (NOT server-side AFAICT) can let you bypass a SameSite restriction, so if we did that to intentionally bypass SameSite only for the types of requests we care about, I think that would be better for security?

crates/cli/src/sync.rs
}
};

let token_endpoint_auth_method = match provider.token_endpoint_auth_method {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe this would be better suited as an .into() implementation if that's not impossible due to the crates being different

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The crates where both structures are defined don't depend on each other, which is why we can't implement it

@sandhose sandhose requested a review from reivilibre November 21, 2024 13:36
@sandhose
Copy link
Member Author

this all seems reasonable overall, albeit a lot of code for supporting one vendor (:/ :apple:...)!

For the record, most of it is generic and reusable/useful for other providers! The form_post thing is not widely used but standard. Supporting different response_mode is standard as well. Being able to cache extra parameters on the way back could also be useful with other providers. The only real part that is very non-standard, is how they want you to craft a JWT for the client credentials

reivilibre
reivilibre approved these changes Nov 21, 2024
View reviewed changes
@sandhose sandhose merged commit 7296364 into main Nov 22, 2024
19 checks passed
@sandhose sandhose deleted the quenting/siwa branch November 22, 2024 07:48
FullStackSimon
FullStackSimon reviewed Nov 28, 2024
View reviewed changes
crates/axum-utils/src/cookies.rs
} else {
SameSite::Lax
});
cookie.set_same_site(SameSite::Lax);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi. With this change it doesn't seem to allow auth when element-web (and mas login) are iframed from a different origin.

For example, while developing locally, I have a Vue app at http://localhost:3000. I have element-web running locally via docker at https://foo.bar.

When I access the chat component in my Vue app (where element-web is iframed) I can see the login screen etc jst fine. However, when I POST to the login endpoint, I get a 500 response as the cookie is not honoured with this change in place.

curl 'https://auth.foo.bar/login?kind=continue_authorization_grant&id=01JDSK1J6KSAZER4X4PJG6KKKM' \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \ -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \ -H 'Cache-Control: no-cache' \ -H 'Connection: keep-alive' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Origin: https://auth.foo.bar' \ -H 'Pragma: no-cache' \ -H 'Referer: https://auth.foo.bar/login?kind=continue_authorization_grant&id=01JDSK1J6KSAZER4X4PJG6KKKM' \ -H 'Sec-Fetch-Dest: iframe' \ -H 'Sec-Fetch-Mode: navigate' \ -H 'Sec-Fetch-Site: same-origin' \ -H 'Sec-Fetch-User: ?1' \ -H 'Upgrade-Insecure-Requests: 1' \ -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36' \ -H 'sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "macOS"' \ --data-raw 'csrf=vrgo4jxAFbaTvA-OKXjX2pMNCFt_rCtC2SCf3G04Yow&username=simon&password=xxxxxxxx'

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you happen to know of any workaround?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a temporary change in this PR, which ended up getting reverted. Is the flow working as intended on a known-good client? You should try with:

I'd suggest opening a discussion or joining #matrix-auth:matrix.org for further help on troubleshooting

@sandhose sandhose added the A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers label Nov 29, 2024
@sandhose sandhose mentioned this pull request Nov 29, 2024
Closed
@sandhose sandhose added the T-Enhancement New feature of request label Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reivilibre reivilibre reivilibre approved these changes

+1 more reviewer

@FullStackSimon FullStackSimon FullStackSimon left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers T-Enhancement New feature of request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support what "sign-in with Apple" is doing for client auth

3 participants

@sandhose @reivilibre @FullStackSimon