feat(authProviders): add SESSION_COOKIE_DOMAIN for cross-subdomain OIDC#10929
Open
MichaelUray wants to merge 2 commits into
…n OIDC koa-session defaults the cookie domain to the request host. OIDC flows that start on one subdomain (dev.example.com) and get the callback on another (app.example.com, the host registered with the IdP) lose the Passport state — the cookie set on dev isn't sent to app, so the callback handler errors with 'did not find expected authorization request details in session'. SESSION_COOKIE_DOMAIN=.example.com scopes the cookie to the parent domain so both subdomains share it. Empty / unset preserves the prior behaviour for setups that only use a single host. Signed-off-by: Michael Uray <michaeluray@users.noreply.github.com>
Connected to Huly®: UBERF-16532
…n-cookie-domain Signed-off-by: Michael Uray <michaeluray@users.noreply.github.com>
## Summary

`koa-session` defaults the cookie domain to the request host. For OIDC flows that start on one subdomain (e.g. `dev.example.com`) and receive the callback on a different subdomain (e.g. `app.example.com`, the host registered with the IdP) the Passport authentication-request state is lost — the session cookie set on `dev` is not sent to `app`, so the callback handler errors out with `did not find expected authorization request details in session`.

This PR adds an opt-in `SESSION_COOKIE_DOMAIN` environment variable. When set, the value is forwarded to `koa-session` so the cookie scope is widened to the configured parent domain (e.g. `.example.com`), allowing both subdomains to share the OIDC state cookie.

## Default behavior unchanged

If `SESSION_COOKIE_DOMAIN` is unset or empty, the cookie configuration is identical to today — `koa-session` defaults apply, the cookie remains scoped to the request host. Single-host deployments require no action.

## Security considerations (please review)

Widening cookie scope to a parent domain shares the cookie with every host under that parent. Operators must only enable this when all hosts under the configured domain are under the same trust boundary (operated by the same team, with the same security posture, same authentication realm).

Concrete guidance to add to the deployment doc:

- `SESSION_COOKIE_DOMAIN=.internal.example.com` when only the operator's own services live under `.internal.example.com`.
- `SESSION_COOKIE_DOMAIN=.example.com` if third parties or customer-controlled subdomains exist under `.example.com` — they could read or set the session cookie.

The cookie continues to be marked `HttpOnly` and `Secure` (where the original config has them); this change only affects `Domain` attribute scope.

## Behavioural matrix

| `SESSION_COOKIE_DOMAIN` | |
|---|---|
| `.example.com` | `.example.com` |

## Verification

- `SESSION_COOKIE_DOMAIN` preserves today's host-scoped cookie behaviour.
- `SESSION_COOKIE_DOMAIN=.example.com`, the OIDC session cookie is emitted with `Domain=.example.com`.

## DCO

- Signed-off-by Michael Uray.
- `maintainer_can_modify=true`.
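The behaviour the PR description asks reviewers to check, as an added example that is not part of this PR or of the Huly code base: an opt-in `SESSION_COOKIE_DOMAIN` is read from the environment, an unset or empty value leaves the cookie options untouched (host-scoped `koa-session` default), and a set value is forwarded as the cookie `domain`. It also encodes the two checks a reviewer would want around the "Security considerations" section: the configured domain must actually cover every host the deployment serves (otherwise the cross-subdomain flow still breaks), and a bare top-level label is refused. `cookieSentTo` is a simplified RFC 6265 domain match that shows why the `dev` cookie never reaches `app` without the option. Assumptions, all mine rather than the project's: that `koa-session` accepts a `domain` cookie option and passes it through to `Set-Cookie` (the PR states it does), the placeholder cookie key name `sess`, the `knownHosts` parameter, and the constructed sample environments at the bottom.

```typescript
// Added example, not Huly's code. Builds koa-session cookie options from an
// opt-in SESSION_COOKIE_DOMAIN and shows the browser-side effect of the
// Domain attribute on a cross-subdomain OIDC flow.

interface SessionCookieOptions {
  key: string;                        // placeholder cookie name (assumption)
  httpOnly: boolean;
  secure: boolean;
  sameSite: 'lax' | 'strict' | 'none';
  domain?: string;                    // only present when SESSION_COOKIE_DOMAIN is set
}

type Env = Record<string, string | undefined>;

/** Strip the leading dot operators conventionally write (".example.com"); browsers ignore it (RFC 6265 §5.2.3). */
function canonicalDomain(domain: string): string {
  const d = domain.trim().toLowerCase();
  return d.startsWith('.') ? d.slice(1) : d;
}

/** True when `host` is `domain` itself or a subdomain of it (port stripped). */
function hostWithinDomain(host: string, domain: string): boolean {
  const h = host.toLowerCase().split(':')[0];
  const d = canonicalDomain(domain);
  return h === d || h.endsWith('.' + d);
}

/**
 * Build the koa-session cookie options. `knownHosts` lists every host this
 * deployment serves (the front-end host and the OIDC callback host), so a
 * misconfigured domain fails at startup instead of during the first login.
 */
function buildSessionCookieOptions(env: Env, knownHosts: string[]): SessionCookieOptions {
  const base: SessionCookieOptions = { key: 'sess', httpOnly: true, secure: true, sameSite: 'lax' };
  const raw = (env.SESSION_COOKIE_DOMAIN ?? '').trim();
  if (raw === '') return base;                      // unset / empty: default host-scoped cookie, unchanged behaviour
  if (!canonicalDomain(raw).includes('.')) {
    throw new Error(`SESSION_COOKIE_DOMAIN "${raw}" is a top-level label; refusing to scope the session cookie that widely`);
  }
  for (const host of knownHosts) {
    if (!hostWithinDomain(host, raw)) {
      throw new Error(`host "${host}" is not under SESSION_COOKIE_DOMAIN "${raw}"; the OIDC state cookie would not reach it`);
    }
  }
  return { ...base, domain: raw };                  // forwarded to koa-session as the cookie Domain attribute
}

/**
 * Simplified RFC 6265 matching: would a browser send a cookie that was set by
 * `setOnHost` (with an optional Domain attribute) along with a request to
 * `requestHost`? A cookie without Domain is host-only and is sent to that
 * exact host and nothing else.
 */
function cookieSentTo(setOnHost: string, cookieDomain: string | undefined, requestHost: string): boolean {
  if (cookieDomain === undefined) {
    return setOnHost.toLowerCase() === requestHost.toLowerCase();
  }
  return hostWithinDomain(requestHost, cookieDomain);
}

// Constructed sample environments (not real deployments).
const singleHost = buildSessionCookieOptions({}, ['app.example.com']);
const crossSubdomain = buildSessionCookieOptions(
  { SESSION_COOKIE_DOMAIN: '.example.com' },
  ['dev.example.com', 'app.example.com'],
);

// OIDC flow starts on dev.example.com, callback lands on app.example.com.
console.log('host-scoped cookie reaches callback host:', cookieSentTo('dev.example.com', singleHost.domain, 'app.example.com'));
console.log('parent-domain cookie reaches callback host:', cookieSentTo('dev.example.com', crossSubdomain.domain, 'app.example.com'));
```

The `knownHosts` check is a coverage check, not a trust-boundary check: it can tell an operator that `.internal.example.com` does not cover `app.example.com`, but it cannot know whether a customer-controlled `tenant.example.com` exists, which is exactly why the PR asks for the guidance in the deployment doc.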