Cookie "_oauth2_proxy" not present and HTTP Error 403 csrf token mismatch potential attack
Hi Folks,
Could you please help me to solve this issue?
Nginx Conf
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $request_uri;
}
location / {
auth_request /oauth2/auth;
error_page 401 = /oauth2/start;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_pass http://upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
OAuth2_Proxy Conf
http_address = "127.0.0.1:4180"
request_logging = true
pass_host_header = true
set-xauthrequest = true
email_domains = [
"domain.com"
]
provider = "google"
client_id = ".apps.googleusercontent.com"
client_secret = ""
ssl_insecure_skip_verify = false
cookie_name = "_oauth2_proxy"
cookie_secret = "$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
cookie_domain = ".domain.com"
cookie_expire = "24h"
cookie_refresh = "1h"
cookie_secure = false
cookie_httponly = false
OAuth2_Proxy Log
2017/12/06 14:05:35 oauthproxy.go:157: OAuthProxy configured for Google Client ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com
2017/12/06 14:05:35 oauthproxy.go:163: Cookie settings: name:_oauth2_proxy secure(https):false httponly:false expiry:24h0m0s domain:.domain.com refresh:after 1h0m0s
2017/12/06 14:05:35 http.go:49: HTTP: listening on 127.0.0.1:4180
2017/12/06 14:05:39 oauthproxy.go:608: 127.0.0.1:36488 Cookie "_oauth2_proxy" not present
127.0.0.1 - - [06/Dec/2017:14:05:39 -0500] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 401 21 0.000
140.163.254.156 - - [06/Dec/2017:14:05:39 -0500] sub.domain.com GET - "/oauth2/start" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 302 358 0.000
2017/12/06 14:05:46 oauthproxy.go:552: 127.0.0.1:36494 ("140.140.140.140") csrf token mismatch, potential attack
2017/12/06 14:05:46 oauthproxy.go:351: ErrorPage 403 Permission Denied csrf failed
140.163.254.156 - - [06/Dec/2017:14:05:46 -0500] sub.domain.com GET - "/oauth2/callback?state=464e09f7f73fsdgsdfgsdf28198141bfa7ae%3A%2F&code=4%2FP96FrvbI_fdgssdfgDkgBpKU68hP5VHgFvJUisdfgsdf8" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 403 334 0.192
2017/12/06 14:05:46 oauthproxy.go:608: 127.0.0.1:36498 Cookie "_oauth2_proxy" not present
127.0.0.1 - - [06/Dec/2017:14:05:46 -0500] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 401 21 0.000
140.163.254.156 - - [06/Dec/2017:14:05:46 -0500] sub.domain.com GET - "/oauth2/start" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 302 358 0.000
2017/12/06 14:05:47 oauthproxy.go:608: 127.0.0.1:36502 Cookie "_oauth2_proxy" not present
127.0.0.1 - - [06/Dec/2017:14:05:47 -0500] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 401 21 0.000
140.163.254.156 - - [06/Dec/2017:14:05:47 -0500] sub.domain.com GET - "/oauth2/start" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 302 358 0.000
140.163.254.156 - - [06/Dec/2017:14:05:52 -0500] sub.domain.com GET - "/oauth2/sign_in" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 200 2514 0.000
2017/12/06 14:05:52 oauthproxy.go:608: 127.0.0.1:36508 Cookie "_oauth2_proxy" not present
127.0.0.1 - - [06/Dec/2017:14:05:52 -0500] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 401 21 0.000
140.163.254.156 - - [06/Dec/2017:14:05:52 -0500] sub.domain.com GET - "/oauth2/start" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 302 358 0.000
2017/12/06 14:05:53 oauthproxy.go:608: 127.0.0.1:36512 Cookie "_oauth2_proxy" not present
127.0.0.1 - - [06/Dec/2017:14:05:53 -0500] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 401 21 0.000
140.163.254.156 - - [06/Dec/2017:14:05:53 -0500] sub.domain.com GET - "/oauth2/start" HTTP/1.0 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" 302 358 0.000
2017/12/06 14:06:40 oauthproxy.go:608: 127.0.0.1:36516 Cookie "_oauth2_proxy" not present
Bump! Sorry
Check in your browser's web debugging tools to see what cookies it has for domain.com / sub.domain.com and what cookies it is sending in the requests. It's possible that a cookie was set with a different domain spec when you were testing a slightly different config, and now oauth2_proxy won't clear or replace the older cookies because it uses a slightly different cookie domain.
If you haven't yet, I'd also suggest getting the simplest configuration working first: no subdomains, no websockets, etc.
I have a similar issue:
OAuth2_Proxy: https://oauth2.k8s.mydomain.com
Dex: https://dex.k8s.mydomain.com
Dashboard: https://dashboard.k8s.mydomain.com
Everything went well until the user clicked Dex's confirmation button to grant access. The page was forwarded back to
https://oauth2.k8s.mydomain.com/oauth2/callback?code=rvl6owuv6qmetuh7dghkmakin&state=1400fb49b32e37c3acdcb23e441f6446%3A%2F
LOGS FROM OAUTH2_PROXY POD:
10.233.66.1 - - [06/Dec/2018:16:11:19 +0000] auth.k8s.mydomaincom GET - "/oauth2/callback?code=rvl6owuv6qmetuh7dghkmakin&state=1400fb49b32e37c3acdcb23e441f6446%3A%2F" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0" 403 334 0.226
2018/12/06 16:11:19 oauthproxy.go:668: 10.233.66.4:57922 ("10.233.66.1") csrf token mismatch, potential attack
2018/12/06 16:11:19 oauthproxy.go:447: ErrorPage 403 Permission Denied csrf failed
I looked at the browser developer console's network tab and found that two _oauth2_proxy_csrf cookies were sent with the HTTP request:
"cookies": [
{
"name": "_oauth2_proxy_csrf",
"value": "95303367b2f220ab2924792987d984a1"
},
{
"name": "_oauth2_proxy_csrf",
"value": "1400fb49b32e37c3acdcb23e441f6446"
}
How do I fix this? Thanks.
Args:
--cookie-domain=.mydomain.com
--email-domain=*
--http-address=0.0.0.0:4180
--oidc-issuer-url=https://dex.k8s.mydomain.com
--provider=oidc
--redirect-url=https://auth.k8s.mydomain.com/oauth2/callback
--set-authorization-header=true
--ssl-insecure-skip-verify
--upstream=file:///dev/null
--whitelist-domain=.mydomain.com
--config=/etc/oauth2_proxy/oauth2_proxy.cfg
Environment variables:
OAUTH2_PROXY_CLIENT_ID (oauth2-proxy):
OAUTH2_PROXY_CLIENT_SECRET (oauth2-proxy):
OAUTH2_PROXY_COOKIE_SECRET (oauth2-proxy):
/etc/oauth2_proxy/oauth2_proxy.cfg:
request_logging = true
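The stale-cookie situation described in the earlier reply, and visible in the two `_oauth2_proxy_csrf` cookies above, can be checked mechanically: extract the CSRF token from the callback's `state` parameter and compare it against every CSRF cookie the browser sent, keeping duplicates instead of collapsing them. This is an added diagnostic script for this thread, not oauth2_proxy's own code; the callback URL and Cookie header are constructed from the values quoted above, and it assumes the proxy looks the cookie up by name and therefore sees only the first one the browser sends (the behaviour of Go's request cookie lookup).

```python
"""Diagnose an oauth2_proxy "csrf token mismatch" caused by duplicate CSRF cookies.

Added example for this thread, not oauth2_proxy's own code.  Sample values below are
constructed from the callback URL and the two cookies quoted in the thread."""
from urllib.parse import urlsplit, parse_qs

CSRF_COOKIE = "_oauth2_proxy_csrf"

# Constructed from the thread: the callback request and the Cookie header the browser sent.
CALLBACK_URL = ("https://oauth2.k8s.mydomain.com/oauth2/callback"
                "?code=rvl6owuv6qmetuh7dghkmakin&state=1400fb49b32e37c3acdcb23e441f6446%3A%2F")
COOKIE_HEADER = ("_oauth2_proxy_csrf=95303367b2f220ab2924792987d984a1; "
                 "_oauth2_proxy_csrf=1400fb49b32e37c3acdcb23e441f6446")


def parse_cookie_header(header):
    """Return (name, value) pairs in the order sent, keeping duplicate names.

    http.cookies.SimpleCookie keeps only the last duplicate, which hides exactly
    the condition being diagnosed, so the header is split by hand."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip().strip('"')))
    return pairs


def state_csrf_token(callback_url):
    """oauth2_proxy encodes state as '<csrf token>:<original redirect>' (percent-encoded)."""
    state = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return state.split(":", 1)[0]


def diagnose(callback_url, cookie_header):
    """Report whether the CSRF cookie the proxy would read matches the state token."""
    expected = state_csrf_token(callback_url)
    sent = [v for n, v in parse_cookie_header(cookie_header) if n == CSRF_COOKIE]
    first = sent[0] if sent else None  # lookup by name returns the first cookie sent
    return {
        "state_token": expected,
        "csrf_cookies_sent": sent,
        "first_cookie_matches": first == expected,   # what the proxy actually checks
        "any_cookie_matches": expected in sent,      # the fresh cookie is present, just shadowed
        "duplicate_cookie_names": len(sent) > 1,     # stale cookie with another domain scope
    }
```

When `any_cookie_matches` is true but `first_cookie_matches` is false, the browser is shadowing the fresh cookie with an older one set under a different cookie domain, which is the case to clear in the browser before retrying.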