Skip to content
Open
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,17 @@ _other Sign In with Apple guides:_
pem: ENV['APPLE_P8_FILE_CONTENT_WITH_EXTRA_NEWLINE']
}
```

## Nonce handling

As Apple returns to the omniauth callback with a **POST** request, the session values that previously where set are not
Comment thread
bvogel marked this conversation as resolved.
Outdated
available for `SameSite` cookie strategies other than `:none`. When `:strict` or `:lax` are used (recommended settings)
the returning nonce validation, that uses the default `nonce` setting `nonce: :session` will fail. To mitigate this,
there are two options:
* setting `nonce: :local` which will set a short-lived, encrypted cookie with `SameSite: :none` policy to enable nonce
validation without compromising session security.
* setting `nonce: :ignore` will completely skip `nonce` validation, however this isn't recommended as it opens CSRF
attack possibilities

## Contributing

Expand Down
26 changes: 22 additions & 4 deletions lib/omniauth/strategies/apple.rb
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ class Apple < OmniAuth::Strategies::OAuth2
response_mode: 'form_post',
scope: 'email name'
option :authorized_client_ids, []
# one of :session (default), :local, :ignore
option :nonce, :session

uid { id_info[:sub] }

Expand Down Expand Up @@ -56,7 +58,8 @@ def is_private_email
end

def authorize_params
super.merge(nonce: new_nonce)
params = super
options[:nonce] != :ignore ? params.merge(nonce: new_nonce) : params
end

def callback_url
Expand All @@ -66,11 +69,26 @@ def callback_url
private

def new_nonce
session['omniauth.nonce'] = SecureRandom.urlsafe_base64(16)
nonce = SecureRandom.urlsafe_base64(16)
if options[:nonce] == :local
cookies.encrypted[:omniauth_apple_store] =
{ same_site: :none, expires: 1.hour.from_now, secure: true, value: nonce }
else
session['omniauth.nonce'] = nonce
end
nonce
end

def stored_nonce
session.delete('omniauth.nonce')
return session.delete("omniauth.nonce") unless options[:nonce] == :local

nonce = cookies.encrypted[:omniauth_apple_store]
cookies.delete :omniauth_apple_store
nonce
end

def cookies
request.env["action_dispatch.cookies"]
end

def id_info
Expand Down Expand Up @@ -105,7 +123,7 @@ def verify_claims!(id_token)
verify_aud!(id_token)
verify_iat!(id_token)
verify_exp!(id_token)
verify_nonce!(id_token) if id_token[:nonce_supported]
verify_nonce!(id_token) if id_token[:nonce_supported] && options[:nonce] != :ignore

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiosity, have you considered applying the suggestion made by @btalbot in #102 and just avoid verifying a blank nonce ?

Suggested change
verify_nonce!(id_token) if id_token[:nonce_supported] && options[:nonce] != :ignore
verify_nonce!(id_token) if id_token[:nonce_supported] && id_token[:nonce].present?

If so then may I ask why you decided not to use this solution ? It seems to work for me and requires a lot less changes in the code.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this would pass even if nonce is required but nor returned, which I would consider a security risk.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My bad, what I meant was to update verify_nonce like this

      def verify_nonce!(id_token)
        invalid_claim! :nonce unless id_token[:nonce] == stored_nonce
      end

From my understanding stored_nonce will always be defined when the nonce is required and will not be defined when it's not so only checking that the token's nonce equals the stored_nonce would result in either checking whether "nonce is optional" or "nonce is required and it matches", wouldn't it ?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bvogel do you think that solution could work in the end ?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, as the stored_nonce is taken from the session that isn't present anymore if any SameSite strategy other then :none is used, the reason why I introduces the change in the first place

end

def verify_iss!(id_token)
Expand Down
1 change: 1 addition & 0 deletions omniauth-apple.gemspec
Original file line number Diff line number Diff line change
Expand Up @@ -43,4 +43,5 @@ Gem::Specification.new do |spec|
spec.add_development_dependency "rspec", "~> 3.9"
spec.add_development_dependency "webmock", "~> 3.8"
spec.add_development_dependency "simplecov", "~> 0.18"
spec.add_development_dependency "actionpack", ">= 4.2"
end
File renamed without changes.
72 changes: 72 additions & 0 deletions spec/omniauth/strategies/apple_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -290,6 +290,78 @@
end
end

context 'nonce with local store' do
let(:cookies) { ActionDispatch::Cookies::CookieJar.new(request) }

before do
subject.options.nonce = :local
allow(cookies).to receive(:encrypted).and_return(cookies)
allow(cookies).to receive(:handle_options)
request.env["action_dispatch.cookies"] = cookies
# required to proof that we actually fail on the local store
strategy.authorize_params
subject.session['omniauth.nonce'] = id_token_payload['nonce']
end

context 'when in store succeeds' do
before do
cookies.encrypted[:omniauth_apple_store] =
{ same_site: :none, expires: 1.hour.from_now, secure: true, value: id_token_payload['nonce'] }
end

it do
expect { subject.info }.not_to raise_error
end
end

context 'when differs from store fails' do
before do
cookies.encrypted[:omniauth_apple_store] =
{ same_site: :none, expires: 1.hour.from_now, secure: true, value: 'abd' }
end

it do
expect { subject.info }.to raise_error(
OmniAuth::Strategies::OAuth2::CallbackError, 'id_token_claims_invalid | nonce invalid'
)
end
end

context 'when missing from store fails' do
before do
cookies.encrypted[:omniauth_apple_store] = nil
end

it do
expect { subject.info }.to raise_error(
OmniAuth::Strategies::OAuth2::CallbackError, 'id_token_claims_invalid | nonce invalid'
)
end
end
end

context 'ignores nonce' do
context 'when differs from session' do
before do
subject.options.nonce = :ignore
subject.session['omniauth.nonce'] = 'abc'
end
it do
expect { subject.info }.not_to raise_error
end
end

context 'when missing from session' do
before do
subject.options.nonce = :ignore
subject.session.delete('omniauth.nonce')
end
it do
expect { subject.info }.not_to raise_error
end
end
end

context 'with a spoofed email in the user payload' do
before do
request.params['user'] = {
Expand Down
1 change: 1 addition & 0 deletions spec/spec_helper.rb
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

require File.join('bundler', 'setup')
require 'rspec'
require 'action_dispatch'
require 'simplecov'
SimpleCov.start('test_frameworks')

Expand Down