OpenId Connect / OIDC-299

Race Condition in Parallel OIDC Auth Flows


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 2.23.0
    • Authenticator, OAuth2
    • Unknown

    Description

      We are experiencing a "Race Condition in Parallel Auth Flows" bug: when a user with multiple windows open attempts to return to their work after their session expires, the last XWiki window to trigger an OIDC Authz redirect overwrites the previous windows' PROP_STATE in the session, so only the last window can successfully complete the Auth Code Flow.

      Steps to reproduce:
      1. Open multiple windows to XWiki, walk away and let the session expire.
      2. Return to work / log in to the desktop.
      3. Window A loads, the user is unauthorized, state is written to the session, the browser is redirected.
      4. Window B loads, the user is unauthorized, state is written to the session (over A's), the browser is redirected.
      5. Window A loads the OP first, so the user authenticates and is redirected back to the XWiki Authz callback.
      6. XWiki loads the session state (B's) and compares it against the state returned via the callback args. This does not match, triggering this error.

      Remediation could be accomplished by storing PROP_STATE as a collection of acceptable state values and performing a lookup, or by making PROP_STATE parameterized by the state; e.g.

          // Key format for a per-flow session attribute; %s is the state value sent to the OP.
          String PROP_STATE_FMT = "oidc.state.%s";

          ...
          // Look up the session attribute under the key derived from the state returned on the callback.
          public String getSessionState(String provided_state)
          {
              return getSessionAttribute(String.format(PROP_STATE_FMT, provided_state));
          }
          ...

      (and subsequently changing the logic in https://github.com/xwiki-contrib/oidc/blob/master/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/endpoint/CallbackOIDCEndpoint.java#L145-L162)
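      The overwrite described in steps 3 to 6, and the "collection of acceptable state values" alternative, as an added example that is not code from the xwiki-contrib/oidc project: a small Java model of the session store in which the class and attribute names (OidcStateRace, SingleSlotStore, PendingStatesStore, oidc.pending_states) are assumed for illustration. It replays the two-window sequence against both stores and also checks that a state is accepted only once.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example; models the issue, not the project's own code. */
public class OidcStateRace {

    /** Stand-in for HttpSession attribute storage (constructed for this example). */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        Object get(String key) { return attrs.get(key); }
        void set(String key, Object value) { attrs.put(key, value); }
    }

    interface StateStore {
        /** Called before redirecting the browser to the OP; returns the state to send. */
        String beginFlow(Session session);
        /** Called on the callback; true if the returned state is acceptable. */
        boolean completeFlow(Session session, String returned);
    }

    static final SecureRandom RNG = new SecureRandom();

    static String newState() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    static boolean sameState(String a, String b) {
        return a != null && b != null && MessageDigest.isEqual(
            a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /** Behaviour reported in this issue: one PROP_STATE slot, overwritten by every new window. */
    static final class SingleSlotStore implements StateStore {
        static final String PROP_STATE = "oidc.state";

        public String beginFlow(Session session) {
            String state = newState();
            session.set(PROP_STATE, state); // clobbers whatever an earlier window stored
            return state;
        }

        public boolean completeFlow(Session session, String returned) {
            Object expected = session.get(PROP_STATE);
            boolean ok = expected instanceof String && sameState((String) expected, returned);
            if (ok) session.set(PROP_STATE, null); // consume on success (single use)
            return ok;
        }
    }

    /** Alternative from the issue: a collection of acceptable states, looked up on callback. */
    static final class PendingStatesStore implements StateStore {
        static final String PROP_PENDING = "oidc.pending_states"; // hypothetical attribute name
        static final int MAX_PENDING = 16;           // bound per-session growth
        static final long TTL_MILLIS = 10 * 60_000L; // a flow older than this is stale

        @SuppressWarnings("unchecked")
        private Map<String, Long> pending(Session session) {
            Object v = session.get(PROP_PENDING);
            if (v == null) {
                v = new LinkedHashMap<String, Long>(); // insertion order == age order
                session.set(PROP_PENDING, v);
            }
            return (Map<String, Long>) v;
        }

        public String beginFlow(Session session) {
            Map<String, Long> p = pending(session);
            long now = System.currentTimeMillis();
            p.values().removeIf(created -> now - created > TTL_MILLIS); // drop expired flows
            Iterator<String> oldest = p.keySet().iterator();
            while (p.size() >= MAX_PENDING && oldest.hasNext()) { oldest.next(); oldest.remove(); }
            String state = newState();
            p.put(state, now);
            return state;
        }

        public boolean completeFlow(Session session, String returned) {
            if (returned == null || returned.isEmpty()) return false;
            Long created = pending(session).remove(returned); // single use: consumed on first callback
            return created != null && System.currentTimeMillis() - created <= TTL_MILLIS;
        }
    }

    /** Replays steps 3 to 6 of the report: A and B both redirect, A's callback arrives first. */
    static boolean[] twoWindowScenario(StateStore store) {
        Session session = new Session();
        String stateA = store.beginFlow(session);            // window A redirected to the OP
        String stateB = store.beginFlow(session);            // window B redirected to the OP
        boolean aOk = store.completeFlow(session, stateA);   // A's callback arrives first
        boolean bOk = store.completeFlow(session, stateB);   // then B's
        boolean replayOk = store.completeFlow(session, stateA); // a reused state must be refused
        return new boolean[] { aOk, bOk, replayOk };
    }

    public static void main(String[] args) {
        boolean[] single = twoWindowScenario(new SingleSlotStore());
        boolean[] pending = twoWindowScenario(new PendingStatesStore());
        System.out.printf("single slot : A=%b B=%b replay=%b%n", single[0], single[1], single[2]);
        System.out.printf("pending set : A=%b B=%b replay=%b%n", pending[0], pending[1], pending[2]);
    }
}
```

      With the single slot, window A's callback fails and only B completes, which is the reported symptom; with the pending set both complete and the replayed state is refused. The reporter's `oidc.state.%s` key format gives the same per-window isolation, but either variant needs the same two properties shown here: the entry is removed on first use, and the number of pending entries per session is bounded and expired, otherwise every abandoned window leaves another attribute behind in the session.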

People

    Assignee: Unassigned
    Reporter: cvolny (Cupcake Volny)