SSO/OIDC with redirect and nextcloud's form-action CSP do not play nice together #29317
Labels: 0. Needs triage, 25-feedback, bug, feature: authentication, needs review
Explanation
This issue is related to #16711 from @rullzer.

Background: You will remember (:roll_eyes: ) that Chrome and Firefox apply the `form-action` CSP differently when the response to a form request is a redirect. This is currently undefined behavior and the W3C has not yet decided what to do about it. Firefox does not apply the `form-action` CSP, but Chrome does.

The above merged PR from @rullzer fixes the case where Nextcloud responds to the `POST /login/flow` request with a `303` redirect to the OIDC callback url. This is working fine.

However... what happens when the service being redirected to itself issues a redirect to a different origin (that wasn't in the original allowed `form-action` source list)?

Well for Firefox this works just fine as it doesn't keep the `form-action` CSP around.

On Chrome/Edge, the "Grant Access" button just spins for a long time and if you open the console you see:
```
Refused to send form data to 'ORIGINAL <NC>/login/flow' because it violates the following Content Security Policy directive: "form-action 'self' https://oidc-callback-url".
```
The solution is to ensure that the domain for the 2nd redirect is included in the original `form-action` CSP.

I was able to manually add this by editing `lib/public/AppFramework/Http/ContentSecurityPolicy.php` and appending my extra domain to the `$allowedFormActionDomains` array.

I'm not sure what the proper solution is here. As a nextcloud administrator I need to have some way to allow certain domains in the `form-action` policy. But the workaround in the previous paragraph is NOT a good solution as it applies to every form in the application, whereas it is only required for the `POST /login/flow` during the oauth/oidc workflow.

Maybe the "OAuth 2.0 clients" feature should allow additional URIs?
Steps to reproduce
This is rather cumbersome to reproduce as you will need a third-party software authenticating to Nextcloud's oidc provider.
Expected behaviour
The oauth login flow should complete without error
Actual behaviour
Firefox: Everything works fine
Chrome/Edge: The login flow fails after pressing the "Grant Access" button in nextcloud.
Given:

Then the `POST https://nextcloud.example.com/login/flow` returns `303` redirect with `Location: https://matrix.example.com/_synapse/client/oidc/callback`, and this also returns a `302` redirect to `https://chat.example.com/something/something`.

So from Chrome's point of view all three domains must exist in the `form-action` CSP, but only the first two are included.

Server configuration
Operating system: linux
Web server: apache
Database: postgres
PHP version: 21.0.5
Nextcloud version: 21.0.5
Updated from an older Nextcloud/ownCloud or fresh install: no
Where did you install Nextcloud from: official docker image `21-apache` tag
Signing status:
List of activated apps:
Nextcloud configuration:
Are you using external storage, if yes which one: local + sftp
Are you using encryption: no
Are you using an external user-backend, if yes which one: no
Client configuration
Browser: Chrome + Firefox
Operating system: Windows + Linux + Mac
Logs
```
Refused to send form data to 'ORIGINAL <NC>/login/flow' because it violates the following Content Security Policy directive: "form-action 'self' https://oidc-callback-url".
```
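To make the browser difference described in this report concrete, here is an added example (not code from the issue, Nextcloud or any browser) that simulates `form-action` enforcement over the reported three-hop redirect chain: Firefox checks only the initial form target, Chrome/Edge re-checks every redirect hop. Hostnames, the policy string and the simplified CSP host-source matching (`'self'`, `scheme://host[:port]`, `*.host`) are constructed assumptions for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed redirect chain mirroring the report: the Nextcloud form POST is answered
# with a 303 to the Synapse OIDC callback, which in turn 302s to the chat front-end.
SELF_ORIGIN = "https://nextcloud.example.com"
REDIRECT_CHAIN = [
    "https://nextcloud.example.com/login/flow",
    "https://matrix.example.com/_synapse/client/oidc/callback",
    "https://chat.example.com/something/something",
]
ORIGINAL_POLICY = "'self' https://matrix.example.com"  # assumed form-action source list


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_matches(source: str, url: str, self_origin: str) -> bool:
    """Simplified CSP host-source matching: 'self', scheme://host[:port] and *.host."""
    if source == "'self'":
        return origin_of(url) == self_origin.lower()
    if source.startswith("'"):  # 'none' or a keyword this simulation does not model
        return False
    target = urlsplit(url)
    src = urlsplit(source if "://" in source else "https://" + source)
    if "://" in source and src.scheme != target.scheme:  # scheme-less sources match any
        return False
    host, want = target.hostname or "", src.hostname or ""
    host_ok = host == want or (want.startswith("*.") and host.endswith(want[1:]))
    return host_ok and src.port in (None, target.port)


def enforce(policy: str, chain: list[str], self_origin: str, recheck_redirects: bool):
    """Return (allowed, blocked_url). Firefox drops the form-action check after the
    first hop (recheck_redirects=False); Chrome/Edge re-apply it to every redirect."""
    sources = policy.split()
    for url in chain if recheck_redirects else chain[:1]:
        if not any(source_matches(s, url, self_origin) for s in sources):
            return False, url
    return True, None


def missing_sources(policy: str, chain: list[str], self_origin: str) -> list[str]:
    """Origins an administrator would have to add for the chain to pass in Chrome."""
    missing: list[str] = []
    for url in chain:
        if not any(source_matches(s, url, self_origin) for s in policy.split()):
            if origin_of(url) not in missing:
                missing.append(origin_of(url))
    return missing
```

Running `missing_sources` against a real redirect chain captured from the browser's network tab is the quickest way to see which origin the reported console error is complaining about.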