Add config option to bypass cookie checking on SSO callback.

Signed-off-by: Jason Volk <jason@zemos.net>
Jason Volk
2026-02-26 05:00:42 +00:00
parent 9e09162817
commit 99bbcb34b6
3 changed files with 35 additions and 15 deletions


@@ -301,24 +301,28 @@ pub(crate) async fn sso_callback_route(
return Err!(Request(Unauthorized("Authorization grant session has expired."))); return Err!(Request(Unauthorized("Authorization grant session has expired.")));
} }
let cookie = body if provider.check_cookie {
.cookie let cookie = body
.get(GRANT_SESSION_COOKIE) .cookie
.map(Cookie::value) .get(GRANT_SESSION_COOKIE)
.map(serde_html_form::from_str::<GrantCookie<'_>>) .map(Cookie::value)
.transpose()? .map(serde_html_form::from_str::<GrantCookie<'_>>)
.ok_or_else(|| err!(Request(Unauthorized("Missing cookie {GRANT_SESSION_COOKIE:?}"))))?; .transpose()?
.ok_or_else(|| {
err!(Request(Unauthorized("Missing cookie {GRANT_SESSION_COOKIE:?}")))
})?;
if cookie.client_id.as_ref() != client_id.as_str() { if cookie.client_id.as_ref() != client_id.as_str() {
return Err!(Request(Unauthorized("Client ID {client_id:?} cookie mismatch."))); return Err!(Request(Unauthorized("Client ID {client_id:?} cookie mismatch.")));
} }
if Some(cookie.nonce.as_ref()) != session.cookie_nonce.as_deref() { if Some(cookie.nonce.as_ref()) != session.cookie_nonce.as_deref() {
return Err!(Request(Unauthorized("Cookie nonce does not match session state."))); return Err!(Request(Unauthorized("Cookie nonce does not match session state.")));
} }
if cookie.state.as_ref() != sess_id { if cookie.state.as_ref() != sess_id {
return Err!(Request(Unauthorized("Session ID {sess_id:?} cookie mismatch."))); return Err!(Request(Unauthorized("Session ID {sess_id:?} cookie mismatch.")));
}
} }
// Request access token. // Request access token.
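Review bot: When `provider.check_cookie` is false the whole cookie block is skipped silently: the client ID, nonce and session ID comparisons never run, and nothing in the visible lines records that the callback was accepted without them. Those three comparisons are what tie the callback to the browser that started the grant, so with the option off only the checks before the block, such as the grant session expiry, remain. I would add an `else` branch that emits a warning-level log naming the provider each time the check is bypassed, so the accepted risk stays visible in operations. A comment on the `if` would also help, for example `// Skipped only when the operator set check_cookie = false; the callback is then not bound to the initiating browser.` The body of sso_callback_route starts and ends outside this hunk, so a log elsewhere in the function cannot be ruled out.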


@@ -2768,6 +2768,15 @@ pub struct IdentityProvider {
/// default: 300 /// default: 300
#[serde(default = "default_sso_grant_session_duration")] #[serde(default = "default_sso_grant_session_duration")]
pub grant_session_duration: Option<u64>, pub grant_session_duration: Option<u64>,
/// Whether to check the redirect cookie during the callback. This is a
/// security feature and should remain enabled. This is available for
/// developers or deployments which cannot tolerate cookies and are willing
/// to tolerate the risks.
///
/// default: true
#[serde(default = "true_fn")]
pub check_cookie: bool,
} }
impl IdentityProvider { impl IdentityProvider {
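Review bot: The doc comment on `check_cookie` asks operators to be "willing to tolerate the risks" without saying what the check protects, so the person flipping the switch cannot judge the trade-off. Going by the callback hunk, the cookie carries the client ID, a nonce and the session ID and is compared against the grant session. One added line would state this: `/// When disabled, the callback is no longer verified to come from the browser that started the login.` The example config section carries the same text and should be updated with it.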


@@ -2378,6 +2378,13 @@
# #
#grant_session_duration = 300 #grant_session_duration = 300
# Whether to check the redirect cookie during the callback. This is a
# security feature and should remain enabled. This is available for
# developers or deployments which cannot tolerate cookies and are willing
# to tolerate the risks.
#
#check_cookie = true
#[global.appservice.<ID>] #[global.appservice.<ID>]