Problema CSRF en desarrollo con el plugin 'Discourse OpenID Connect'

wayway_way · 19 Octubre, 2023 12:05

He dedicado cinco o seis semanas a configurar el SSO de Discourse y encontré algunos problemas durante este periodo. Ahora hay un problema que me está bloqueando. Voy a registrar este problema con el mayor detalle posible.

Entorno de desarrollo

Ubuntu 22 en VMware
Discourse 3.2.0.beta2-dev
- el servidor se ejecuta en 127.0.0.1:3000
- ember-cli se ejecuta en 127.0.0.1:4200
- Instalar Discourse en Ubuntu o Debian para desarrollo
- plugins desactivados:
  - presence
  - chat
  - narrative bot
- Uso del plugin Discourse OpenID Connect para conectar Keycloak basado en OIDC, con Keycloak como proveedor de identidad de Discourse
  - Configuración de la conexión OIDC en Discourse OpenID Connect:
    - documento de descubrimiento OpenID Connect: http://127.0.0.1:8080/realms/mediawiki-realm/.well-known/openid-configuration
    - ID de cliente OpenID Connect: mydiscourse
    - secreto del cliente OpenID Connect: O9A8zQuOn1bfpsWD89U8ULwYf6ooDu73
Proveedor SSO: Keycloak 22.0.4
- se ejecuta en 127.0.0.1:8080
- Configuración de la conexión OIDC en Keycloak:
  - URIs de redirección válidas: http://127.0.0.1:3000/auth/oidc/callback
  - Secreto del cliente: O9A8zQuOn1bfpsWD89U8ULwYf6ooDu73
Chrome versión 118.0.5993.70

Proceso de reproducción

Iniciar sesión con OIDC

Discourse redirige a Keycloak; ingresar información del usuario en Keycloak

CSRF

Registros

//

//

//

// Rastreo de la aplicación

lib/middleware/omniauth_bypass_middleware.rb:53:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/gtm_script_nonce_injector.rb:10:in `call'
config/initializers/100-quiet_logger.rb:20:in `call'
config/initializers/100-silence_logger.rb:29:in `call'
lib/middleware/missing_avatars.rb:22:in `call'
lib/middleware/turbo_dev.rb:31:in `call'

// Rastreo del framework

omniauth (1.9.2) lib/omniauth/failure_endpoint.rb:25:in `raise_out!'
omniauth (1.9.2) lib/omniauth/failure_endpoint.rb:20:in `call'
omniauth (1.9.2) lib/omniauth/failure_endpoint.rb:12:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:491:in `fail!'
/home/hardway/Downloads/omniauth-oauth2/lib/omniauth/strategies/oauth2.rb:88:in `callback_phase'
plugins/discourse-openid-connect/lib/omniauth_open_id_connect.rb:142:in `callback_phase'
omniauth (1.9.2) lib/omniauth/strategy.rb:238:in `callback_call'
omniauth (1.9.2) lib/omniauth/strategy.rb:189:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/builder.rb:45:in `call'
rack (2.2.8) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.8) lib/rack/conditional_get.rb:27:in `call'
rack (2.2.8) lib/rack/head.rb:12:in `call'
actionpack (7.0.7) lib/action_dispatch/http/permissions_policy.rb:38:in `call'
rack (2.2.8) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.8) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/cookies.rb:704:in `call'
activerecord (7.0.7) lib/active_record/migration.rb:603:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (7.0.7) lib/active_support/callbacks.rb:99:in `run_callbacks'
actionpack (7.0.7) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/show_exceptions.rb:29:in `call'
logster (2.13.0) lib/logster/middleware/reporter.rb:40:in `call'
railties (7.0.7) lib/rails/rack/logger.rb:40:in `call_app'
railties (7.0.7) lib/rails/rack/logger.rb:27:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/request_id.rb:26:in `call'
rack (2.2.8) lib/rack/method_override.rb:24:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/static.rb:23:in `call'
rack (2.2.8) lib/rack/sendfile.rb:110:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/host_authorization.rb:137:in `call'
rack-mini-profiler (3.1.1) lib/mini_profiler.rb:413:in `call'
message_bus (4.3.8) lib/message_bus/rack/middleware.rb:60:in `call'
railties (7.0.7) lib/rails/engine.rb:530:in `call'
railties (7.0.7) lib/rails/railtie.rb:226:in `public_send'
railties (7.0.7) lib/rails/railtie.rb:226:in `method_missing'
rack (2.2.8) lib/rack/urlmap.rb:74:in `block in call'
rack (2.2.8) lib/rack/urlmap.rb:58:in `each'
rack (2.2.8) lib/rack/urlmap.rb:58:in `call'
unicorn (6.1.0) lib/unicorn/http_server.rb:634:in `process_client'
unicorn (6.1.0) lib/unicorn/http_server.rb:739:in `worker_loop'
unicorn (6.1.0) lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
unicorn (6.1.0) lib/unicorn/http_server.rb:143:in `start'
unicorn (6.1.0) bin/unicorn:128:in `\u003ctop (required)\u003e'
bin/unicorn:96:in `load'
bin/unicorn:96:in `block in \u003cmain\u003e'
bin/unicorn:95:in `fork'
bin/unicorn:95:in `\u003cmain\u003e'

// Rastreo completo

omniauth (1.9.2) lib/omniauth/failure_endpoint.rb:25:in `raise_out!'
omniauth (1.9.2) lib/omniauth/failure_endpoint.rb:20:in `call'
omniauth (1.9.2) lib/omniauth/failure_endpoint.rb:12:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:491:in `fail!'
/home/hardway/Downloads/omniauth-oauth2/lib/omniauth/strategies/oauth2.rb:88:in `callback_phase'
plugins/discourse-openid-connect/lib/omniauth_open_id_connect.rb:142:in `callback_phase'
omniauth (1.9.2) lib/omniauth/strategy.rb:238:in `callback_call'
omniauth (1.9.2) lib/omniauth/strategy.rb:189:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (1.9.2) lib/omniauth/builder.rb:45:in `call'
lib/middleware/omniauth_bypass_middleware.rb:53:in `call'
rack (2.2.8) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.8) lib/rack/conditional_get.rb:27:in `call'
rack (2.2.8) lib/rack/head.rb:12:in `call'
actionpack (7.0.7) lib/action_dispatch/http/permissions_policy.rb:38:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/gtm_script_nonce_injector.rb:10:in `call'
rack (2.2.8) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.8) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/cookies.rb:704:in `call'
activerecord (7.0.7) lib/active_record/migration.rb:603:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (7.0.7) lib/active_support/callbacks.rb:99:in `run_callbacks'
actionpack (7.0.7) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/show_exceptions.rb:29:in `call'
logster (2.13.0) lib/logster/middleware/reporter.rb:40:in `call'
railties (7.0.7) lib/rails/rack/logger.rb:40:in `call_app'
railties (7.0.7) lib/rails/rack/logger.rb:27:in `call'
config/initializers/100-quiet_logger.rb:20:in `call'
config/initializers/100-silence_logger.rb:29:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/request_id.rb:26:in `call'
rack (2.2.8) lib/rack/method_override.rb:24:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/static.rb:23:in `call'
rack (2.2.8) lib/rack/sendfile.rb:110:in `call'
actionpack (7.0.7) lib/action_dispatch/middleware/host_authorization.rb:137:in `call'
lib/middleware/missing_avatars.rb:22:in `call'
lib/middleware/turbo_dev.rb:31:in `call'
rack-mini-profiler (3.1.1) lib/mini_profiler.rb:413:in `call'
message_bus (4.3.8) lib/message_bus/rack/middleware.rb:60:in `call'
railties (7.0.7) lib/rails/engine.rb:530:in `call'
railties (7.0.7) lib/rails/railtie.rb:226:in `public_send'
railties (7.0.7) lib/rails/railtie.rb:226:in `method_missing'
rack (2.2.8) lib/rack/urlmap.rb:74:in `block in call'
rack (2.2.8) lib/rack/urlmap.rb:58:in `each'
rack (2.2.8) lib/rack/urlmap.rb:58:in `call'
unicorn (6.1.0) lib/unicorn/http_server.rb:634:in `process_client'
unicorn (6.1.0) lib/unicorn/http_server.rb:739:in `worker_loop'
unicorn (6.1.0) lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
unicorn (6.1.0) lib/unicorn/http_server.rb:143:in `start'
unicorn (6.1.0) bin/unicorn:128:in `\u003ctop (required)\u003e'
bin/unicorn:96:in `load'
bin/unicorn:96:in `block in \u003cmain\u003e'
bin/unicorn:95:in `fork'
bin/unicorn:95:in `\u003cmain\u003e'

Posible causa

Orientación o consejos que necesito

¿Cómo funciona la autenticación en Discourse?
¿Cómo utiliza Discourse la sesión?
Mecanismo de mensajería de Discourse
Sería ideal si pudieran indicarme directamente la solución

simon · 19 Octubre, 2023 19:34

Posiblemente no relacionado, pero ¿cambia algo al configurar las URIs de redirección válidas a http://127.0.0.1:4200/auth/oidc/callback?

Además, actualmente está sucediendo algo extraño con el entorno de desarrollo de Ubuntu/Debian, donde el sitio se puede acceder en localhost:4200 o 127.0.0.1:4200. Cada uno de esos dominios crea una sesión separada. Probablemente no esté relacionado con tu problema, pero tal vez sea algo que pueda causar problemas para el desarrollo local. Siempre uso el dominio localhost:4200. Parece que es lo que se espera.

david · 19 Octubre, 2023 22:17

Sí, este sería mi primer pensamiento también. Es importante que el flujo de autenticación comience y termine en el mismo puerto, de lo contrario, la sesión puede ser diferente.

Si inicias Rails y Ember-CLI juntos a través de bin/ember-cli -u, entonces todo debería configurarse automáticamente para ti. Pero si los inicias por separado, asegúrate de establecer el entorno DISCOURSE_PORT=4200 en el servidor Rails para que todo coincida correctamente.

wayway_way · 20 Octubre, 2023 03:57

Intenté, pero aparece “Parámetro no válido: redirect_uri” en Keycloak.

Arranca Rails y Ember-CLI juntos a través de bin/ember-cli -u

Establece las URI de redirección válidas en http://127.0.0.1:4200/auth/oidc/callback.

wayway_way · 20 Octubre, 2023 06:57

Parece que la causa es una discrepancia entre las URI de redirección válidas en Keycloak y las URI que se muestran en la siguiente ilustración.

La URI que se muestra en la imagen es

http://127.0.0.1:8080/realms/mediawiki-realm/protocol/openid-connect/auth?client_id=mydiscourse&nonce=dce3dd8bccb09b25f88d1645d26b9d20b58e3d2ff3804f83ed79098c793a5ae2&redirect_uri=http%3A%2F%2F127.0.0.1%3A3000%2Fauth%2Foidc%2Fcallback&response_type=code&scope=openid+profile+email&state=7fd712dd2b28c8264eac170721b898b26ae8fb2edb9a2e9f

Al decodificar la ‘redirect_uri’, su equivalencia a

http://127.0.0.1:3000/auth/oidc/callback

¿Cuál debería ser, de hecho, la ‘redirect_uri’ correcta?

wayway_way · 20 Octubre, 2023 14:07

¿Sería tan amable de divulgar la plataforma utilizada para la verificación de identidad durante la creación de este plugin?

wayway_way · 23 Octubre, 2023 03:25

Gracias, funciona.
Mi solución alternativa fue abrir discourse usando 127.0.0.1:4200 en lugar de localhost:4200

simon · 28 Octubre, 2023 07:34

No lo recomiendo, pero para el desarrollo local adopté el enfoque algo brutal de editar el método callback_url del plugin: discourse-openid-connect/lib/omniauth_open_id_connect.rb at main · discourse/discourse-openid-connect · GitHub.

     def callback_url
        full_host = 'http://localhost:4200'
        full_host + script_name + callback_path
      end

De esa manera, siempre devuelve http://localhost:4200/auth/oidc/callback

Sin ese cambio, no pude encontrar una manera de que la parte del host de la URL se estableciera en algo que no fuera http://127.0.0.1:3000

Tema		Respuestas	Vistas
OpenID Connect extension not creating new Discourse users Support	20	4570	11 Febrero 2019
Redirecting from Keycloak to discourse with OIDC SSO	1	977	16 Diciembre 2021
Error using discourse-oauth2-basic plugin with NeonCRM SSO oauth2	28	4775	12 Febrero 2020
Discourse OpenID Connect (OIDC) Plugin official , included-in-core , auth-plugins , openid-connect	48	49126	27 Mayo 2026
Discourse ID fails to activate on my instance SSO discourse-id , unsupported-install	26	598	22 Octubre 2025