enhancement: same site strict cookies (#8716)

To enhance the security of our application and prevent Cross-Site Request Forgery (CSRF) attacks, we have updated the SameSite attribute of the build in Identity Provider (IDP) cookies to Strict.
2026-01-06 12:19:37 -06:00 · 2024-03-25 10:16:10 +01:00
parent b65dbd28cd
commit f04be9f870
18 changed files with 136 additions and 56 deletions
--- a/services/idp/pkg/backends/cs3/bootstrap/cs3.go
+++ b/services/idp/pkg/backends/cs3/bootstrap/cs3.go
@@ -25,6 +25,7 @@ import (
 	"github.com/libregraph/lico/identifier"
 	"github.com/libregraph/lico/identity"
 	"github.com/libregraph/lico/identity/managers"
+
 	cs3 "github.com/owncloud/ocis/v2/services/idp/pkg/backends/cs3/identifier"
 )

@@ -88,12 +89,18 @@ func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
 	activeIdentifier, err := identifier.NewIdentifier(&identifier.Config{
 		Config: config.Config,

-		BaseURI:         config.IssuerIdentifierURI,
-		PathPrefix:      bs.MakeURIPath(bootstrap.APITypeSignin, ""),
-		StaticFolder:    config.IdentifierClientPath,
-		LogonCookieName: "__Secure-KKT", // Kopano-Konnect-Token
-		ScopesConf:      config.IdentifierScopesConf,
-		WebAppDisabled:  config.IdentifierClientDisabled,
+		BaseURI:        config.IssuerIdentifierURI,
+		PathPrefix:     bs.MakeURIPath(bootstrap.APITypeSignin, ""),
+		StaticFolder:   config.IdentifierClientPath,
+		ScopesConf:     config.IdentifierScopesConf,
+		WebAppDisabled: config.IdentifierClientDisabled,
+
+		LogonCookieName:     "__Secure-KKT", // Kopano-Konnect-Token
+		LogonCookieSameSite: config.CookieSameSite,
+
+		ConsentCookieSameSite: config.CookieSameSite,
+
+		StateCookieSameSite: config.CookieSameSite,

 		AuthorizationEndpointURI: fullAuthorizationEndpointURL,
 		SignedOutEndpointURI:     fullSignedOutEndpointURL,
--- a/services/idp/pkg/config/config.go
+++ b/services/idp/pkg/config/config.go
@@ -2,6 +2,7 @@ package config

 import (
 	"context"
+	"net/http"

 	"github.com/owncloud/ocis/v2/ocis-pkg/shared"
 )
@@ -112,6 +113,7 @@ type Settings struct {

 	CookieBackendURI string
 	CookieNames      []string
+	CookieSameSite   http.SameSite

 	AccessTokenDurationSeconds        uint64 `yaml:"access_token_duration_seconds" env:"IDP_ACCESS_TOKEN_EXPIRATION" desc:"'Access token lifespan in seconds (time before an access token is expired).'" introductionVersion:"pre5.0"`
 	IDTokenDurationSeconds            uint64 `yaml:"id_token_duration_seconds" env:"IDP_ID_TOKEN_EXPIRATION" desc:"ID token lifespan in seconds (time before an ID token is expired)." introductionVersion:"pre5.0"`
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -1,6 +1,7 @@
 package defaults

 import (
+	"net/http"
 	"path/filepath"
 	"strings"

@@ -64,6 +65,7 @@ func DefaultConfig() *config.Config {
 			ValidationKeysPath:                "",
 			CookieBackendURI:                  "",
 			CookieNames:                       nil,
+			CookieSameSite:                    http.SameSiteStrictMode,
 			AccessTokenDurationSeconds:        60 * 5,            // 5 minutes
 			IDTokenDurationSeconds:            60 * 5,            // 5 minutes
 			RefreshTokenDurationSeconds:       60 * 60 * 24 * 30, // 30 days