
OIDC logon workflow fails when attempted through application proxy with session cookies #1183

b3rs3rk opened this issue Mar 1, 2025 · 0 comments
Labels
enhancement New feature or request

Comments


b3rs3rk commented Mar 1, 2025

Current Behavior

When you enable OIDC in Dependency Track behind an application proxy with session tracking (e.g. F5 BIG-IP APM) OIDC logons do not function properly. This is because the OIDC logon flow invokes the /.well-known/openid-configuration endpoint for the SSO IdP provider URL from the client, but does not include any cookies that the client browser currently has registered for that site.

Background:

I have a domain called example.com. I have dtrack.example.com and I have sso.example.com for Dependency Track and Keycloak respectively. When a user first logs into any application I proxy including Keycloak logons, they are required to fulfill the F5 APM policy evaluation first, which is a redirect to login.example.com/my.policy. Once the policy evaluation succeeds, the client browser is granted a domain cookie called MRHSession that is valid for all example.com access. The logon works without issue, and access to dtrack.example.com is permitted because this MRHSession cookie provided by the F5 is included in all browser requests for the domain example.com once issued. This is called domain cookie-ing. LDAP-based logons through form-based authentication continue to function with this configuration because the browser automatically includes the domain cookie when submitting the form.

Issue:

When OIDC is enabled in Dependency Track, the user gets a new logon option in the form of a button instead of the typical username+password logon form. This button, once pressed, invokes the openid-configuration endpoint from the client to the SSO IdP, which is sent without the domain cookie (MRHSession) that will allow it to bypass the F5 APM logon requirements. So the openid-configuration request gets redirected to the policy evaluation by the F5 as if it were an entirely new client session.

Proposed Behavior

OIDC logon functions correctly, because the openid-configuration endpoint request, and all subsequent requests of this nature, preserve all cookies eligible for the SSO provider URL including ones valid for a lower level domain in the hierarchy.
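A client-side sketch of the behaviour the report asks for, added here as an example and not code from Dependency-Track or Keycloak: the discovery request is sent with cookies included so a domain cookie such as MRHSession travels with it, and a proxy answer that redirected to the policy page is recognised instead of being parsed as JSON. The `/my.policy` path and the example.com hostnames come from the report; the function names and the `POLICY_PATH_HINT` constant are assumptions.

```javascript
// Assumed marker for the proxy's policy page (the report names /my.policy).
const POLICY_PATH_HINT = "/my.policy";

// Build the request for <issuer>/.well-known/openid-configuration.
// credentials: "include" makes the browser attach cookies eligible for the
// IdP host, including a cookie scoped to the parent domain (example.com),
// to this cross-origin request; the default "same-origin" drops them.
// The IdP must then reply with Access-Control-Allow-Credentials: true and
// an explicit (non-wildcard) Access-Control-Allow-Origin for the call to succeed.
function buildDiscoveryRequest(issuerUrl) {
  const base = issuerUrl.endsWith("/") ? issuerUrl : issuerUrl + "/";
  return {
    url: new URL(".well-known/openid-configuration", base).toString(),
    init: {
      method: "GET",
      credentials: "include",
      redirect: "follow",
      headers: { Accept: "application/json" },
    },
  };
}

// Classify the answer. A proxy that treated the request as a fresh session
// redirects to its policy page: the browser follows it, response.redirected
// is true and the final URL points at the policy path rather than the IdP.
function classifyDiscoveryResponse({ redirected, url, contentType, bodyText }) {
  if (redirected && String(url).includes(POLICY_PATH_HINT)) return "proxy-policy-redirect";
  if (!/application\/json/i.test(contentType || "")) return "not-json";
  let doc;
  try { doc = JSON.parse(bodyText); } catch { return "not-json"; }
  const ok = typeof doc.issuer === "string" && typeof doc.authorization_endpoint === "string";
  return ok ? "ok" : "incomplete-discovery-document";
}

// Fetch and validate the discovery document; fetchImpl is injectable for tests.
async function discoverOidcConfiguration(issuerUrl, fetchImpl = fetch) {
  const { url, init } = buildDiscoveryRequest(issuerUrl);
  const res = await fetchImpl(url, init);
  const bodyText = await res.text();
  const verdict = classifyDiscoveryResponse({
    redirected: res.redirected, url: res.url,
    contentType: res.headers.get("content-type"), bodyText,
  });
  if (verdict !== "ok") throw new Error(`OIDC discovery failed: ${verdict} (${res.url})`);
  return JSON.parse(bodyText);
}
```

Surfacing "proxy-policy-redirect" as a distinct error makes the failure described in the report visible in the browser console instead of appearing as a generic JSON parse error.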
