NUKIB/misp

OAuth Azure AD/OIDC authentication issue SOLUTION

GuillaumeBrn opened this issue · 0 comments

Hello,

The purpose of this issue is to keep other people from wasting as much time as I've wasted investigating an issue related to Azure AD authentication. I hope posting like this respects the rules; otherwise, sorry for that.
First of all, note that I've been enabling AAD through an integration for which I've created a pull request that hasn't been accepted for the moment - still, it definitely works. It implements the Azure AD plugin from the official MISP repo. But it could also happen with the OIDC auth provided by NUKIB, so whether you are going for AAD or OIDC, I want to provide the workaround for this issue - I hope it will benefit at least someone.

The problem for me was about the Session ID. It is actually stored in the browser in the MISP-session-xxxx cookie. The issue is that when you are going to the login.microsoftonline.com thing and are sent back to MISP, the cookie disappears and the Session ID is renewed. Because of this, MISP is never able to validate the authentication workflow. Indeed, this condition in the source code of the AAD plugin is never satisfied, so you never ask for a token, and so you are never logged in.

The workaround for this is REALLY EASY, but it took me so long to figure out what the source of the problem was (all this Session ID and cookie things). The problem is actually that this MISP-session-xxxxx cookie has its SameSite set to Strict, which means that as soon as you leave MISP to go into the Microsoft workflow, you lose the cookie. This explains why the workflow is either not working at all, or sometimes you have to press the "Login with Azure AD" button twice.

The solution is: setting this cookie to have SameSite=Lax (PHP_SESSIONS_COOKIE_SAMESITE: "Lax" in docker-compose.yml). What is strange is that NUKIB actually has an environment variable for this (PHP_SESSIONS_COOKIE_SAMESITE) but never explains that it's mandatory... Maybe I've been missing or misunderstanding something.

Hope it will help someone.
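
The cookie behaviour described in the post, modelled as an added example that is not part of the original issue or of the MISP/NUKIB code. The function names are hypothetical and the Set-Cookie values are constructed; the POST case (an identity provider returning with the `form_post` response mode) goes beyond what the post covers and shows that Lax only carries the cookie on a GET return.

```python
from typing import Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed Set-Cookie values; the cookie name is the placeholder used in the post.
STRICT = "MISP-session-xxxx=constructed; path=/; HttpOnly; SameSite=Strict"
LAX = "MISP-session-xxxx=constructed; path=/; HttpOnly; SameSite=Lax"


def parse_samesite(set_cookie: str) -> Tuple[str, Optional[str]]:
    """Return (cookie name, SameSite value) from one Set-Cookie header value.

    SameSite is None when the attribute is absent (handling is browser-dependent).
    """
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    samesite = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            samesite = value.strip().capitalize()
    return name, samesite


def cookie_sent(samesite: str, cross_site: bool, top_level: bool, method: str) -> bool:
    """Apply the SameSite rules to a single request."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError(f"explicit SameSite value required, got {samesite!r}")
    if not cross_site or samesite == "None":
        return True
    if samesite == "Lax":
        # Lax: only top-level navigations with a safe method carry the cookie.
        return top_level and method.upper() in SAFE_METHODS
    return False  # Strict: never sent on a request initiated by another site


def oidc_return_keeps_session(set_cookie: str, method: str = "GET") -> bool:
    """Model the identity provider sending the browser back to the application:
    a cross-site, top-level navigation (GET redirect, or POST for form_post)."""
    _, samesite = parse_samesite(set_cookie)
    return cookie_sent(samesite, cross_site=True, top_level=True, method=method)


if __name__ == "__main__":
    for label, header in (("Strict", STRICT), ("Lax", LAX)):
        print(label, "GET :", oidc_return_keeps_session(header))
        print(label, "POST:", oidc_return_keeps_session(header, "POST"))
```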