Add passthrough_nonce for some oidc endpoints and migration. nonce oidc check working for headscale/plane via browser

Author: NotChristianGarcia

README.md

@@ -97,12 +97,12 @@ migrations. Here are the steps:
 3. Shut down all the services (``make clean``).
 4. Start up the db containers (``make init_dbs``).
 5. Run the existing migrations (``make migrate.upgrade``).
-6. Exec into a new migrations container:
-   docker run -it --entrypoint=bash --network=authenticator_authenticator tapis/authenticator-migrations
-7. Once inside the container:
-  $ flask db migrate
-  $ flask db upgrade   
-Note that the migrate step should create a new migration Python source file in /home/tapis/migrations/versions/
+6. Exec into a new migrations container:  
+   `docker run -it --entrypoint=bash --network=authenticator_authenticator tapis/authenticator-migrations`
+7. Once inside the container:  
+    1. `flask db migrate`
+    2. `flask db upgrade`
+    3. Note that the migrate step should create a new migration Python source file in /home/tapis/migrations/versions/
 Note also that the upgrade step (that applies the generated file) could fail if, for example, your changes include 
 a new, non-nullable field. For such changes, you will need to make custom changes to the migration Python source
 file. 
@@ -338,12 +338,12 @@ redirecting your user to the /oauth2/authorize URL and passing the following:
 ```
 client_id=<your_client_id>
 redirect_uri=<your_redirect_uri>
-response_tyep=code
+response_type=code
 ```
 
 For example:
 ```
-1) GET http://localhost:5000/v3/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirec_uri>&response_type=code
+1) GET http://localhost:5000/v3/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code
 
 ```
 

migrations/versions/migrations25Q4v2.py

@@ -0,0 +1,35 @@
+"""Migrations for the 2025 Q4 Authenticator release - version 2: adding nonce columns for complex oidc
+
+Revision ID: 25Q4v2
+Revises: 25Q4
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '25Q4v2'
+down_revision = '25Q4'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table('authorization_codes', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('passthrough_nonce', sa.String(length=200), nullable=True))
+
+    with op.batch_alter_table('device_codes', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('passthrough_nonce', sa.String(length=200), nullable=True))
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    with op.batch_alter_table('device_codes', schema=None) as batch_op:
+        batch_op.drop_column('passthrough_nonce')
+
+    with op.batch_alter_table('authorization_codes', schema=None) as batch_op:
+        batch_op.drop_column('passthrough_nonce')
+
+    # ### end Alembic commands ###

service/controllers.py

@@ -1267,6 +1267,18 @@ def get(self):
         # check if the grant type is supported by this tenant
         config = tenant_configs_cache.get_config(tenant_id)
         allowable_grant_types = json.loads(config.allowable_grant_types)
+
+        ## in case of oidc we save nonce to session for use later
+        nonce = (
+            request.args.get("nonce")
+            or request.form.get("nonce")
+            or request.cookies.get("nonce")
+            or session.get("nonce")
+        )
+        session["nonce"] = nonce  # Always write nonce to session, even if None or empty
+        if session["nonce"]:
+            logger.debug(f"inside of get auth - nonce derived: {nonce}, args: {request.args}, form: {request.form}, cookies: {request.cookies}")
+
         mfa_config = json.loads(config.mfa_config)
         user_code=request.args.get("user_code", None)
 
@@ -1382,6 +1394,7 @@ def get(self):
             "client_state": client_state,
             "device_login": session.get("device_login", None),
             "user_code": user_code,
+            "nonce": nonce,
         }
 
         auto_approve = Users.query.filter_by(username=username, client_id=client_id).first()
@@ -1392,15 +1405,16 @@ def get(self):
         logger.debug(f'Checking for auto approve ... ')
         if auto_approve and not is_device_flow:
             logger.debug(f'Found. Skipping authoriziation page.')
-            generate_authorization_code(tenant_id, username, client_id, client)
+            generate_authorization_code(tenant_id, username, client_id, client, nonce)
             auto_redirect = handle_response_type(
                 response_type,
                 allowable_grant_types,
                 tenant_id,
                 username,
                 client_id,
                 client,
-                client_state
+                client_state,
+                nonce=nonce
             )
             return auto_redirect
         logger.debug(f'Not found. Proceeding to authentication page')
@@ -1481,6 +1495,17 @@ def post(self):
         if mfa_response:
             return mfa_response
 
+        ## in case of oidc we save nonce to session for use later
+        nonce = (
+            request.args.get("nonce")
+            or request.form.get("nonce")
+            or request.cookies.get("nonce")
+            or session.get("nonce")
+        )
+        session["nonce"] = nonce  # Always write nonce to session, even if None or empty
+        if session["nonce"]:
+            logger.debug(f"inside of get auth - nonce derived: {nonce}, args: {request.args}, form: {request.form}, cookies: {request.cookies}")
+
         # TODO - Move this to the handle_response_type function
         if client_response_type == "device_code":
             if "device_code" not in allowable_grant_types:
@@ -1580,7 +1605,8 @@ def post(self):
                 username,
                 client_id,
                 client,
-                state
+                state,
+                nonce=nonce
             )
 
 
@@ -1823,13 +1849,15 @@ def _handle_tokens_request(request, oidc=False):
             )
             username = db_code.username
             idp_id = db_code.tapis_idp_id
+            passthrough_nonce = getattr(db_code, "passthrough_nonce", None)
         elif grant_type == "device_code":
             username = db_code.username
             ttl = db_code.access_token_ttl
             idp_id = db_code.tapis_idp_id
+            passthrough_nonce = getattr(db_code, "passthrough_nonce", None)
 
             logger.debug(
-                f"USERNAME: {username}; TTL: {ttl}; idp_id: {db_code.tapis_idp_id}"
+                f"device_code; USERNAME: {username}; TTL: {ttl}; idp_id: {db_code.tapis_idp_id}; passthrough_nonce: {passthrough_nonce}"
             )
 
         elif grant_type == "refresh_token":
@@ -1900,12 +1928,18 @@ def _handle_tokens_request(request, oidc=False):
         if idp_id:
             content["claims"]["tapis/idp_id"] = idp_id
         if oidc:
+            logger.debug('Top of OIDC in handle_token_request - passthrough_nonce', passthrough_nonce)
             if client_id:
                 # bookstack for example requires aud to match client id
                 content["claims"]["aud"] = client_id
             content["claims"]["iat"] = int(time.time())
             content["claims"]["extravar"] = username
             content["claims"]["email"] = username
+            # Set passthrough_nonce from authorization code if available
+            if grant_type == "authorization_code" and passthrough_nonce:
+                content["claims"]["nonce"] = passthrough_nonce
+            else:
+                content["claims"]["nonce"] = ""
 
         # only generate a refresh token when OAuth client is passed
         if client_id and client_key:
@@ -2036,7 +2070,14 @@ def _handle_tokens_request(request, oidc=False):
             raise errors.ResourceError(f"{msg}")
 
         if oidc:
-            logger.info("Token endpoint with OIDC flag set.")
+            logger.info("inside of POST /v3/oauth2/tokens with OIDC flag set")
+            logger.debug(f"request headers: {request.headers}")
+            logger.debug(f"request form: {request.form}")
+            logger.debug(f"request json: {request.json}")
+            logger.debug(f"request data: {request.data}")
+            logger.debug(f"request args: {request.args}")
+            logger.debug(f"request content type: {request.content_type}")
+            logger.debug(f"request base url: {request.base_url}")
             response_json = {
                 "access_token": result["access_token"]["access_token"],
                 "expires_in": result["access_token"]["expires_in"],
@@ -2057,6 +2098,15 @@ def post(self):
 
 class OIDCTokensResource(Resource):
     def post(self):
+        ## print all of flask request to logs
+        logger.info("top of POST /v3/oauth2/tokens with OIDC flag set")
+        logger.debug(f"request headers: {request.headers}")
+        logger.debug(f"request form: {request.form}")
+        logger.debug(f"request json: {request.json}")
+        logger.debug(f"request data: {request.data}")
+        logger.debug(f"request args: {request.args}")
+        logger.debug(f"request content type: {request.content_type}")
+        logger.debug(f"request base url: {request.base_url}")
         return _handle_tokens_request(request, oidc=True)
 
 

service/helpers.py

@@ -12,7 +12,7 @@
 DEFAULT_DEVICE_CODE_TOKEN_TTL = 30
 
 
-def generate_authorization_code(tenant_id, username, client_id, client):
+def generate_authorization_code(tenant_id, username, client_id, client, nonce=None):
     """
     Generates an authorization code and saves it to the database.
     """
@@ -25,6 +25,7 @@ def generate_authorization_code(tenant_id, username, client_id, client):
         redirect_url=client.callback_url,
         code=AuthorizationCode.generate_code(),
         expiry_time=AuthorizationCode.compute_expiry(),
+        passthrough_nonce=nonce,
     )
     try:
         db.session.add(authz_code)
@@ -39,7 +40,7 @@ def generate_authorization_code(tenant_id, username, client_id, client):
     return authz_code
 
 
-def handle_response_type(response_type, allowable_grant_types, tenant_id, username, client_id, client, state, **kwargs):
+def handle_response_type(response_type, allowable_grant_types, tenant_id, username, client_id, client, state, nonce=None, **kwargs):
     if response_type == "token":
         if "implicit" not in allowable_grant_types:
             raise errors.ResourceError(
@@ -91,8 +92,12 @@ def handle_response_type(response_type, allowable_grant_types, tenant_id, userna
                 f"tenant. Allowable grant types: {allowable_grant_types}"
             )
 
+        # create the authorization code for the client and handle nonce if needed.
+        if nonce:
+            logger.debug(f"inside of handle response - nonce found: {nonce}")
+
         authz_code = generate_authorization_code(
-            tenant_id, username, client_id, client
+            tenant_id, username, client_id, client, nonce=nonce
         )
 
         # Redirect to the client's callback URL with the authorization code

service/models.py

@@ -393,6 +393,8 @@ class AuthorizationCode(db.Model):
     # metadata about whether an MFA was performed and if so, how recently 
     # currently not implemented 
     tapis_mfa = db.Column(db.String(200), unique=False, nullable=True)
+    # If /authorize is called with ?nonce=value, we store the value so we can return it on token to mitigate replay attacks.
+    passthrough_nonce = db.Column(db.String(200), unique=False, nullable=True)
 
     def __repr__(self):
         return f'{self.code}'
@@ -485,6 +487,8 @@ class DeviceCode(db.Model):
     # metadata about whether an MFA was performed and if so, how recently 
     # currently not implemented 
     tapis_mfa = db.Column(db.String(200), unique=False, nullable=True)
+    # If /authorize is called with ?nonce=value, we store the value so we can return it on token to mitigate replay attacks.
+    passthrough_nonce = db.Column(db.String(200), unique=False, nullable=True)
 
     def __repr__(self):
         return f'{self.code}'

service/session.py

@@ -13,7 +13,7 @@ def clear_orig_client_data():
     session.pop("orig_client_redirect_uri", None)
     session.pop("orig_client_response_type", None)
     session.pop("orig_client_state", None)
-
+    session.pop("nonce", None)
 
 def logout_from_webapp():
     """

service/tests/basic_test.py

@@ -1018,7 +1018,7 @@ def test_get_profile(client, tapis_jwt):
 def test_authorization_code(client, init_db):
     # simulate the authorization approval -
     with client:
-        # use hte session_transaction to enable modification of the session object:
+        # use the session_transaction to enable modification of the session object:
         # cf., https://flask.palletsprojects.com/en/1.1.x/testing/#accessing-and-modifying-sessions
         with client.session_transaction() as sess:
             sess["username"] = TEST_USERNAME
@@ -1035,6 +1035,7 @@ def test_authorization_code(client, init_db):
             },
         )
         print(response)
+        print(f"DEBUG: got response string: {response.data.decode('utf-8')}")
         assert response.status_code == 302
         # note: response.data is a raw bytes object containing the full HTML returned from the page.
         # try this if you want to debug ===>  print(response.data)