[Fixes #1133] Limit the path on the nonce and correlation id cookies

Author: javiercn

src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

@@ -332,7 +332,18 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
             if (Options.ProtocolValidator.RequireNonce)
             {
                 message.Nonce = Options.ProtocolValidator.GenerateNonce();
-                WriteNonceCookie(message.Nonce);
+                var cookieOptions = new CookieOptions
+                {
+                    HttpOnly = true,
+                    SameSite = Http.SameSiteMode.None,
+                    Path = OriginalPathBase + Options.CallbackPath,
+                    Secure = Request.IsHttps,
+                    Expires = Clock.UtcNow.Add(Options.ProtocolValidator.NonceLifetime)
+                };
+
+                Options.ConfigureNonceCookie?.Invoke(Context, cookieOptions);
+
+                WriteNonceCookie(message.Nonce, cookieOptions);
             }
 
             GenerateCorrelationId(properties);
@@ -877,9 +888,10 @@ private void SaveTokens(AuthenticationProperties properties, OpenIdConnectMessag
         /// Adds the nonce to <see cref="HttpResponse.Cookies"/>.
         /// </summary>
         /// <param name="nonce">the nonce to remember.</param>
+        /// <param name="options">The options for the cookie.</param>
         /// <remarks><see cref="M:IResponseCookies.Append"/> of <see cref="HttpResponse.Cookies"/> is called to add a cookie with the name: 'OpenIdConnectAuthenticationDefaults.Nonce + <see cref="M:ISecureDataFormat{TData}.Protect"/>(nonce)' of <see cref="OpenIdConnectOptions.StringDataFormat"/>.
         /// The value of the cookie is: "N".</remarks>
-        private void WriteNonceCookie(string nonce)
+        private void WriteNonceCookie(string nonce, CookieOptions options)
         {
             if (string.IsNullOrEmpty(nonce))
             {
@@ -889,13 +901,7 @@ private void WriteNonceCookie(string nonce)
             Response.Cookies.Append(
                 OpenIdConnectDefaults.CookieNoncePrefix + Options.StringDataFormat.Protect(nonce),
                 NonceProperty,
-                new CookieOptions
-                {
-                    HttpOnly = true,
-                    SameSite = Http.SameSiteMode.None,
-                    Secure = Request.IsHttps,
-                    Expires = Clock.UtcNow.Add(Options.ProtocolValidator.NonceLifetime)
-                });
+                options);
         }
 
         /// <summary>

src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectOptions.cs

@@ -262,5 +262,11 @@ public override void Validate()
         /// remote OpenID Connect provider as an authorization/logout request parameter.
         /// </summary>
         public bool DisableTelemetry { get; set; }
+
+        /// <summary>
+        /// Gets or sets an action that can override the nonce cookie options before the
+        /// cookie gets added to the response.
+        /// </summary>
+        public Action<HttpContext, CookieOptions> ConfigureNonceCookie { get; set; }
     }
 }

src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs

@@ -205,9 +205,12 @@ protected virtual void GenerateCorrelationId(AuthenticationProperties properties
                 HttpOnly = true,
                 SameSite = SameSiteMode.None,
                 Secure = Request.IsHttps,
+                Path = OriginalPathBase + Options.CallbackPath,
                 Expires = Clock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
             };
 
+            Options.ConfigureCorrelationIdCookie?.Invoke(Context, cookieOptions);
+
             properties.Items[CorrelationProperty] = correlationId;
 
             var cookieName = CorrelationPrefix + Scheme.Name + "." + correlationId;

src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationOptions.cs

@@ -87,5 +87,11 @@ public override void Validate()
         /// the size of the final authentication cookie.
         /// </summary>
         public bool SaveTokens { get; set; }
+
+        /// <summary>
+        /// Gets or sets an action that can override the correlation id cookie options before the
+        /// cookie gets added to the response.
+        /// </summary>
+        public Action<HttpContext, CookieOptions> ConfigureCorrelationIdCookie { get; set; }
     }
 }

test/Microsoft.AspNetCore.Authentication.Test/OAuthTests.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Net;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -165,6 +166,70 @@ public async Task ThrowsIfSignInSchemeMissing()
             Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);
         }
 
+        [Fact]
+        public async Task RedirectToIdentityProvider_SetsCorrelationIdCookiePath_ToCallBackPath()
+        {
+            var server = CreateServer(
+                app => { },
+                s => s.AddOAuthAuthentication(
+                    "Weblie",
+                    opt =>
+                    {
+                        opt.ClientId = "Test Id";
+                        opt.ClientSecret = "secret";
+                        opt.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                        opt.AuthorizationEndpoint = "https://example.com/provider/login";
+                        opt.TokenEndpoint = "https://example.com/provider/token";
+                        opt.CallbackPath = "/oauth-callback";
+                    }),
+                ctx =>
+                {
+                    ctx.ChallengeAsync("Weblie").ConfigureAwait(false).GetAwaiter().GetResult();
+                    return true;
+                });
+
+            var transaction = await server.SendAsync("https://www.example.com/challenge");
+            var res = transaction.Response;
+
+            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
+            Assert.NotNull(res.Headers.Location);
+            var setCookie = Assert.Single(res.Headers, h => h.Key == "Set-Cookie");
+            var correlation = Assert.Single(setCookie.Value, v => v.StartsWith(".AspNetCore.Correlation."));
+            Assert.Contains("path=/oauth-callback", correlation);
+        }
+
+        [Fact]
+        public async Task RedirectToAuthorizeEndpoint_CorrelationIdCookieOptions_CanBeOverriden()
+        {
+            var server = CreateServer(
+                app => { },
+                s => s.AddOAuthAuthentication(
+                    "Weblie",
+                    opt =>
+                    {
+                        opt.ClientId = "Test Id";
+                        opt.ClientSecret = "secret";
+                        opt.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                        opt.AuthorizationEndpoint = "https://example.com/provider/login";
+                        opt.TokenEndpoint = "https://example.com/provider/token";
+                        opt.CallbackPath = "/oauth-callback";
+                        opt.ConfigureCorrelationIdCookie = (ctx, options) => options.Path = "/";
+                    }),
+                ctx =>
+                {
+                    ctx.ChallengeAsync("Weblie").ConfigureAwait(false).GetAwaiter().GetResult();
+                    return true;
+                });
+
+            var transaction = await server.SendAsync("https://www.example.com/challenge");
+            var res = transaction.Response;
+
+            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
+            Assert.NotNull(res.Headers.Location);
+            var setCookie = Assert.Single(res.Headers, h => h.Key == "Set-Cookie");
+            var correlation = Assert.Single(setCookie.Value, v => v.StartsWith(".AspNetCore.Correlation."));
+            Assert.Contains("path=/", correlation);
+        }
 
         private static TestServer CreateServer(Action<IApplicationBuilder> configure, Action<IServiceCollection> configureServices, Func<HttpContext, bool> handler)
         {

test/Microsoft.AspNetCore.Authentication.Test/OpenIdConnect/OpenIdConnectTests.cs

@@ -60,6 +60,108 @@ public async Task SignOutSettingMessage()
                 OpenIdConnectParameterNames.VersionTelemetry);
         }
 
+        [Fact]
+        public async Task RedirectToIdentityProvider_SetsNonceCookiePath_ToCallBackPath()
+        {
+            var setting = new TestSettings(opt =>
+            {
+                opt.ClientId = "Test Id";
+                opt.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                opt.Configuration = new OpenIdConnectConfiguration
+                {
+                    AuthorizationEndpoint = "https://example.com/provider/login"
+                };
+            });
+
+            var server = setting.CreateTestServer();
+
+            var transaction = await server.SendAsync(DefaultHost + TestServerBuilder.Challenge);
+            var res = transaction.Response;
+
+            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
+            Assert.NotNull(res.Headers.Location);
+            var setCookie = Assert.Single(res.Headers, h => h.Key == "Set-Cookie");
+            var nonce = Assert.Single(setCookie.Value, v => v.StartsWith(OpenIdConnectDefaults.CookieNoncePrefix));
+            Assert.Contains("path=/signin-oidc", nonce);
+        }
+
+        [Fact]
+        public async Task RedirectToIdentityProvider_NonceCookieOptions_CanBeOverriden()
+        {
+            var setting = new TestSettings(opt =>
+            {
+                opt.ClientId = "Test Id";
+                opt.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                opt.Configuration = new OpenIdConnectConfiguration
+                {
+                    AuthorizationEndpoint = "https://example.com/provider/login"
+                };
+                opt.ConfigureNonceCookie = (ctx, options) => options.Path = "/";
+            });
+
+            var server = setting.CreateTestServer();
+
+            var transaction = await server.SendAsync(DefaultHost + TestServerBuilder.Challenge);
+            var res = transaction.Response;
+
+            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
+            Assert.NotNull(res.Headers.Location);
+            var setCookie = Assert.Single(res.Headers, h => h.Key == "Set-Cookie");
+            var nonce = Assert.Single(setCookie.Value, v => v.StartsWith(OpenIdConnectDefaults.CookieNoncePrefix));
+            Assert.Contains("path=/", nonce);
+        }
+
+        [Fact]
+        public async Task RedirectToIdentityProvider_SetsCorrelationIdCookiePath_ToCallBackPath()
+        {
+            var setting = new TestSettings(opt =>
+            {
+                opt.ClientId = "Test Id";
+                opt.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                opt.Configuration = new OpenIdConnectConfiguration
+                {
+                    AuthorizationEndpoint = "https://example.com/provider/login"
+                };
+            });
+
+            var server = setting.CreateTestServer();
+
+            var transaction = await server.SendAsync(DefaultHost + TestServerBuilder.Challenge);
+            var res = transaction.Response;
+
+            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
+            Assert.NotNull(res.Headers.Location);
+            var setCookie = Assert.Single(res.Headers, h => h.Key == "Set-Cookie");
+            var correlation = Assert.Single(setCookie.Value, v => v.StartsWith(".AspNetCore.Correlation."));
+            Assert.Contains("path=/signin-oidc", correlation);
+        }
+
+        [Fact]
+        public async Task RedirectToIdentityProvider_CorrelationIdCookieOptions_CanBeOverriden()
+        {
+            var setting = new TestSettings(opt =>
+            {
+                opt.ClientId = "Test Id";
+                opt.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                opt.Configuration = new OpenIdConnectConfiguration
+                {
+                    AuthorizationEndpoint = "https://example.com/provider/login"
+                };
+                opt.ConfigureCorrelationIdCookie = (ctx, options) => options.Path = "/";
+            });
+
+            var server = setting.CreateTestServer();
+
+            var transaction = await server.SendAsync(DefaultHost + TestServerBuilder.Challenge);
+            var res = transaction.Response;
+
+            Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
+            Assert.NotNull(res.Headers.Location);
+            var setCookie = Assert.Single(res.Headers, h => h.Key == "Set-Cookie");
+            var correlation = Assert.Single(setCookie.Value, v => v.StartsWith(".AspNetCore.Correlation."));
+            Assert.Contains("path=/", correlation);
+        }
+
         [Fact]
         public async Task EndSessionRequestDoesNotIncludeTelemetryParametersWhenDisabled()
         {
@@ -173,7 +275,8 @@ public async Task SignOutWith_Specific_RedirectUri_From_Authentication_Properite
         [Fact]
         public async Task SignOut_WithMissingConfig_Throws()
         {
-            var setting = new TestSettings(opt => {
+            var setting = new TestSettings(opt =>
+            {
                 opt.ClientId = "Test Id";
                 opt.Configuration = new OpenIdConnectConfiguration();
             });