Magic links don't work when Outlook "safe links" are enabled

[eirikur-grid]

Magic links don't work when Outlook "safe links" are enabled

Description

Outlook will rewrite email links to direct them towards https://*.safelinks.protection.outlook.com/ with the original url encoded as a query parameter, when a feature named "safe links" is enabled. In our testing, this appears to break magic links.

Using the standard email templates, we got a rather cryptic error message, stating that the redirect_uri was missing. By tweaking the email template to include the client_id and redirect_uri, we get a different error, stating that the magic link is invalid or expired.

Steps to reproduce

Steps to reproduce the behavior:

1. Create an email account on outlook.com
2. Register a user with the @outlook.com (or @hotmail.com) email address
3. Ask for a magic link to be delivered to the outlook email address
4. Click the link

Expected behavior

The magic link works and the user is authenticated

Screenshots

Platform

(Please complete the following information)

• Device: MacBook Pro
• OS: macos
• Browser: Chrome 81
• FusionAuth version: 1.15.5

Additional context

The "safe-links" feature can be turned off (see the last screenshot). If we do, then the magic links work as expected.

We have two hypothesis as to what might be causing this:
a) The passwordless code is somehow distorted as it is URL path encoded and decoded by the safe-links mechanism.
b) The safe-links mechanism makes a GET request to the magic link, thus using the code and making it invalid for future requests.

[robotdan]

Interesting, your b) hypothesis seems plausible.

Reading through this: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-atp-safe-links-works?view=o365-worldwide

It isn't clear if they are making a GET request to the URL ahead of time, but it seems likely they would have to do that in order to perform necessary checks.

One way to confirm this - in our updated templates, we are using a two prong approach to preserve the necessary information to complete login. The first is that we save off all of the state and then look it up with the passwordless code at the time of use. This is happening today, and if the code is used, and then on a second request the code is invalid we cannot lookup the state to complete login, hence the error you're seeing about an invalid redirect_uri (I think).

In the new templates, we are jamming all of the values on the URL as well so that if the code is expired, we can in most cases allow you to restart the workflow.

If you want to update your template to add these additional parameters as outlined in the stock template example and then retry, I would expect it to fail as it does now, but with a different error. Such as 'your code has expired'.

https://fusionauth.io/docs/v1/tech/email-templates/email-templates#passwordless-login

[steinnes]

We did some tests and noticed a preceding HTTP HEAD request with a User-Agent of Go-http-client/1.1, which we believe to be the safelinks service.

Does the OTP get invalidated by a HEAD request?

[eirikur-grid]

If you want to update your template to add these additional parameters as outlined in the stock template example and then retry, I would expect it to fail as it does now, but with a different error. Such as 'your code has expired'.

We can confirm that we get a "Your link has expired or is invalid" message after having updated the email template.

[robotdan]

@steinnes I'd have to look at the w3 spec to see if we are doing this correctly, but in our MVC we treat a HEAD request just like a GET and then only stop short by not writing the response body after we've written the response headers.

So in this particular case if a HEAD request is being made with the URL, this indeed will "use" the code and then it will be invalid when subsequent GET request is made.

@eirikur-grid great, that confirms that we do put up the "correct" message thinking that the code has already been used.

I'll have to think about this more, I don't know if there is anything we can do about this or not. I suppose in theory we could analyze the User-Agent string when we see a HEAD request and then no-op the request. I don't know what the security risks of that would be, the User-Agent string is not secure, it can be set or modified easily. But if we just no-op the request it may be safe.

I wonder how many other services this type of "safe link" feature breaks.

[robotdan]

We could re-work this request to use a POST binding of sorts. In this scenario we'd respond to GET and only render a minimal form that we would then submit via JavaScript as a POST request to complete the action.

<script>
window.onload = function () { document.forms[0].submit(); }
</script>
<form method="POST" action="/oauth2/passwordless">
  <input type="hidden" name="code" />
</form>

I think this would make us immune to strategies such as the SafeLink feature.

[fdlk]

Same thing happens for Email Verification

[eirikur-grid]

@robotdan The solution method that you propose looks good to me

If there's any chance this could be prioritized, then that would be appreciated. We do not feel comfortable with enabling magic links for our users while this issue persists.

[robotdan]

I do want to get to this one, we have several large projects underway at the moment.

[shortstack]

+1 for this!

it keeps us from being able to use passwordless logins for a large percentage of clients :(