OAuth redirect form posts to HTTP

[ZuhaibT]

When handling the OAuth redirect, the application returns an auto-submitting HTML form that posts to an http:// endpoint:

<form action="http://faction.sld.com/oauth" name="f" method="post">
  <input type="hidden" name="username" value="john" />
  <input type="hidden" name="password" value="" />
  <input value="POST" type="submit" />
</form>
<script type="text/javascript">
  document.forms['f'].submit();
</script>

Because the form action uses http://, It could potentially leak JSESSIONID and other cookies. While modern browsers may automatically upgrade requests to HTTPS when Strict HTTPS-Only mode is enabled, the initial use of HTTP can still trigger warnings that undermine user trust and disrupt the OAuth flow.

[summitt]

This does not happen on my instance as shown below. I believe this URL comes from the context path. Does your server happen to have both http and https endpoints?

[ZuhaibT]

Hi, thanks for looking into this!

Here's our setup for context:

• Faction is running behind an nginx reverse proxy that terminates SSL
• nginx forwards traffic to Faction over plain HTTP internally
• Port 80 returns a 301 redirect to HTTPS, so Faction is only publicly accessible over HTTPS
• When the OAuth flow is triggered, the POST goes to http:// as described in the issue
• nginx is not currently setting X-Forwarded-Proto in the proxy config but sending the header directly from the browser didn't change the form action to https://

[SDugo]

Hello:

Same issue here, using docker for the Faction instance and a load balancer in front of it. I also noticed that if you intercept the request to "POST /saml2/callback?client_name=SAML2Client" and remove the "JSESSIONID" cookie, then the form is not presented but a normal redirection like this and the login goes smoothly:

HTTP/2 303 See Other
Content-Type: text/html
Content-Length: 0
Access-Control-Allow-Methods: GET
Access-Control-Allow-Headers: *
Set-Cookie: JSESSIONID=XXXXX; Path=/; HttpOnly
Location: /saml2

[summitt]

@SDugo @ZuhaibT , try the latest release. It should mitigate this issue: https://github.com/factionsecurity/faction/releases/tag/1.7.6

[summitt]

@ZuhaibT we found in testing that this did not fix the issue if using OIDC. It does fix it for SAML @SDugo

[summitt]

OIDC is now fixed in this release: https://github.com/factionsecurity/faction/releases/tag/1.7.7

[ZuhaibT]

I’ve tested the changes on my end and can confirm that the issue is now resolved. Thanks for the quick response and fix! 🚀

[SDugo]

Same here! Thanks so much for the fix! 😃