mellon 0.18+ does not work on chromium-based browsers

Bug #2068654 reported by Rodrigo Barbieri
This bug affects 1 person
Affects: OpenStack Keystone SAML Mellon Charm
Status: Fix Committed
Importance: Medium
Assigned to: Rodrigo Barbieri

Bug Description

Since commit [1] mellon changed the default behavior of cross-site cookies by allowing all if unset.

Some IDP providers use cross-site cookies to authenticate. Chromium-based browsers reject insecure cross-site cookies.

It is necessary to add the following parameters to mellon apache config file so it can use secure HTTPS cookies to be compatible with chromium-based browsers:

MellonSecureCookie On
MellonCookieSameSite None

[1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1
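
A quick way to check an existing mellon Apache config for the two directives named above, as an added example (not code from the charm or from mod_auth_mellon). It assumes a flat scan where the last value seen wins, ignores per-`<Location>` scoping, and treats only the `On` value shown in the report as enabling Secure; the sample configs and finding names are constructed for illustration.

```python
import re

# The two directives named in the report; Apache directive names are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(MellonSecureCookie|MellonCookieSameSite)\s+(\S+)", re.I)

def cookie_settings(conf_text):
    """Return the last value seen for each directive, lowercased (None if unset)."""
    seen = {"mellonsecurecookie": None, "melloncookiesamesite": None}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # commented-out lines start with '#', so they never match
        if m:
            seen[m.group(1).lower()] = m.group(2).strip("\"'").lower()
    return seen

def audit(conf_text):
    """Return finding codes (hypothetical names) for the cookie settings."""
    s = cookie_settings(conf_text)
    secure = s["mellonsecurecookie"] == "on"
    samesite = s["melloncookiesamesite"]
    findings = []
    if samesite is None:
        # Not pinned: behaviour then depends on the installed mellon's default.
        findings.append("samesite-unset")
    elif samesite == "none" and not secure:
        # SameSite=None without Secure is the combination Chromium-based browsers reject.
        findings.append("samesite-none-without-secure")
    return findings

# Constructed sample configs (not taken from a real deployment).
FIXED = """
<Location />
    MellonEnable "info"
    MellonSecureCookie On
    MellonCookieSameSite None
</Location>
"""
BROKEN = """
<Location />
    MellonEnable "info"
    # MellonSecureCookie On
    MellonCookieSameSite None
</Location>
"""

if __name__ == "__main__":
    for name, conf in (("fixed", FIXED), ("broken", BROKEN)):
        print(name, audit(conf) or "ok")
```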

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (master)
Changed in charm-keystone-saml-mellon:
status: New → In Progress
Myles Penner (mylesjp)
Changed in charm-keystone-saml-mellon:
importance: Undecided → Medium
Alex Kavanagh (ajkavanagh) wrote :

I assigned you, Rodrigo, to the bug as you created the review. Hope that's okay.

Changed in charm-keystone-saml-mellon:
assignee: nobody → Rodrigo Barbieri (rodrigo-barbieri2010)
Rodrigo Barbieri (rodrigo-barbieri2010) wrote :

Thanks Alex! Apparently the Closes-bug gerrit tag didn't do its job this time.

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (master)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/921472
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/8c973aaed370e37e38a57b9566bb83ffc7b80656
Submitter: "Zuul (22348)"
Branch: master

commit 8c973aaed370e37e38a57b9566bb83ffc7b80656
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08

Changed in charm-keystone-saml-mellon:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (stable/2024.1)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/922495
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/ffcb4348ef47c70934b58f2f34f058c5e7ae29f0
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit ffcb4348ef47c70934b58f2f34f058c5e7ae29f0
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08
    (cherry picked from commit 8c973aaed370e37e38a57b9566bb83ffc7b80656)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (stable/2023.2)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/922633
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/28207fa4f244dd4d02e33e8d858e6295308175da
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 28207fa4f244dd4d02e33e8d858e6295308175da
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08
    (cherry picked from commit 8c973aaed370e37e38a57b9566bb83ffc7b80656)
    (cherry picked from commit ffcb4348ef47c70934b58f2f34f058c5e7ae29f0)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (stable/2023.1)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (stable/zed)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/923177
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/35646986a284a342f59ad711e28cb9205e336249
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 35646986a284a342f59ad711e28cb9205e336249
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08
    (cherry picked from commit 8c973aaed370e37e38a57b9566bb83ffc7b80656)
    (cherry picked from commit ffcb4348ef47c70934b58f2f34f058c5e7ae29f0)
    (cherry picked from commit 28207fa4f244dd4d02e33e8d858e6295308175da)

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/923673
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/0e2386f35db451da5429cde8ee68691254aa6639
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 0e2386f35db451da5429cde8ee68691254aa6639
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08
    (cherry picked from commit 8c973aaed370e37e38a57b9566bb83ffc7b80656)
    (cherry picked from commit ffcb4348ef47c70934b58f2f34f058c5e7ae29f0)
    (cherry picked from commit 28207fa4f244dd4d02e33e8d858e6295308175da)
    (cherry picked from commit 35646986a284a342f59ad711e28cb9205e336249)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (stable/yoga)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/924154
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/5a73e226550f1756eb4ee0d6bd0a3a61d8073842
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 5a73e226550f1756eb4ee0d6bd0a3a61d8073842
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08
    (cherry picked from commit 8c973aaed370e37e38a57b9566bb83ffc7b80656)
    (cherry picked from commit ffcb4348ef47c70934b58f2f34f058c5e7ae29f0)
    (cherry picked from commit 28207fa4f244dd4d02e33e8d858e6295308175da)
    (cherry picked from commit 35646986a284a342f59ad711e28cb9205e336249)
    (cherry picked from commit 0e2386f35db451da5429cde8ee68691254aa6639)

tags: added: in-stable-yoga