I own an OIDC IdP. I also own the proxy my clients are using in front of their RP, to do user authentication by accepting the id_tokens my IdP issues. I use the implicit flow. For simplicity, assume Alice is already authenticated to example[dot]com and that Alice is also authenticated to my IdP. I.e. Alice will not visibly interact with my IdP for the next 4 hours, when her login with my IdP expires.
When Alice loads example[dot]com/index.html, the DOM contains 100 links. The browser tries to load the 100 different images as fast as possible, and issues 100 “parallel” calls to images.cdn. Alice is not yet authenticated to the CDN and the CDN itself requires authentication with my IdP. In front of the CDN web app, there is a proxy that I own (I control both ends, nice). The proxy sets a random value in an RFP cookie and redirects Alice to my IdP.
Because the browser tries to load all 100 images “in parallel”, Alice’s browser gets 100 different RFP cookies, and 100 redirects to my IdP. The 100 cookies are actually overwritten in the browser, because they all have the same name “rfp_cookie”.
My IdP also gets 100 requests to issue id_tokens for images.cdn. Each id_token includes a different random value that was set in the RFP cookie in that particular redirect.
My IdP also throttles Alice, because issuing 100 id_tokens in 1 second for the same example[dot]com RP seems like too much.
When my IdP redirects Alice back to images.cdn/blah123.png with a valid id_token, my proxy in front of images.cdn checks if the value in the presented RFP cookie matches the value in the signed id_token. For 99 out of the 100 calls, it does not (because the RFP cookie was overwritten), so it rejects the id_token to avoid an attack that the RFP cookie actually protects against (another topic, won’t go into it).
So Alice sees basically a blank page.
I have 2 problems:
- Alice sees she gets throttled by my IdP and complains to me. All she wants is to visit example[dot]com and to see those images.
- Even without the throttle, the images would not load because the RFP cookie gets overwritten.
I talked to the owner of example[dot]com and she changed the HTML to put 99 out of the 100 images in a div that is initially hidden, and shown when Alice clicks a button. The 99 images are of the form . Because a single image is visible at the beginning, the OIDC redirect dance and RFP cookies work great. For a single image, there is no throttle, no overwriting, and now Alice has a valid id_token for images.cdn. When Alice clicks the button to see the other 99 images, she is no longer redirected to my IdP, as she is already authenticated to the CDN. Nice save!
However, my problems now are:
- I have to talk to the owners of the other 5000 services and convince them to modify their HTML in the same way as the owner of example[dot]com did. Not looking forward to doing that…
- Alice has to click a link before she can see a nice webpage. Bad user experience.
Any ideas on how to solve this? Can I somehow force the browser to obtain all the id_tokens for all the domains it will load assets from, before the browser actually tries to load the assets?
PS: removing the authentication from the CDN is out of the question. And as you can see, just increasing the throttle limit does not solve the RFP problem. Plus, I like throttling.
PPS: using the Authorization Code Flow would have precisely the same issues.