IssueTracker

I have configured Open Id using following step by step tutorial and it works as expected

https://developers.google.com/identity/openid-connect/openid-connect

However it seems API is configured to use HTTP Referer too which then it will returns 403 if there is no HTTP Referer is sent with the request or it doesn't match the website.

There are a few major issues with this approach.

1- Not all applications are web and send referer (e.g. my windows (and linux) desktop application uses google open ID to identify logged in users, does not send a referer and if I send one, it will be a meaningless made up header.

2- Some of my users are using browser Referer extension (for privacy of course) which then masks inter-website referer header if the website for two pages are not same (in this case my website and google). This causes the following request return 403

https://accounts.google.com/gsi/button?*******

Assuming this same page is returning error if browser agent is not as expected (not listed in google) since I am again getting random 403 errors even though I am sending a fixed fake referer to API.

This is easily reproducible with "Smart Referer" extension on firefox browser

https://addons.mozilla.org/en-US/firefox/addon/smart-referer/

or Referer Control extension on Chrome browser

https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin

in both cases no configuration needed, install the extension and activate it and following script will always fail (screenshots)

I am attaching content of the HTML page and request and response when extension is active or inactive.

Note that using both HTTP referer and user-agent as a security header is very very wrong as user can easily modify it even with a browsers widely available in market. use of an encrypted value in a custom header, request GET or POST content instead, is more secure and preferred.

HTML Page content

<!DOCTYPE html>
<html lang="en">
<head>
    <script src="https://accounts.google.com/gsi/client" async defer></script>
    <script>
        window.onload = function () {
            google.accounts.id.initialize({
                client_id: "************-**************.apps.googleusercontent.com",
                auto_select: true,
                ux_mode: "redirect",
                callback: function (response) {
                    debug("Encoded JWT ID token: " + response.credential);
                }
            });
            google.accounts.id.renderButton(
                document.getElementById("buttonDiv"),
                {theme: "outline", size: "large"}
            );
        }
    </script>
</head>
<body>
    <div id="buttonDiv"></div>
</body>
</html>

When referer extension is active (running on localhost)

Request Header (identifiers redacted)

GET /gsi/button?theme=outline&size=large&client_id=************-**************.apps.googleusercontent.com&iframe_id=gsi_**************&as=*************** HTTP/3
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://accounts.google.com/gsi/button?theme=outline&size=large&client_id=******************-**********************.apps.googleusercontent.com&iframe_id=gsi_************&as=****************
Alt-Used: accounts.google.com
Connection: keep-alive
Cookie: ****************************************************************************************************************************************************************************************************
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
TE: trailers

Response Header (identifiers redacted)

HTTP/3 403 Forbidden
content-type: text/html; charset=utf-8
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Sat, 24 Jun 2023 00:36:07 GMT
cross-origin-resource-policy: cross-origin
content-security-policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/identity-sign-in-google-http
content-security-policy: script-src 'nonce-******************************' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/identity-sign-in-google-http
report-to: {"group":"coop_******************************","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/******************************"}]}
cross-origin-opener-policy-report-only: same-origin; report-to="coop_******************************"
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-content-type-options: nosniff
set-cookie: ******=**********************************************************************; expires=Sun, 23-Jun-2024 00:36:07 GMT; path=/; domain=.google.com; priority=high
set-cookie: __Secure-*******=************************************************************; expires=Sun, 23-Jun-2024 00:36:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high
set-cookie: __Secure-******=*************************************************************; expires=Sun, 23-Jun-2024 00:36:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high; SameSite=none
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

With same page when referer extension is not active

Request Header (identifiers redacted)

GET /gsi/button?theme=outline&size=large&client_id=************-**************.apps.googleusercontent.com&iframe_id=gsi_***************&as=*************** HTTP/3
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:85/
Alt-Used: accounts.google.com
Connection: keep-alive
Cookie: *******************************************************************************************************************************************************************************
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
TE: trailers

Response Header (identifiers redacted)

HTTP/3 200 OK
content-type: text/html; charset=utf-8
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Sat, 24 Jun 2023 00:46:20 GMT
cross-origin-resource-policy: cross-origin
report-to: {"group":"*******************","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/*******************"}]}
content-security-policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/identity-sign-in-google-http
content-security-policy: script-src 'nonce-*******************' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/identity-sign-in-google-http
cross-origin-opener-policy-report-only: same-origin; report-to="coop_*******************"
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-content-type-options: nosniff
set-cookie: *****=*********************************************************; expires=Sun, 23-Jun-2024 00:46:20 GMT; path=/; domain=.google.com; priority=high
set-cookie: __Secure-*****=**************************************************; expires=Sun, 23-Jun-2024 00:46:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high
set-cookie: __Secure-*****=**************************************************; expires=Sun, 23-Jun-2024 00:46:20 GMT; path=/; domain=.google.com; Secure; HttpOnly; priority=high; SameSite=none
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000