Critical security fix for CVE-2023-3128 breaks AWS Cognito OAuth

  • What Grafana version and what operating system are you using?
    Grafana 9.5.5 official Docker Image

  • What are you trying to achieve?
    Trying to sign in after updating to 9.5.5, using AWS Cognito as IDP, configured as Generic OAuth2 Provider

  • How are you trying to achieve it?
    Configured AWS Cognito as Generic OAuth Provider in Grafana

  • What happened?
    Getting an error message:

    Login Failed - User already exists

  • What did you expect to happen?
    I kinda expected the update not to break the configuration

  • Can you copy/paste the configuration(s) that you are having problems with?
    Configure generic OAuth2 authentication | Grafana documentation
    All settings are configured with the appropriate values; it worked fine before Grafana 9.5.5. Here is an example from the Terraform configuration:

    ```hcl
    {
      "name"  = "GF_AUTH_GENERIC_OAUTH_API_URL",
      "value" = "https://${module.cognito_grafana.domain_prefix}.auth.eu-central-1.amazoncognito.com/oauth2/userInfo"
    },
    {
      "name"  = "GF_AUTH_GENERIC_OAUTH_AUTH_URL",
      "value" = "https://${module.cognito_grafana.domain_prefix}.auth.eu-central-1.amazoncognito.com/oauth2/authorize"
    },
    {
      "name"  = "GF_AUTH_GENERIC_OAUTH_TOKEN_URL",
      "value" = "https://${module.cognito_grafana.domain_prefix}.auth.eu-central-1.amazoncognito.com/oauth2/token"
    },
    {
      "name"  = "GF_AUTH_SIGNOUT_REDIRECT_URL",
      "value" = "https://${module.cognito_grafana.domain_prefix}.auth.eu-central-1.amazoncognito.com/logout?response_type=code&client_id=${module.cognito_grafana.client_id}&redirect_uri=https://${module.routing.domain_map_dashboard[var.environment]}/login"
    },
    ```

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

  • Did you follow any online instructions? If so, what is the URL?
    I followed the official advice from here: Grafana security release for CVE-2023-3128

When Grafana is configured to use multiple identity providers (including a combination of standard Grafana login/password authentication with additional SSO), and you have users with the same email address in multiple identity providers.
When Grafana is configured to use generic OAuth with an identity provider that does not support the unique ID field.

I tried to disable Basic Auth, because as mentioned in the blog post, this is exactly the scenario we are in. We didn't create any local users, but basic auth was still active + one configured Generic OAuth2 Provider. But this didn't help.
I looked into the unique ID field and Cognito indeed does use it, as it uses the mentioned OpenID Connect standard and sends a unique ID in the "sub" field, but apparently Grafana doesn't recognize or evaluate it.

I cannot imagine we are the only ones having problems after the update. Any idea how to fix this?
As far as I understood, the flaw comes from having multiple IDPs and having the same email address being authorized by more than one IDP. That is an interesting scenario, as in our AWS Cognito we only have one IDP connected, but if we had more than one, I couldn't limit the domains that one IDP is responsible for. If we add a rogue IDP, it might send authorization tokens for an email address that usually uses another IDP to sign up, and we wouldn't notice it either. But this is something to solve on the Cognito end, as the connected IDPs are not visible to Grafana, since Grafana will only ever talk with AWS Cognito.

If anyone else is having this problem: it was confirmed as a bug in Grafana 9.5.5.

Use the workaround in the .ini and not as env; it will work in Grafana 10.0.1 only.
Another solution is to delete the user from Grafana and have him log in again; then the unique ID will be populated. It was never populated by Grafana before, but it is being synced now.
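As an added example (not Grafana's own code, and not from this thread): a simplified Python model of the post-fix lookup order, which shows why a legacy account with no stored unique ID hits "User already exists" in strict mode, why deleting the user and signing in again clears it, and why refusing the email match is what stops a second IdP from claiming someone else's email. The provider name, the `allow_insecure_email_lookup` switch, the error text and the sample users are assumptions.

```python
from dataclasses import dataclass, field


class UserExistsError(Exception):
    """Raised when an email is already taken and email lookup is not allowed."""


@dataclass
class User:
    login: str
    email: str
    # (provider, sub) bindings; empty for accounts created before the
    # unique ID was synced, which is the state that triggers the error.
    auth_ids: set = field(default_factory=set)


def resolve_oauth_user(users, provider, userinfo, allow_insecure_email_lookup=False):
    """Map an OAuth userinfo response to a local account (assumed model).

    Lookup order: (provider, sub) binding first, then email only if the
    operator explicitly opted in. Appends to `users` when creating an account.
    """
    sub, email = userinfo.get("sub"), userinfo["email"]
    if sub:
        for user in users:
            if (provider, sub) in user.auth_ids:
                return user
    by_email = next((u for u in users if u.email == email), None)
    if by_email is not None:
        if not allow_insecure_email_lookup:
            # Another provider, or a stale local account, already owns this
            # email. Refusing the match is what blocks the account takeover.
            raise UserExistsError(f"Login Failed - User already exists: {email}")
        if sub:
            by_email.auth_ids.add((provider, sub))  # bind on first legacy login
        return by_email
    created = User(login=email, email=email)
    if sub:
        created.auth_ids.add((provider, sub))
    users.append(created)
    return created


def legacy_account_scenario(allow_insecure_email_lookup=False):
    """Pre-upgrade account with no binding, then one Cognito login.
    Returns 'ok' or 'exists' so the two settings can be compared."""
    users = [User(login="alice", email="alice@example.com")]  # constructed sample
    cognito = {"sub": "cognito-subject-1", "email": "alice@example.com"}  # constructed
    try:
        resolve_oauth_user(users, "generic_oauth", cognito, allow_insecure_email_lookup)
        return "ok"
    except UserExistsError:
        return "exists"
```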
