fix(oauth2): validate session identity matches consent request subject

Add security validation to prevent consent hijacking attacks where an
attacker could use a stolen consent_challenge to grant or reject consent
on behalf of a different user.

Changes:
- Pages Router: verify session cookie and compare identity with subject
- App Router: add identityId parameter to accept/reject functions
- Return 401 for missing session, 403 for identity mismatch

Author: Jorgagu

examples/nextjs-app-router-custom-components/app/api/consent/route.ts

@@ -1,7 +1,11 @@
 // Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
-import { acceptConsentRequest, rejectConsentRequest } from "@ory/nextjs/app"
+import {
+  acceptConsentRequest,
+  getServerSession,
+  rejectConsentRequest,
+} from "@ory/nextjs/app"
 import { NextResponse } from "next/server"
 
 interface ConsentBody {
@@ -40,6 +44,25 @@ async function parseRequest(request: Request): Promise<ConsentBody> {
 }
 
 export async function POST(request: Request) {
+  // Security: Verify session exists before processing consent
+  const session = await getServerSession()
+  if (!session) {
+    console.error("Consent security: No session found")
+    return NextResponse.json(
+      { error: "unauthorized", error_description: "No session" },
+      { status: 401 },
+    )
+  }
+
+  const identityId = session.identity?.id
+  if (!identityId) {
+    console.error("Consent security: Session has no identity ID")
+    return NextResponse.json(
+      { error: "unauthorized", error_description: "Invalid session" },
+      { status: 401 },
+    )
+  }
+
   const body = await parseRequest(request)
 
   const action = body.action
@@ -68,14 +91,32 @@ export async function POST(request: Request) {
       redirectTo = await acceptConsentRequest(consentChallenge, {
         grantScope,
         remember,
+        identityId,
       })
     } else {
-      redirectTo = await rejectConsentRequest(consentChallenge)
+      redirectTo = await rejectConsentRequest(consentChallenge, {
+        identityId,
+      })
     }
 
     return NextResponse.json({ redirect_to: redirectTo })
   } catch (error) {
     console.error("Consent error:", error)
+
+    // Check for identity mismatch error
+    if (
+      error instanceof Error &&
+      error.message.includes("does not match consent request subject")
+    ) {
+      return NextResponse.json(
+        {
+          error: "forbidden",
+          error_description: "Session does not match consent request subject",
+        },
+        { status: 403 },
+      )
+    }
+
     return NextResponse.json(
       { error: "server_error", error_description: "Failed to process consent" },
       { status: 500 },

examples/nextjs-pages-router/pages/api/consent.ts

@@ -1,20 +1,23 @@
 // Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
-import { Configuration, OAuth2Api } from "@ory/client-fetch"
+import { Configuration, FrontendApi, OAuth2Api } from "@ory/client-fetch"
 import type { NextApiRequest, NextApiResponse } from "next"
 
-function getOAuth2Client() {
+function getBaseUrl(): string {
   const baseUrl = process.env.NEXT_PUBLIC_ORY_SDK_URL || process.env.ORY_SDK_URL
   if (!baseUrl) {
     throw new Error("ORY_SDK_URL is not set")
   }
+  return baseUrl.replace(/\/$/, "")
+}
 
+function getOAuth2Client() {
   const apiKey = process.env.ORY_PROJECT_API_TOKEN ?? ""
 
   return new OAuth2Api(
     new Configuration({
-      basePath: baseUrl.replace(/\/$/, ""),
+      basePath: getBaseUrl(),
       headers: {
         Accept: "application/json",
         ...(apiKey ? { Authorization: `Bearer ${apiKey}` } : {}),
@@ -23,6 +26,17 @@ function getOAuth2Client() {
   )
 }
 
+function getFrontendClient() {
+  return new FrontendApi(
+    new Configuration({
+      basePath: getBaseUrl(),
+      headers: {
+        Accept: "application/json",
+      },
+    }),
+  )
+}
+
 interface ConsentRequestBody {
   action?: string
   consent_challenge?: string
@@ -46,8 +60,45 @@ export default async function handler(
   }
 
   const oauth2Client = getOAuth2Client()
+  const frontendClient = getFrontendClient()
 
   try {
+    // Security: Fetch the consent request to get the expected subject
+    const consentRequest = await oauth2Client.getOAuth2ConsentRequest({
+      consentChallenge: consent_challenge,
+    })
+
+    // Security: Verify the current session matches the consent challenge subject
+    // This prevents an attacker from using a stolen consent_challenge
+    // to grant consent on behalf of a different user
+    const cookie = req.headers.cookie
+    if (!cookie) {
+      console.error("Consent security: No session cookie provided")
+      return res.status(401).json({ error: "Unauthorized: No session" })
+    }
+
+    let session
+    try {
+      session = await frontendClient.toSession({ cookie })
+    } catch {
+      console.error("Consent security: Invalid or expired session")
+      return res.status(401).json({ error: "Unauthorized: Invalid session" })
+    }
+
+    // Compare the session identity with the consent request subject
+    const sessionIdentityId = session.identity?.id
+    const consentSubject = consentRequest.subject
+
+    if (!sessionIdentityId || sessionIdentityId !== consentSubject) {
+      console.error(
+        "Consent security: Session identity mismatch. " +
+          `Session: ${sessionIdentityId}, Consent subject: ${consentSubject}`,
+      )
+      return res.status(403).json({
+        error: "Forbidden: Session does not match consent request subject",
+      })
+    }
+
     let redirectTo: string
 
     if (action === "accept") {

packages/nextjs/api-report/nextjs-client.api.json

@@ -364,7 +364,7 @@
         {
           "kind": "Function",
           "canonicalReference": "@ory/nextjs!acceptConsentRequest:function(1)",
-          "docComment": "/**\n * Accept an OAuth2 consent request.\n *\n * This method should be called from an API route handler when the user accepts the consent.\n *\n * @param consentChallenge - The consent challenge from the form.\n *\n * @param options - Options for accepting the consent request.\n *\n * @returns The redirect URL to complete the OAuth2 flow.\n *\n * @example\n * ```tsx\n * // app/api/consent/route.ts\n * import { acceptConsentRequest, rejectConsentRequest } from \"@ory/nextjs/app\"\n * import { redirect } from \"next/navigation\"\n *\n * export async function POST(request: Request) {\n *   const formData = await request.formData()\n *   const action = formData.get(\"action\")\n *   const consentChallenge = formData.get(\"consent_challenge\") as string\n *   const grantScope = formData.getAll(\"grant_scope\") as string[]\n *   const remember = formData.get(\"remember\") === \"true\"\n *\n *   if (action === \"accept\") {\n *     const redirectTo = await acceptConsentRequest(consentChallenge, {\n *       grantScope,\n *       remember,\n *       session: { ... }\n *     })\n *     return redirect(redirectTo)\n *   } else {\n *     const redirectTo = await rejectConsentRequest(consentChallenge)\n *     return redirect(redirectTo)\n *   }\n * }\n * ```\n *\n * @public\n */\n",
+          "docComment": "/**\n * Accept an OAuth2 consent request.\n *\n * This method should be called from an API route handler when the user accepts the consent. It validates that the provided session identity matches the consent request subject to prevent consent hijacking attacks.\n *\n * @param consentChallenge - The consent challenge from the form.\n *\n * @param options - Options for accepting the consent request.\n *\n * @returns The redirect URL to complete the OAuth2 flow.\n *\n * @example\n * ```tsx\n * // app/api/consent/route.ts\n * import { acceptConsentRequest, rejectConsentRequest, getServerSession } from \"@ory/nextjs/app\"\n * import { redirect } from \"next/navigation\"\n *\n * export async function POST(request: Request) {\n *   const session = await getServerSession()\n *   if (!session) {\n *     return new Response(\"Unauthorized\", { status: 401 })\n *   }\n *\n *   const formData = await request.formData()\n *   const action = formData.get(\"action\")\n *   const consentChallenge = formData.get(\"consent_challenge\") as string\n *   const grantScope = formData.getAll(\"grant_scope\") as string[]\n *   const remember = formData.get(\"remember\") === \"true\"\n *\n *   if (action === \"accept\") {\n *     const redirectTo = await acceptConsentRequest(consentChallenge, {\n *       grantScope,\n *       remember,\n *       identityId: session.identity?.id,\n *     })\n *     return redirect(redirectTo)\n *   } else {\n *     const redirectTo = await rejectConsentRequest(consentChallenge, {\n *       identityId: session.identity?.id,\n *     })\n *     return redirect(redirectTo)\n *   }\n * }\n * ```\n *\n * @throws\n *\n * Error if identityId doesn't match the consent request subject.\n *\n * @public\n */\n",
           "excerptTokens": [
             {
               "kind": "Content",
@@ -380,7 +380,7 @@
             },
             {
               "kind": "Content",
-              "text": "{\n    grantScope: string[];\n    remember?: boolean;\n    rememberFor?: number;\n    session?: {\n        accessToken?: "
+              "text": "{\n    grantScope: string[];\n    remember?: boolean;\n    rememberFor?: number;\n    identityId?: string;\n    session?: {\n        accessToken?: "
             },
             {
               "kind": "Reference",
@@ -1459,7 +1459,7 @@
         {
           "kind": "Function",
           "canonicalReference": "@ory/nextjs!rejectConsentRequest:function(1)",
-          "docComment": "/**\n * Reject an OAuth2 consent request.\n *\n * This method should be called from an API route handler when the user rejects the consent.\n *\n * @param consentChallenge - The consent challenge from the form.\n *\n * @param options - Options for rejecting the consent request.\n *\n * @returns The redirect URL to complete the OAuth2 flow.\n *\n * @public\n */\n",
+          "docComment": "/**\n * Reject an OAuth2 consent request.\n *\n * This method should be called from an API route handler when the user rejects the consent. It validates that the provided session identity matches the consent request subject to prevent consent hijacking attacks.\n *\n * @param consentChallenge - The consent challenge from the form.\n *\n * @param options - Options for rejecting the consent request.\n *\n * @returns The redirect URL to complete the OAuth2 flow.\n *\n * @throws\n *\n * Error if identityId doesn't match the consent request subject.\n *\n * @public\n */\n",
           "excerptTokens": [
             {
               "kind": "Content",
@@ -1475,7 +1475,7 @@
             },
             {
               "kind": "Content",
-              "text": "{\n    error?: string;\n    errorDescription?: string;\n}"
+              "text": "{\n    error?: string;\n    errorDescription?: string;\n    identityId?: string;\n}"
             },
             {
               "kind": "Content",

packages/nextjs/api-report/nextjs.api.md

@@ -24,6 +24,7 @@ export function acceptConsentRequest(consentChallenge: string, options: {
     grantScope: string[];
     remember?: boolean;
     rememberFor?: number;
+    identityId?: string;
     session?: {
         accessToken?: Record<string, unknown>;
         idToken?: Record<string, unknown>;
@@ -105,6 +106,7 @@ export interface OryPageParams {
 export function rejectConsentRequest(consentChallenge: string, options?: {
     error?: string;
     errorDescription?: string;
+    identityId?: string;
 }): Promise<string>;
 
 // @public

packages/nextjs/src/app/consent.ts

@@ -66,14 +66,21 @@ export async function getConsentFlow(
  * Accept an OAuth2 consent request.
  *
  * This method should be called from an API route handler when the user accepts the consent.
+ * It validates that the provided session identity matches the consent request subject
+ * to prevent consent hijacking attacks.
  *
  * @example
  * ```tsx
  * // app/api/consent/route.ts
- * import { acceptConsentRequest, rejectConsentRequest } from "@ory/nextjs/app"
+ * import { acceptConsentRequest, rejectConsentRequest, getServerSession } from "@ory/nextjs/app"
  * import { redirect } from "next/navigation"
  *
  * export async function POST(request: Request) {
+ *   const session = await getServerSession()
+ *   if (!session) {
+ *     return new Response("Unauthorized", { status: 401 })
+ *   }
+ *
  *   const formData = await request.formData()
  *   const action = formData.get("action")
  *   const consentChallenge = formData.get("consent_challenge") as string
@@ -84,11 +91,13 @@ export async function getConsentFlow(
  *     const redirectTo = await acceptConsentRequest(consentChallenge, {
  *       grantScope,
  *       remember,
- *       session: { ... }
+ *       identityId: session.identity?.id,
  *     })
  *     return redirect(redirectTo)
  *   } else {
- *     const redirectTo = await rejectConsentRequest(consentChallenge)
+ *     const redirectTo = await rejectConsentRequest(consentChallenge, {
+ *       identityId: session.identity?.id,
+ *     })
  *     return redirect(redirectTo)
  *   }
  * }
@@ -97,6 +106,7 @@ export async function getConsentFlow(
  * @param consentChallenge - The consent challenge from the form.
  * @param options - Options for accepting the consent request.
  * @returns The redirect URL to complete the OAuth2 flow.
+ * @throws Error if identityId doesn't match the consent request subject.
  * @public
  */
 export async function acceptConsentRequest(
@@ -105,13 +115,29 @@ export async function acceptConsentRequest(
     grantScope: string[]
     remember?: boolean
     rememberFor?: number
+    identityId?: string
     session?: {
       accessToken?: Record<string, unknown>
       idToken?: Record<string, unknown>
     }
   },
 ): Promise<string> {
-  const response = await serverSideOAuth2Client().acceptOAuth2ConsentRequest({
+  const oauth2Client = serverSideOAuth2Client()
+
+  // Security: Verify session identity matches consent request subject
+  if (options.identityId) {
+    const consentRequest = await oauth2Client.getOAuth2ConsentRequest({
+      consentChallenge,
+    })
+
+    if (consentRequest.subject !== options.identityId) {
+      throw new Error(
+        "Forbidden: Session identity does not match consent request subject",
+      )
+    }
+  }
+
+  const response = await oauth2Client.acceptOAuth2ConsentRequest({
     consentChallenge,
     acceptOAuth2ConsentRequest: {
       grant_scope: options.grantScope,
@@ -133,20 +159,39 @@ export async function acceptConsentRequest(
  * Reject an OAuth2 consent request.
  *
  * This method should be called from an API route handler when the user rejects the consent.
+ * It validates that the provided session identity matches the consent request subject
+ * to prevent consent hijacking attacks.
  *
  * @param consentChallenge - The consent challenge from the form.
  * @param options - Options for rejecting the consent request.
  * @returns The redirect URL to complete the OAuth2 flow.
+ * @throws Error if identityId doesn't match the consent request subject.
  * @public
  */
 export async function rejectConsentRequest(
   consentChallenge: string,
   options?: {
     error?: string
     errorDescription?: string
+    identityId?: string
   },
 ): Promise<string> {
-  const response = await serverSideOAuth2Client().rejectOAuth2ConsentRequest({
+  const oauth2Client = serverSideOAuth2Client()
+
+  // Security: Verify session identity matches consent request subject
+  if (options?.identityId) {
+    const consentRequest = await oauth2Client.getOAuth2ConsentRequest({
+      consentChallenge,
+    })
+
+    if (consentRequest.subject !== options.identityId) {
+      throw new Error(
+        "Forbidden: Session identity does not match consent request subject",
+      )
+    }
+  }
+
+  const response = await oauth2Client.rejectOAuth2ConsentRequest({
     consentChallenge,
     rejectOAuth2Request: {
       error: options?.error ?? "access_denied",