This repository has been archived by the owner on Oct 24, 2024. It is now read-only.

HPKP Headers In Chrome Warning #410

Closed
2 of 9 tasks
faddah opened this issue Mar 14, 2019 · 2 comments
Comments

faddah commented Mar 14, 2019

I'm submitting this issue for the package(s):

  • jwt-verifier
  • okta-angular
  • oidc-middleware
  • okta-react
  • okta-react-native
  • okta-vue

I'm submitting a:

  • Bug report
  • Feature request
  • Other (Describe below)

Current behavior

Have a front-end app using @okta/okta-react (this repository) NPM package. Update a Google Chrome Browser in Mac OS to be >v69.0.xxxx (mine was v73.0.3683.75 (Official Build) (64-bit))

Expected behavior

You should interact with Okta OAuth servers using this NPM package with no warnings in the console.

Minimal reproduction of the problem with instructions

Extra information about the use case/user story you are trying to implement

Environment

  • Package Version: @okta/[email protected]
  • Browser: Google Chrome for Mac OS v73.0.3683.75 (Official Build) (64-bit)
  • OS: Mac OS v10.14.3 (Mojave)
  • Node version (node -v): Node.JS v10.15.2
  • Other: NPM v6.8.0

This is also reported in https://github.com/okta/okta-auth-js/, their Issue #138 (okta/okta-auth-js#138).

At my corporation we're using the @okta/okta-react NPM package (which is https://github.com/okta/okta-oidc-js here on GitHub), and in my Google Chrome browser v73.0.3683.75 (Official Build) (64-bit), I get the following message when going to my local Dev environment of an internal web site —

oauthUtil.js:53 HTTP-Based Public Key Pinning is deprecated. Chrome 69 and later will ignore HPKP response headers. (Host: nike-qa.oktapreview.com)
loadFrame    @    oauthUtil.js:53
getToken    @    token.js:362
getWithoutPrompt    @    token.js:441
(anonymous)    @    util.js:67
renewToken    @    token.js:505
(anonymous)    @    util.js:67
renew    @    TokenManager.js:143
(anonymous)    @    TokenManager.js:114
promise    @    q.js:683
getAsync    @    TokenManager.js:106
(anonymous)    @    util.js:67
_callee5$    @    Auth.js:333
tryCatch    @    runtime.js:63
invoke    @    runtime.js:290
prototype.(anonymous function)    @    runtime.js:116
step    @    asyncToGenerator.js:21
(anonymous)    @    asyncToGenerator.js:39
F    @    _export.js:43
(anonymous)    @    asyncToGenerator.js:18
getAccessToken    @    Auth.js:353
_callee2$    @    Auth.js:192
tryCatch    @    runtime.js:63
invoke    @    runtime.js:290
prototype.(anonymous function)    @    runtime.js:116
step    @    asyncToGenerator.js:21
(anonymous)    @    asyncToGenerator.js:39
F    @    _export.js:43
(anonymous)    @    asyncToGenerator.js:18
isAuthenticated    @    Auth.js:220
_callee$    @    SecureRoute.js:135

...so we need a fix for this also, please.

@swiftone swiftone self-assigned this Mar 15, 2019
swiftone (Contributor) commented

This is a Chrome-generated warning, not a JS error (it interrupts no JS code, it's just being triggered by JS actions), and says that Chrome will cease ENFORCING the HPKP security feature, so it also doesn't indicate a security issue.

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Okta has HPKP set to report-only. We plan to remove HPKP in the future, but it still provides some value (it is still enforced by some browsers) and does not cause problems, so the warning can be safely ignored.
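The distinction drawn above between an enforcing Public-Key-Pins header and a report-only one can be checked directly on a captured response header. This is an added example, not code from okta-oidc-js or from Okta; the header values and pins are constructed, and the only assumption is the RFC 7469 syntax of the two headers.

```python
import base64
from dataclasses import dataclass, field
# Header names from RFC 7469; Chrome 69+ ignores both of them.
ENFORCING_HEADER = "Public-Key-Pins"
REPORT_ONLY_HEADER = "Public-Key-Pins-Report-Only"

@dataclass
class HpkpPolicy:
    header: str                                   # which header carried the policy
    pins: list = field(default_factory=list)      # decoded 32-byte SPKI SHA-256 digests
    max_age: int = 0
    report_uri: str = ""
    problems: list = field(default_factory=list)  # RFC 7469 violations found

    @property
    def enforcing(self) -> bool:
        # A report-only policy never blocks a connection, even in browsers that honour HPKP.
        return self.header == ENFORCING_HEADER

def parse_hpkp(header_name: str, value: str) -> HpkpPolicy:
    """Parse a Public-Key-Pins(-Report-Only) value; flag bad pins, a missing backup pin, missing max-age."""
    policy = HpkpPolicy(header=header_name)
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(raw, validate=True)
            except ValueError:       # binascii.Error is a ValueError subclass
                digest = b""
            if len(digest) == 32:
                policy.pins.append(digest)
            else:
                policy.problems.append(f"pin is not a base64 32-byte digest: {raw!r}")
        elif name == "max-age":
            policy.max_age = int(raw) if raw.isdigit() else 0
        elif name == "report-uri":
            policy.report_uri = raw
    if len(policy.pins) < 2:
        policy.problems.append("fewer than two pins (RFC 7469 requires a backup pin)")
    if policy.enforcing and policy.max_age <= 0:
        policy.problems.append("enforcing policy without a positive max-age")
    return policy

# Constructed sample: two fake 32-byte digests, not real Okta pins.
_PIN_A = base64.b64encode(bytes(range(32))).decode()
_PIN_B = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_REPORT_ONLY = (f'pin-sha256="{_PIN_A}"; pin-sha256="{_PIN_B}"; max-age=5184000; '
                      'includeSubDomains; report-uri="https://example.com/hpkp-report"')
```

Run `parse_hpkp(REPORT_ONLY_HEADER, SAMPLE_REPORT_ONLY)` against the constructed header, or pass a real header name and value captured from a response; `enforcing` is False for the report-only header, and `problems` lists anything a pinning browser would reject.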


faddah commented Apr 1, 2019

Thanks for the response, I'll notify teams here at my company.
