Arp Spoofing in Adonisjs with Openid Connect

Arp spoofing is a Layer 2 attack where an adversary sends falsified ARP messages to associate their MAC address with the IP of a legitimate host, typically the gateway or another API service. In an AdonisJS application that uses OpenID Connect (OIDC) for authentication, this attack can undermine the integrity of the authentication flow even when tokens are validated cryptographically.

When an AdonisJS server relies on OIDC discovery and token verification, it typically communicates over HTTPS with an identity provider (IdP). If an attacker performs ARP spoofing on the local network segment between the AdonisJS backend and the IdP (or between the client and the AdonisJS server), they can intercept or modify traffic. Although the communication is encrypted via TLS, ARP spoofing does not break TLS directly; however, it enables a man-in-the-middle (MITM) position that can facilitate credential theft or session fixation if other controls are weak.

Specifically, in AdonisJS, if the application uses a custom OIDC client implementation or improperly configured redirects, ARP spoofing can expose the authorization code or tokens during transmission. For example, an attacker could redirect the OIDC callback to a malicious endpoint, or strip PKCE challenges if the client does not enforce strict transport channel binding. AdonisJS applications that construct absolute URLs for OIDC redirect URIs using request-derived host headers without strict validation are at risk; an attacker who compromises ARP tables can intercept these redirects and complete OAuth flows on a rogue server.

Additionally, if the AdonisJS app caches OIDC discovery documents or JWKS keys locally without verifying freshness and authenticity, an attacker who successfully ARP-spoofs a DNS or discovery endpoint may serve malicious discovery data, leading the application to accept attacker-signed tokens. This is particularly relevant when discovery documents are fetched over HTTP or when TLS certificate validation is bypassed inadvertently in development configurations. Even with HTTPS, ARP spoofing can be used to perform SSL stripping in environments where clients do not enforce strict TLS policies, causing the AdonisJS app to accept downgrade attacks if it does not mandate strong cipher suites and HSTS.

Therefore, the combination of AdonisJS with OpenID Connect does not inherently introduce new ARP spoofing vulnerabilities, but insecure deployment practices—such as using untrusted networks, failing to pin certificates, or mishandling redirect URIs—can allow ARP spoofing to compromise the OIDC flow. The risk is not in the protocol itself but in how the application and its hosting environment handle network-layer trust.

To mitigate ARP spoofing risks in an AdonisJS application using OpenID Connect, focus on hardening the OIDC client configuration, enforcing strict transport security, and validating all redirect and token endpoints. Below are concrete code examples and practices tailored for AdonisJS.

1. Enforce HTTPS and Strict Transport Security

Ensure all OIDC communication occurs over HTTPS and that your application rejects HTTP callbacks. In AdonisJS, configure the OIDC client to require secure redirect URIs and validate the issuer.

import { oidc } from '@adonisjs/auth';

export const authConfig = {
  redirect: {
    callback: '/auth/callback',
    baseUrl: 'https://your-app.example.com',
  },
  providers: {
    oidc: {
      driver: 'oidc',
      issuer: 'https://idp.example.com',
      clientId: process.env.OIDC_CLIENT_ID,
      clientSecret: process.env.OIDC_CLIENT_SECRET,
      redirectUri: 'https://your-app.example.com/auth/callback',
      scope: ['openid', 'profile', 'email'],
      authorizationParams: {
        response_type: 'code',
        code_challenge_method: 'S256',
      },
      async afterVerification(user, tokens) {
        // Optional: log successful verification
      },
    },
  },
};

Always set baseUrl explicitly and avoid deriving it from request headers that can be manipulated during ARP spoofing.

2. Validate Redirect URIs and Use PKCE

AdonisJS’ OIDC driver should enforce exact redirect URI matching. Do not allow open redirects. Use PKCE to protect authorization codes, which mitigates interception risks even if ARP spoofing occurs.

import { generateCodeChallenge, generateCodeVerifier } from 'oidc-provider';

// Example PKCE generation before redirect
const codeVerifier = generateCodeVerifier();
const codeChallenge = await generateCodeChallenge(codeVerifier);

// Store codeVerifier in session
session.put('oidc.codeVerifier', codeVerifier);

// Redirect with challenge
return Response.redirect(
  `https://idp.example.com/authorize?` +
  new URLSearchParams({
    client_id: process.env.OIDC_CLIENT_ID,
    response_type: 'code',
    redirect_uri: 'https://your-app.example.com/auth/callback',
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
    scope: 'openid profile email',
  })
);

Ensure your callback endpoint validates the code verifier:

import { compose } from '@adonisjs/core';
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext';

export default class CallbackController {
  public async handle({ session, request, auth }: HttpContextContract) {
    const storedVerifier = session.get('oidc.codeVerifier');
    const { code_verifier } = request.qs();

    if (!storedVerifier || storedVerifier !== code_verifier) {
      throw new Error('Invalid code verifier');
    }

    // Proceed with token exchange
    const tokens = await auth.use('oidc').callback(request.url());
    session.delete('oidc.codeVerifier');
    return Response.redirect('/dashboard');
  }
}

3. Pin IdP Certificates and Validate Issuers

Configure your HTTP client to use pinned certificates or certificate transparency logs when fetching discovery documents. In AdonisJS, you can customize the underlying HTTP agent used by the OIDC provider library.

import { HttpClient } from '@opd/oidc-client';
import { readFileSync } from 'fs';

const client = new HttpClient();
client.agent = new httpsAgent({
  ca: readFileSync('/path/to/idp-ca.pem'),
  checkServerIdentity: (host, cert) => {
    // Optional: implement certificate pinning
    if (cert.fingerprint !== process.env.IDP_CERT_FP) {
      throw new Error('Certificate mismatch');
    }
    return undefined;
  },
});

// Then pass this client to the OIDC provider configuration
export const oidcProvider = new OidcProvider({
  client,
  issuer: 'https://idp.example.com',
  // ...
});

4. Use Absolute URLs and Reject Host Header Manipulation

Never trust X-Forwarded-Host or similar headers to construct redirect URIs. Hardcode or securely configure the base domain for OIDC flows.

// BAD: const redirectUrl = `${req.hostname}/auth/callback`;
// GOOD:
const redirectUrl = 'https://your-app.example.com/auth/callback';

5. Monitor and Rotate Secrets

Regularly rotate clientSecret and use short-lived authorization codes. AdonisJS makes it easy to reload configuration, so automate secret rotation in your deployment pipeline.

6. Complement with Network Hardening

While not an AdonisJS code fix, deploy your application behind a firewall that uses ARP inspection (e.g., enabled on managed switches) and avoid running AdonisJS on shared public networks without VPN protection.