Base64 encode state before sending it to providers

This commit is contained in:
Timshel 2024-11-28 13:59:24 +01:00
parent c0267e9bbb
commit 02a9ab5d48
2 changed files with 27 additions and 13 deletions

View file

@ -931,10 +931,10 @@ fn prevalidate() -> JsonResult {
#[get("/connect/oidc-signin?<code>&<state>", rank = 1)] #[get("/connect/oidc-signin?<code>&<state>", rank = 1)]
async fn oidcsignin(code: String, state: String, conn: DbConn) -> ApiResult<Redirect> { async fn oidcsignin(code: String, state: String, conn: DbConn) -> ApiResult<Redirect> {
oidcsignin_redirect( oidcsignin_redirect(
state.clone(), state,
sso::OIDCCodeWrapper::Ok { |decoded_state| sso::OIDCCodeWrapper::Ok {
state: decoded_state,
code, code,
state,
}, },
&conn, &conn,
) )
@ -951,9 +951,9 @@ async fn oidcsignin_error(
conn: DbConn, conn: DbConn,
) -> ApiResult<Redirect> { ) -> ApiResult<Redirect> {
oidcsignin_redirect( oidcsignin_redirect(
state.clone(), state,
sso::OIDCCodeWrapper::Error { |decoded_state| sso::OIDCCodeWrapper::Error {
state, state: decoded_state,
error, error,
error_description, error_description,
}, },
@ -962,9 +962,21 @@ async fn oidcsignin_error(
.await .await
} }
// The state was encoded using Base64 to ensure no issue with providers.
// iss and scope parameters are needed for redirection to work on IOS. // iss and scope parameters are needed for redirection to work on IOS.
async fn oidcsignin_redirect(state: String, wrapper: sso::OIDCCodeWrapper, conn: &DbConn) -> ApiResult<Redirect> { async fn oidcsignin_redirect(
let code = sso::encode_code_claims(wrapper); base64_state: String,
wrapper: impl FnOnce(String) -> sso::OIDCCodeWrapper,
conn: &DbConn,
) -> ApiResult<Redirect> {
let state = match data_encoding::BASE64.decode(base64_state.as_bytes()) {
Ok(vec) => match String::from_utf8(vec) {
Ok(valid) => valid,
Err(_) => err!(format!("Invalid utf8 chars in {base64_state} after base64 decoding")),
},
Err(_) => err!(format!("Failed to decode {base64_state} using base64")),
};
let code = sso::encode_code_claims(wrapper(state.clone()));
let nonce = match SsoNonce::find(&state, conn).await { let nonce = match SsoNonce::find(&state, conn).await {
Some(n) => n, Some(n) => n,

View file

@ -81,8 +81,8 @@ pub fn encode_ssotoken_claims() -> String {
#[derive(Debug, Serialize, Deserialize)] #[derive(Debug, Serialize, Deserialize)]
pub enum OIDCCodeWrapper { pub enum OIDCCodeWrapper {
Ok { Ok {
code: String,
state: String, state: String,
code: String,
}, },
Error { Error {
state: String, state: String,
@ -209,9 +209,11 @@ impl CoreClientExt for CoreClient {
} }
// The `nonce` allow to protect against replay attacks // The `nonce` allow to protect against replay attacks
// The `state` is encoded using base64 to ensure no issue with providers (It contains the Organization identifier).
// redirect_uri from: https://github.com/bitwarden/server/blob/main/src/Identity/IdentityServer/ApiClient.cs // redirect_uri from: https://github.com/bitwarden/server/blob/main/src/Identity/IdentityServer/ApiClient.cs
pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &str, mut conn: DbConn) -> ApiResult<Url> { pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &str, mut conn: DbConn) -> ApiResult<Url> {
let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new); let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
let base64_state = data_encoding::BASE64.encode(state.as_bytes());
let redirect_uri = match client_id { let redirect_uri = match client_id {
"web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()), "web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()),
@ -230,7 +232,7 @@ pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &st
let mut auth_req = client let mut auth_req = client
.authorize_url( .authorize_url(
AuthenticationFlow::<CoreResponseType>::AuthorizationCode, AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
|| CsrfToken::new(state), || CsrfToken::new(base64_state),
Nonce::new_random, Nonce::new_random,
) )
.add_scopes(scopes) .add_scopes(scopes)
@ -244,9 +246,9 @@ pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &st
None None
}; };
let (auth_url, csrf_state, nonce) = auth_req.url(); let (auth_url, _, nonce) = auth_req.url();
let sso_nonce = SsoNonce::new(csrf_state.secret().to_string(), nonce.secret().to_string(), verifier, redirect_uri); let sso_nonce = SsoNonce::new(state, nonce.secret().to_string(), verifier, redirect_uri);
sso_nonce.save(&mut conn).await?; sso_nonce.save(&mut conn).await?;
Ok(auth_url) Ok(auth_url)
@ -276,8 +278,8 @@ async fn decode_code_claims(code: &str, conn: &mut DbConn) -> ApiResult<(String,
match auth::decode_jwt::<OIDCCodeClaims>(code, SSO_JWT_ISSUER.to_string()) { match auth::decode_jwt::<OIDCCodeClaims>(code, SSO_JWT_ISSUER.to_string()) {
Ok(code_claims) => match code_claims.code { Ok(code_claims) => match code_claims.code {
OIDCCodeWrapper::Ok { OIDCCodeWrapper::Ok {
code,
state, state,
code,
} => Ok((code, state)), } => Ok((code, state)),
OIDCCodeWrapper::Error { OIDCCodeWrapper::Error {
state, state,