mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-01-18 15:30:48 +01:00
Base64 encode state before sending it to providers
This commit is contained in:
parent
c0267e9bbb
commit
02a9ab5d48
2 changed files with 27 additions and 13 deletions
|
@ -931,10 +931,10 @@ fn prevalidate() -> JsonResult {
|
||||||
#[get("/connect/oidc-signin?<code>&<state>", rank = 1)]
|
#[get("/connect/oidc-signin?<code>&<state>", rank = 1)]
|
||||||
async fn oidcsignin(code: String, state: String, conn: DbConn) -> ApiResult<Redirect> {
|
async fn oidcsignin(code: String, state: String, conn: DbConn) -> ApiResult<Redirect> {
|
||||||
oidcsignin_redirect(
|
oidcsignin_redirect(
|
||||||
state.clone(),
|
state,
|
||||||
sso::OIDCCodeWrapper::Ok {
|
|decoded_state| sso::OIDCCodeWrapper::Ok {
|
||||||
|
state: decoded_state,
|
||||||
code,
|
code,
|
||||||
state,
|
|
||||||
},
|
},
|
||||||
&conn,
|
&conn,
|
||||||
)
|
)
|
||||||
|
@ -951,9 +951,9 @@ async fn oidcsignin_error(
|
||||||
conn: DbConn,
|
conn: DbConn,
|
||||||
) -> ApiResult<Redirect> {
|
) -> ApiResult<Redirect> {
|
||||||
oidcsignin_redirect(
|
oidcsignin_redirect(
|
||||||
state.clone(),
|
state,
|
||||||
sso::OIDCCodeWrapper::Error {
|
|decoded_state| sso::OIDCCodeWrapper::Error {
|
||||||
state,
|
state: decoded_state,
|
||||||
error,
|
error,
|
||||||
error_description,
|
error_description,
|
||||||
},
|
},
|
||||||
|
@ -962,9 +962,21 @@ async fn oidcsignin_error(
|
||||||
.await
|
.await
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// The state was encoded using Base64 to ensure no issue with providers.
|
||||||
// iss and scope parameters are needed for redirection to work on IOS.
|
// iss and scope parameters are needed for redirection to work on IOS.
|
||||||
async fn oidcsignin_redirect(state: String, wrapper: sso::OIDCCodeWrapper, conn: &DbConn) -> ApiResult<Redirect> {
|
async fn oidcsignin_redirect(
|
||||||
let code = sso::encode_code_claims(wrapper);
|
base64_state: String,
|
||||||
|
wrapper: impl FnOnce(String) -> sso::OIDCCodeWrapper,
|
||||||
|
conn: &DbConn,
|
||||||
|
) -> ApiResult<Redirect> {
|
||||||
|
let state = match data_encoding::BASE64.decode(base64_state.as_bytes()) {
|
||||||
|
Ok(vec) => match String::from_utf8(vec) {
|
||||||
|
Ok(valid) => valid,
|
||||||
|
Err(_) => err!(format!("Invalid utf8 chars in {base64_state} after base64 decoding")),
|
||||||
|
},
|
||||||
|
Err(_) => err!(format!("Failed to decode {base64_state} using base64")),
|
||||||
|
};
|
||||||
|
let code = sso::encode_code_claims(wrapper(state.clone()));
|
||||||
|
|
||||||
let nonce = match SsoNonce::find(&state, conn).await {
|
let nonce = match SsoNonce::find(&state, conn).await {
|
||||||
Some(n) => n,
|
Some(n) => n,
|
||||||
|
|
12
src/sso.rs
12
src/sso.rs
|
@ -81,8 +81,8 @@ pub fn encode_ssotoken_claims() -> String {
|
||||||
#[derive(Debug, Serialize, Deserialize)]
|
#[derive(Debug, Serialize, Deserialize)]
|
||||||
pub enum OIDCCodeWrapper {
|
pub enum OIDCCodeWrapper {
|
||||||
Ok {
|
Ok {
|
||||||
code: String,
|
|
||||||
state: String,
|
state: String,
|
||||||
|
code: String,
|
||||||
},
|
},
|
||||||
Error {
|
Error {
|
||||||
state: String,
|
state: String,
|
||||||
|
@ -209,9 +209,11 @@ impl CoreClientExt for CoreClient {
|
||||||
}
|
}
|
||||||
|
|
||||||
// The `nonce` allow to protect against replay attacks
|
// The `nonce` allow to protect against replay attacks
|
||||||
|
// The `state` is encoded using base64 to ensure no issue with providers (It contains the Organization identifier).
|
||||||
// redirect_uri from: https://github.com/bitwarden/server/blob/main/src/Identity/IdentityServer/ApiClient.cs
|
// redirect_uri from: https://github.com/bitwarden/server/blob/main/src/Identity/IdentityServer/ApiClient.cs
|
||||||
pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &str, mut conn: DbConn) -> ApiResult<Url> {
|
pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &str, mut conn: DbConn) -> ApiResult<Url> {
|
||||||
let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
|
let scopes = CONFIG.sso_scopes_vec().into_iter().map(Scope::new);
|
||||||
|
let base64_state = data_encoding::BASE64.encode(state.as_bytes());
|
||||||
|
|
||||||
let redirect_uri = match client_id {
|
let redirect_uri = match client_id {
|
||||||
"web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()),
|
"web" | "browser" => format!("{}/sso-connector.html", CONFIG.domain()),
|
||||||
|
@ -230,7 +232,7 @@ pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &st
|
||||||
let mut auth_req = client
|
let mut auth_req = client
|
||||||
.authorize_url(
|
.authorize_url(
|
||||||
AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
|
AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
|
||||||
|| CsrfToken::new(state),
|
|| CsrfToken::new(base64_state),
|
||||||
Nonce::new_random,
|
Nonce::new_random,
|
||||||
)
|
)
|
||||||
.add_scopes(scopes)
|
.add_scopes(scopes)
|
||||||
|
@ -244,9 +246,9 @@ pub async fn authorize_url(state: String, client_id: &str, raw_redirect_uri: &st
|
||||||
None
|
None
|
||||||
};
|
};
|
||||||
|
|
||||||
let (auth_url, csrf_state, nonce) = auth_req.url();
|
let (auth_url, _, nonce) = auth_req.url();
|
||||||
|
|
||||||
let sso_nonce = SsoNonce::new(csrf_state.secret().to_string(), nonce.secret().to_string(), verifier, redirect_uri);
|
let sso_nonce = SsoNonce::new(state, nonce.secret().to_string(), verifier, redirect_uri);
|
||||||
sso_nonce.save(&mut conn).await?;
|
sso_nonce.save(&mut conn).await?;
|
||||||
|
|
||||||
Ok(auth_url)
|
Ok(auth_url)
|
||||||
|
@ -276,8 +278,8 @@ async fn decode_code_claims(code: &str, conn: &mut DbConn) -> ApiResult<(String,
|
||||||
match auth::decode_jwt::<OIDCCodeClaims>(code, SSO_JWT_ISSUER.to_string()) {
|
match auth::decode_jwt::<OIDCCodeClaims>(code, SSO_JWT_ISSUER.to_string()) {
|
||||||
Ok(code_claims) => match code_claims.code {
|
Ok(code_claims) => match code_claims.code {
|
||||||
OIDCCodeWrapper::Ok {
|
OIDCCodeWrapper::Ok {
|
||||||
code,
|
|
||||||
state,
|
state,
|
||||||
|
code,
|
||||||
} => Ok((code, state)),
|
} => Ok((code, state)),
|
||||||
OIDCCodeWrapper::Error {
|
OIDCCodeWrapper::Error {
|
||||||
state,
|
state,
|
||||||
|
|
Loading…
Reference in a new issue