AD FS namespace OIDC bug fix #19460

Merged: 10 commits merged on Mar 23, 2023

@Monkeychip Monkeychip commented Mar 6, 2023

This PR #15378 implemented using the URL API because Ember was stripping out the ns param via the paramsFor method. While implementing a fix for cluster namespace flags (PR #16886), we discovered paramsFor was no longer stripping out the namespace.

However, this introduced a regression because AD FS decodes the namespace portion of the state query param in the callback URI, but doesn't separate it as a separate query param using &. Thus paramsFor was unable to recognize ns as a separate parameter and authentication failed. (See these lines in the test file for examples and a more in-depth explanation.)

Thanks to @austingebauer for checking out this branch and testing it with his local AD FS setup to confirm this does in fact fix the issue!

@Monkeychip Monkeychip added the ui, backport/1.12.x and bug labels Mar 6, 2023
@Monkeychip Monkeychip added this to the 1.13.1 milestone Mar 6, 2023
@Monkeychip Monkeychip closed this Mar 15, 2023
@Monkeychip Monkeychip deleted the ui/VAULT-13897/regression-namespace-oidc branch March 15, 2023 15:16
@Monkeychip Monkeychip restored the ui/VAULT-13897/regression-namespace-oidc branch March 16, 2023 17:10
@Monkeychip Monkeychip reopened this Mar 16, 2023

@zofskeez zofskeez left a comment

Thanks for tackling this and leaving great comments describing the case for the fix!

Comment on lines +177 to +188
/*
If authenticating to a namespace, most SSO providers return a callback url
with a 'state' query param that includes a URI encoded namespace, example:
'?code=BZBDVPMz0By2JTqulEMWX5-6rflW3A20UAusJYHEeFygJ&state=sst_yOarDguU848w5YZuotLs%2Cns%3Dadmin'

Active Directory Federation Service (AD FS), instead, decodes the namespace portion:
'?code=BZBDVPMz0By2JTqulEMWX5-6rflW3A20UAusJYHEeFygJ&state=st_yOarDguU848w5YZuotLs,ns=admin'

'ns' isn't recognized as a separate param because there is no ampersand, so using this.paramsFor() returns
a namespace-less state and authentication fails
{ state: 'st_yOarDguU848w5YZuotLs,ns' }
*/
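
Review bot: The two example callback URLs in this comment use different state tokens ('sst_yOarDguU848w5YZuotLs' in the encoded example, 'st_yOarDguU848w5YZuotLs' in the AD FS example and in the paramsFor result), which reads as if AD FS altered the token itself and not only the encoding of ',ns=admin'. Use the same token in all three lines so the only visible difference is %2C and %3D versus ',' and '='. It would also help to say explicitly that everything after the second '=' is what gets dropped, since the result shown ends in ',ns'.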

Great comments here thanks!

Thanks for all these test updates 🎉

@hellobontempo hellobontempo enabled auto-merge (squash) March 23, 2023 00:25
@hellobontempo hellobontempo merged commit dcb44bb into main Mar 23, 2023
hellobontempo added a commit that referenced this pull request Mar 23, 2023
* the fix

* changelog

* clair fix

* add test

* update changelog

* clarify comment

* remove state from paramsFor completely, update tests

* Revert "remove state from paramsFor completely, update tests"

This reverts commit bea042f.

* add tests with skips until not flaky

---------

Co-authored-by: [email protected] <[email protected]>
Co-authored-by: claire bontempo <[email protected]>
@hellobontempo hellobontempo changed the title Regression bug fix OIDC namespace AD FS namespace OIDC bug fix Mar 23, 2023
hellobontempo added a commit that referenced this pull request Mar 23, 2023
* the fix

* changelog

* clair fix

* add test

* update changelog

* clarify comment

* remove state from paramsFor completely, update tests

* Revert "remove state from paramsFor completely, update tests"

This reverts commit bea042f.

* add tests with skips until not flaky

---------

Co-authored-by: Angel Garbarino <[email protected]>

It may seem redundant to first get namespace using paramsFor and then again using window.location.search, but if the namespace is from the cluster (i.e. HCP namespace flag), window.location.search is empty, and so we have to use paramsFor to initially assign those variables.

@hellobontempo hellobontempo deleted the ui/VAULT-13897/regression-namespace-oidc branch March 23, 2023 18:56
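
The two callback shapes discussed in this PR, and the cluster-namespace fallback mentioned in the last comment, as an added example that is not the Vault UI's code. `naiveParse`, `parseOidcCallback` and `fallbackNamespace` are hypothetical names, and the query strings are constructed; `naiveParse` is only a stand-in that reproduces the truncated state shown in the code comment, not Ember's implementation.

```javascript
// Added example, not Vault UI code. All function names are hypothetical.

// Stand-in parser that keeps only the text between the first and second
// '=' of each pair. It reproduces the truncated state described above.
function naiveParse(search) {
  const out = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    const [key, value = ''] = pair.split('=');
    out[key] = decodeURIComponent(value);
  }
  return out;
}

// Parse with the URL API: a value is everything after the first '=',
// so the encoded and the AD FS-decoded callbacks yield the same string.
function parseOidcCallback(search, fallbackNamespace = '') {
  const params = new URLSearchParams(search);
  const rawState = params.get('state') || '';
  const marker = ',ns=';
  const idx = rawState.indexOf(marker);
  // No ',ns=' in state: keep the namespace supplied by the caller
  // (for example one taken from a cluster-level setting).
  const state = idx === -1 ? rawState : rawState.slice(0, idx);
  const namespace =
    idx === -1 ? fallbackNamespace : rawState.slice(idx + marker.length);
  return { code: params.get('code'), state, namespace };
}

// Constructed callback query strings (values are made up).
const ENCODED = '?code=abc123&state=st_xyz%2Cns%3Dadmin';
const ADFS = '?code=abc123&state=st_xyz,ns=admin';

console.log(naiveParse(ADFS).state);      // namespace lost
console.log(parseOidcCallback(ENCODED));  // state and namespace separated
console.log(parseOidcCallback(ADFS));     // same result as the encoded form
```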