From 2c4b7e5f3632a9893680eb850737371219a86ca4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Robles?=
Date: Wed, 17 Apr 2024 18:37:17 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9E=20OIDC:=20Use=20Authorization=20Co?=
 =?UTF-8?q?de=20Flow=20instead=20of=20implicit=20flow=20(#388)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Parent issue: https://github.com/sequentech/meta/issues/716
---
 avRegistration/login-directive/login-directive.js | 14 +++++++++-----
 dist/appCommon-v10.3.0.js | 14 ++++++++------
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/avRegistration/login-directive/login-directive.js b/avRegistration/login-directive/login-directive.js
index f7b24296..e5d2929c 100644
--- a/avRegistration/login-directive/login-directive.js
+++ b/avRegistration/login-directive/login-directive.js
@@ -272,7 +272,7 @@ angular.module('avRegistration')
 // validate csrf token format and data
 var csrf = scope.csrf = angular.fromJson($cookies.get(OIDC_CSRF_COOKIE));
- var uri = "?" + $window.location.hash.substr(1);
+ var uri = $window.location.search;
 // NOTE: if you need to debug this callback, obtain the callback
 // URL, get the callback received in the server (to obtain the
@@ -320,6 +320,7 @@ angular.module('avRegistration')
 }
 autheventid = scope.eventId = attrs.eventId = scope.csrf.eventId;
 scope.selectedAltMethod = scope.csrf.altAuthMethodId;
+ scope.setLoginOIDC = true;
 } else {
 autheventid = scope.eventId = attrs.eventId;
 }
@@ -375,11 +376,11 @@ angular.module('avRegistration')
 // obtain the openid login data
 function getOpenidLoginData() {
- var uri = "?" + $window.location.hash.substr(1);
+ var uri = $window.location.search;
 // Auth data to send back to our backend
 var data = {
- id_token: getURIParameter("id_token", uri),
+ code: getURIParameter("code", uri),
 provider_id: scope.csrf.providerId,
 nonce: scope.csrf.randomNonce
 };
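Review bot: With `uri = $window.location.search` the authorization code now travels in the query string rather than the fragment, so unlike the old `id_token` it reaches the server that serves the callback page and can be recorded in access logs or forwarded in the Referer of any resource that page loads. Once `uri` has been captured here, consider dropping the query from the address bar, e.g. `$window.history.replaceState(null, '', $window.location.pathname);`, so the code is not kept in browser history or sent onward — assuming the router tolerates it, which I cannot confirm from this hunk. The `state` comparison against the `OIDC_CSRF` cookie that follows (visible in the dist copy) still binds the callback to the initiating session, which is the right check to keep. The enclosing validation function starts and ends outside the hunk.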
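Review bot: `scope.setLoginOIDC = true;` is a one-way flag whose only consumer is two hunks away (`@@ -1025`), and nothing at the assignment says why the validated-callback branch needs it. Add `// OIDC callback validated: auto-submit the returned code to the backend once the form has initialised` above it so the coupling is visible to the next reader; a name that reads as state, such as `autoLoginOIDC`, would also fit better than one that reads as an action. The enclosing branch starts outside the hunk.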
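Review bot: `code` is not guaranteed to be present on this callback — a provider that refuses the request redirects back with `error` and `error_description` instead of `code` — and `getOpenidLoginData` does not check for that, so whatever `getURIParameter` yields for a missing parameter is posted to the backend as `code` and written to the `code_` cookie in the next hunk. Check `getURIParameter("error", uri)` and the absence of `code` before building `data`, and route those cases through the existing `setOIDCErrorCookie`/`redirectToLogin` path rather than submitting. The function's remainder is in the following hunk (`@@ -392`).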
@@ -392,7 +393,7 @@ angular.module('avRegistration')
 }
 var postfix = "_authevent_" + scope.csrf.eventId;
- $cookies.put("id_token_" + postfix, data.id_token, options);
+ $cookies.put("code_" + postfix, data.code, options);
 return data;
 }
@@ -1025,6 +1026,9 @@ angular.module('avRegistration')
 ) {
 scope.loginUser(true);
 }
+ if (scope.setLoginOIDC) {
+ scope.loginUser(true);
+ }
 };
 scope.view = function(id) {
@@ -1107,7 +1111,7 @@ angular.module('avRegistration')
 // Craft the OpenID Connect auth URI
 var authURI = (provider.public_info.authorization_endpoint +
- "?response_type=id_token" +
+ "?response_type=code" +
 "&client_id=" + encodeURIComponent(provider.public_info.client_id) +
 "&scope=" + encodeURIComponent(provider.public_info.scope) +
 "&redirect_uri=" + encodeURIComponent(
diff --git a/dist/appCommon-v10.3.0.js b/dist/appCommon-v10.3.0.js
index 319426b2..4a79dec6 100644
--- a/dist/appCommon-v10.3.0.js
+++ b/dist/appCommon-v10.3.0.js
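Review bot: The authorization code is persisted in a script-readable cookie for the lifetime set in `options` (presumably the `expires` of `authTokenExpirationSeconds` that the dist copy shows), even though under the code flow it is a single-use credential the backend consumes on the very next request. If nothing reads `code_<postfix>` after `loginUser` completes, drop the `$cookies.put` altogether; if something does, `$cookies.remove` it as soon as the backend has answered. Should it have to stay, add `secure: true` to `options` so it is never sent over plain HTTP — assuming the app is served over TLS. `getOpenidLoginData` begins in the previous hunk.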
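Review bot: `scope.setLoginOIDC` is never cleared, so if this handler runs again — it looks like it is re-evaluated whenever the filled-fields check above it runs, though the enclosing function starts outside the hunk — `loginUser(true)` is re-entered and the same single-use authorization code is posted a second time, which the backend should reject and the user then sees as a spurious error. Clear the flag before submitting: `if (scope.setLoginOIDC) { scope.setLoginOIDC = false; scope.loginUser(true); }`. The generated copy at `@@ -703` in dist/appCommon-v10.3.0.js has the same shape and would need regenerating.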
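Review bot: The request now asks for `response_type=code` but carries no PKCE `code_challenge`, so the code delivered to the redirect URI is tied to the initiating session only by `state` and `nonce`; the OAuth 2.0 Security BCP recommends PKCE for every code-flow client. Because the code is exchanged by the backend (per the "Auth data to send back to our backend" comment in `@@ -375`), adding it means generating a verifier here, keeping it next to `randomNonce` in the CSRF cookie, appending `&code_challenge=<S256 of verifier>&code_challenge_method=S256` to `authURI`, and sending the verifier alongside `code` from `getOpenidLoginData` — a backend change as well, so probably a follow-up rather than this commit. The `authURI` expression continues past the hunk.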
@@ -517,11 +517,12 @@ angular.module("avRegistration").config(function() {}), angular.module("avRegist if (!function() { if (!$cookies.get("OIDC_CSRF")) return setOIDCErrorCookie("unexpectedOIDCRedirect"), void redirectToLogin(); - var csrf = scope.csrf = angular.fromJson($cookies.get("OIDC_CSRF")), uri = "?" + $window.location.hash.substr(1); + var csrf = scope.csrf = angular.fromJson($cookies.get("OIDC_CSRF")), uri = $window.location.search; return $cookies.remove("OIDC_CSRF"), !!csrf && angular.isObject(csrf) && angular.isString(csrf.randomState) && angular.isString(csrf.randomNonce) && angular.isString(csrf.providerId) && angular.isNumber(csrf.created) && angular.isDefined(csrf.altAuthMethodId) && getURIParameter("state", uri) === csrf.randomState && csrf.created - Date.now() < ConfigService.authTokenExpirationSeconds ? 1 : (setOIDCErrorCookie("invalidCsrf"), void redirectToLogin()); }()) return; - autheventid = scope.eventId = attrs.eventId = scope.csrf.eventId, scope.selectedAltMethod = scope.csrf.altAuthMethodId; + autheventid = scope.eventId = attrs.eventId = scope.csrf.eventId, scope.selectedAltMethod = scope.csrf.altAuthMethodId, + scope.setLoginOIDC = !0; } else autheventid = scope.eventId = attrs.eventId; scope.orgName = ConfigService.organization.orgName; var autheventCookie = $cookies.get("authevent_" + adminId), authCookie = $cookies.get("auth_authevent_" + adminId); 
@@ -595,13 +596,13 @@ angular.module("avRegistration").config(function() {}), angular.module("avRegist var data = {}; if (scope.isOpenId) data = function() { var data = { - id_token: getURIParameter("id_token", "?" + $window.location.hash.substr(1)), + code: getURIParameter("code", $window.location.search), provider_id: scope.csrf.providerId, nonce: scope.csrf.randomNonce }, options = {}; ConfigService.authTokenExpirationSeconds && (options.expires = new Date(Date.now() + 1e3 * ConfigService.authTokenExpirationSeconds)); var postfix = "_authevent_" + scope.csrf.eventId; - return $cookies.put("id_token_" + postfix, data.id_token, options), data; + return $cookies.put("code_" + postfix, data.code, options), data; }(); else { if (!scope.withCode && (scope.hasOtpFieldsCode || _.contains([ "sms-otp", "email-otp" ], scope.method)) && 0 === scope.currentFormStep) return void scope.resendAuthCode(); data.captcha_code = Authmethod.captcha_code; @@ -703,7 +704,8 @@ angular.module("avRegistration").config(function() {}), angular.module("avRegist filledFields = _.filter(filledFields, function(el) { return null !== el.value || "otp-code" === el.type; }); - !scope.isOpenId && filledFields.length !== scope.login_fields.length || scope.isOpenId || scope.isOtl || scope.isCensusQuery || scope.withCode || scope.oidcError || scope.loginUser(!0); + !scope.isOpenId && filledFields.length !== scope.login_fields.length || (scope.isOpenId || scope.isOtl || scope.isCensusQuery || scope.withCode || scope.oidcError || scope.loginUser(!0), + scope.setLoginOIDC && scope.loginUser(!0)); }, scope.view = function(id) { Authmethod.viewEvent(id).then(function(altAuthMethod) { "ok" === altAuthMethod.data.status ? (scope.base_authevent = angular.copy(altAuthMethod.data.events), 
@@ -730,7 +732,7 @@ angular.module("avRegistration").config(function() {}), angular.module("avRegist created: Date.now(), eventId: scope.eventId, providerId: provider.public_info.id - }), options), authURI = provider.public_info.authorization_endpoint + "?response_type=id_token&client_id=" + encodeURIComponent(provider.public_info.client_id) + "&scope=" + encodeURIComponent(provider.public_info.scope) + "&redirect_uri=" + encodeURIComponent($window.location.origin + "/election/login-openid-connect-redirect") + "&state=" + randomState + "&nonce=" + authURI, + }), options), authURI = provider.public_info.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(provider.public_info.client_id) + "&scope=" + encodeURIComponent(provider.public_info.scope) + "&redirect_uri=" + encodeURIComponent($window.location.origin + "/election/login-openid-connect-redirect") + "&state=" + randomState + "&nonce=" + authURI, $window.location.href = authURI) : setError("providerNotFound", "avRegistration.loginError.openid-connect.providerNotFound"); }; },