3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-01 16:01:26 +02:00
Code Issues Projects Releases Packages Wiki Activity

authenticate: fix identity provider id in encrypted query string (#4006)

Browse source 
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
This commit is contained in:
Caleb Doxsey 2023-02-23 08:30:50 -07:00 committed by GitHub
parent df54a0c603
commit 00c047b114
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

29
authenticate/handlers.go
View file

@ -133,7 +133,7 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
defer span.End()
state := a.state.Load()
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
idpID := a.getIdentityProviderIDForRequest(r)
sessionState, err := a.getSessionFromCtx(ctx)
if err != nil {
@ -247,7 +247,7 @@ func (a *Authenticate) signOutRedirect(w http.ResponseWriter, r *http.Request) e
defer span.End()
options := a.options.Load()
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
idpID := a.getIdentityProviderIDForRequest(r)
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
if err != nil {
@ -304,7 +304,7 @@ func (a *Authenticate) reauthenticateOrFail(w http.ResponseWriter, r *http.Reque
state := a.state.Load()
options := a.options.Load()
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
idpID := a.getIdentityProviderIDForRequest(r)
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
if err != nil {
@ -408,7 +408,7 @@ Or contact your administrator.
`, redirectURL.String(), redirectURL.String()))
}
idpID := redirectURL.Query().Get(urlutil.QueryIdentityProviderID)
idpID := a.getIdentityProviderIDForURLValues(redirectURL.Query())
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
if err != nil {
@ -588,3 +588,24 @@ func (a *Authenticate) saveCallbackSession(w http.ResponseWriter, r *http.Reques
}
return rawJWT, nil
}
func (a *Authenticate) getIdentityProviderIDForRequest(r *http.Request) string {
if err := r.ParseForm(); err != nil {
return ""
}
return a.getIdentityProviderIDForURLValues(r.Form)
}
func (a *Authenticate) getIdentityProviderIDForURLValues(vs url.Values) string {
state := a.state.Load()
idpID := ""
if _, requestParams, err := hpke.DecryptURLValues(state.hpkePrivateKey, vs); err == nil {
if idpID == "" {
idpID = requestParams.Get(urlutil.QueryIdentityProviderID)
}
}
if idpID == "" {
idpID = vs.Get(urlutil.QueryIdentityProviderID)
}
return idpID
}