authenticate: fix identity provider id in encrypted query string (#4006)
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
This commit is contained in:
parent
df54a0c603
commit
00c047b114
1 changed files with 25 additions and 4 deletions
|
@ -133,7 +133,7 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
|
||||||
defer span.End()
|
defer span.End()
|
||||||
|
|
||||||
state := a.state.Load()
|
state := a.state.Load()
|
||||||
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
|
idpID := a.getIdentityProviderIDForRequest(r)
|
||||||
|
|
||||||
sessionState, err := a.getSessionFromCtx(ctx)
|
sessionState, err := a.getSessionFromCtx(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -247,7 +247,7 @@ func (a *Authenticate) signOutRedirect(w http.ResponseWriter, r *http.Request) e
|
||||||
defer span.End()
|
defer span.End()
|
||||||
|
|
||||||
options := a.options.Load()
|
options := a.options.Load()
|
||||||
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
|
idpID := a.getIdentityProviderIDForRequest(r)
|
||||||
|
|
||||||
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
|
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -304,7 +304,7 @@ func (a *Authenticate) reauthenticateOrFail(w http.ResponseWriter, r *http.Reque
|
||||||
|
|
||||||
state := a.state.Load()
|
state := a.state.Load()
|
||||||
options := a.options.Load()
|
options := a.options.Load()
|
||||||
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
|
idpID := a.getIdentityProviderIDForRequest(r)
|
||||||
|
|
||||||
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
|
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -408,7 +408,7 @@ Or contact your administrator.
|
||||||
`, redirectURL.String(), redirectURL.String()))
|
`, redirectURL.String(), redirectURL.String()))
|
||||||
}
|
}
|
||||||
|
|
||||||
idpID := redirectURL.Query().Get(urlutil.QueryIdentityProviderID)
|
idpID := a.getIdentityProviderIDForURLValues(redirectURL.Query())
|
||||||
|
|
||||||
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
|
authenticator, err := a.cfg.getIdentityProvider(options, idpID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -588,3 +588,24 @@ func (a *Authenticate) saveCallbackSession(w http.ResponseWriter, r *http.Reques
|
||||||
}
|
}
|
||||||
return rawJWT, nil
|
return rawJWT, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (a *Authenticate) getIdentityProviderIDForRequest(r *http.Request) string {
|
||||||
|
if err := r.ParseForm(); err != nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
return a.getIdentityProviderIDForURLValues(r.Form)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *Authenticate) getIdentityProviderIDForURLValues(vs url.Values) string {
|
||||||
|
state := a.state.Load()
|
||||||
|
idpID := ""
|
||||||
|
if _, requestParams, err := hpke.DecryptURLValues(state.hpkePrivateKey, vs); err == nil {
|
||||||
|
if idpID == "" {
|
||||||
|
idpID = requestParams.Get(urlutil.QueryIdentityProviderID)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if idpID == "" {
|
||||||
|
idpID = vs.Get(urlutil.QueryIdentityProviderID)
|
||||||
|
}
|
||||||
|
return idpID
|
||||||
|
}
|
||||||
|
|
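Review bot: The inner `if idpID == ""` guard inside the DecryptURLValues branch of getIdentityProviderIDForURLValues is always true, because idpID is initialised to the empty string on the line just before the decrypt call and nothing assigns it in between; the branch body can simply be `idpID = requestParams.Get(urlutil.QueryIdentityProviderID)`. The precedence this helper establishes deserves a doc comment, since the plaintext fallback is taken not only when the values carry no encrypted payload but also when DecryptURLValues returns an error, e.g. `// getIdentityProviderIDForURLValues prefers the identity provider id carried in the HPKE-encrypted parameters and falls back to the plaintext query parameter when there is no encrypted payload, decryption fails, or the encrypted parameters omit the id.` If a payload that fails to decrypt should not be allowed to fall through to the plaintext value, the decryption error would need to be distinguished from the absent-payload case, which this hunk does not do. Note also that getIdentityProviderIDForRequest calls r.ParseForm, whereas the replaced call sites in the earlier hunks used r.FormValue, which additionally parses multipart bodies; that is a behaviour difference for multipart POST requests if any caller relied on it.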