authenticate: fix identity provider id in encrypted query string

2025-08-01 16:01:26 +02:00 · 2023-02-22 13:10:12 -07:00 · 2023-02-22 13:10:12 -07:00 · 21e5868c8e
commit 21e5868c8e
parent 62ca7ffaa2
1 changed files with 25 additions and 4 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -128,7 +128,7 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
 		defer span.End()

 		state := a.state.Load()
-		idpID := r.FormValue(urlutil.QueryIdentityProviderID)
+		idpID := a.getIdentityProviderIDForRequest(r)

 		sessionState, err := a.getSessionFromCtx(ctx)
 		if err != nil {
@ -242,7 +242,7 @@ func (a *Authenticate) signOutRedirect(w http.ResponseWriter, r *http.Request) e
 	defer span.End()

 	options := a.options.Load()
-	idpID := r.FormValue(urlutil.QueryIdentityProviderID)
+	idpID := a.getIdentityProviderIDForRequest(r)

 	authenticator, err := a.cfg.getIdentityProvider(options, idpID)
 	if err != nil {
@ -299,7 +299,7 @@ func (a *Authenticate) reauthenticateOrFail(w http.ResponseWriter, r *http.Reque

 	state := a.state.Load()
 	options := a.options.Load()
-	idpID := r.FormValue(urlutil.QueryIdentityProviderID)
+	idpID := a.getIdentityProviderIDForRequest(r)

 	authenticator, err := a.cfg.getIdentityProvider(options, idpID)
 	if err != nil {
@ -403,7 +403,7 @@ Or contact your administrator.
 `, redirectURL.String(), redirectURL.String()))
 	}

-	idpID := redirectURL.Query().Get(urlutil.QueryIdentityProviderID)
+	idpID := a.getIdentityProviderIDForURLValues(redirectURL.Query())

 	authenticator, err := a.cfg.getIdentityProvider(options, idpID)
 	if err != nil {
@ -583,3 +583,24 @@ func (a *Authenticate) saveCallbackSession(w http.ResponseWriter, r *http.Reques
 	}
 	return rawJWT, nil
 }
+
+func (a *Authenticate) getIdentityProviderIDForRequest(r *http.Request) string {
+	if err := r.ParseForm(); err != nil {
+		return ""
+	}
+	return a.getIdentityProviderIDForURLValues(r.Form)
+}
+
+func (a *Authenticate) getIdentityProviderIDForURLValues(vs url.Values) string {
+	state := a.state.Load()
+	idpID := ""
+	if _, requestParams, err := hpke.DecryptURLValues(state.hpkePrivateKey, vs); err == nil {
+		if idpID == "" {
+			idpID = requestParams.Get(urlutil.QueryIdentityProviderID)
+		}
+	}
+	if idpID == "" {
+		idpID = vs.Get(urlutil.QueryIdentityProviderID)
+	}
+	return idpID
+}