Add ssoToken to limit lifetime of SSO redirect (#1965)

This commit is contained in:
Matt Gibson 2022-06-27 15:53:15 -04:00 committed by GitHub
parent 109aeb49e4
commit 6e2e613fee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 16 additions and 5 deletions


@ -81,10 +81,12 @@ namespace Bit.App.Pages
} }
await _deviceActionService.ShowLoadingAsync(AppResources.LoggingIn); await _deviceActionService.ShowLoadingAsync(AppResources.LoggingIn);
string ssoToken;
try try
{ {
await _apiService.PreValidateSso(OrgIdentifier); var response = await _apiService.PreValidateSso(OrgIdentifier);
ssoToken = response.Token;
} }
catch (ApiException e) catch (ApiException e)
{ {
@ -112,7 +114,8 @@ namespace Bit.App.Pages
"response_type=code&scope=api%20offline_access&" + "response_type=code&scope=api%20offline_access&" +
"state=" + state + "&code_challenge=" + codeChallenge + "&" + "state=" + state + "&code_challenge=" + codeChallenge + "&" +
"code_challenge_method=S256&response_mode=query&" + "code_challenge_method=S256&response_mode=query&" +
"domain_hint=" + Uri.EscapeDataString(OrgIdentifier); "domain_hint=" + Uri.EscapeDataString(OrgIdentifier) + "&" +
"ssoToken=" + Uri.EscapeDataString(ssoToken);
WebAuthenticatorResult authResult = null; WebAuthenticatorResult authResult = null;
try try
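Review bot: `Uri.EscapeDataString(ssoToken)` on the last added line of the second hunk throws ArgumentNullException when `ssoToken` is null, and the `ssoToken = response.Token;` line of the first hunk throws NullReferenceException when `response` is null, and neither is covered by the `catch (ApiException e)` below it. That path is reachable: `PreValidateSso` deserializes the body with `JsonConvert.DeserializeObject`, which returns null for an empty or literal `null` body, so a server that does not emit the token would crash the login flow instead of showing an error. Guard the value right after the call, e.g. `if (string.IsNullOrEmpty(response?.Token)) { /* hide loading, show error, return */ }` and assign `ssoToken = response.Token;` only after it; the same null result should be considered in the `PreValidateSso` hunk of the service file. The enclosing method begins before the first hunk and continues after the second.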


@ -44,7 +44,7 @@ namespace Bit.Core.Abstractions
Task PutDeleteCipherAsync(string id); Task PutDeleteCipherAsync(string id);
Task<CipherResponse> PutRestoreCipherAsync(string id); Task<CipherResponse> PutRestoreCipherAsync(string id);
Task RefreshIdentityTokenAsync(); Task RefreshIdentityTokenAsync();
Task<object> PreValidateSso(string identifier); Task<SsoPrevalidateResponse> PreValidateSso(string identifier);
Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path, Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path,
TRequest body, bool authed, bool hasResponse, bool logoutOnUnauthorized = true); TRequest body, bool authed, bool hasResponse, bool logoutOnUnauthorized = true);
void SetUrls(EnvironmentUrls urls); void SetUrls(EnvironmentUrls urls);


@ -0,0 +1,7 @@
namespace Bit.Core.Models.Response
{
public class SsoPrevalidateResponse
{
public string Token { get; set; }
}
}
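Review bot: The new model carries no documentation, and `Token` is the one field a downstream security step depends on: it is echoed to the identity server as the `ssoToken` query parameter of the SSO redirect. A summary on the class such as `/// <summary>Body of the /account/prevalidate response; <see cref="Token"/> is the token the client echoes back as <c>ssoToken</c> on the SSO redirect (short-lived, per the commit title — confirm against the server).</summary>` would tell a maintainer why the value should be requested fresh for each login attempt rather than stored. Marking the class `sealed` would also match its role as a plain deserialization target, in line with `public sealed class` elsewhere being the default for non-inheritable DTOs.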


@ -547,7 +547,7 @@ namespace Bit.Core.Services
return accessToken; return accessToken;
} }
public async Task<object> PreValidateSso(string identifier) public async Task<SsoPrevalidateResponse> PreValidateSso(string identifier)
{ {
var path = "/account/prevalidate?domainHint=" + WebUtility.UrlEncode(identifier); var path = "/account/prevalidate?domainHint=" + WebUtility.UrlEncode(identifier);
using (var requestMessage = new HttpRequestMessage()) using (var requestMessage = new HttpRequestMessage())
@ -571,7 +571,8 @@ namespace Bit.Core.Services
var error = await HandleErrorAsync(response, false, true); var error = await HandleErrorAsync(response, false, true);
throw new ApiException(error); throw new ApiException(error);
} }
return null; var responseJsonString = await response.Content.ReadAsStringAsync();
return JsonConvert.DeserializeObject<SsoPrevalidateResponse>(responseJsonString);
} }
} }
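Review bot: The new success path in the second hunk hand-deserializes the body into `SsoPrevalidateResponse`, yet the signature in the first hunk documents neither the return contract nor that `JsonConvert.DeserializeObject` yields null for an empty or literal `null` body, so callers cannot see from `Task<SsoPrevalidateResponse>` that a null return is possible. Add XML doc above the method: `/// <summary>Calls /account/prevalidate for <paramref name="identifier"/> and returns the deserialized response whose Token is echoed on the SSO redirect; may be null if the server sent no body.</summary>` with `/// <exception cref="ApiException">Thrown when the response is not successful (the check sits between the hunks).</exception>`. If the service's generic `SendAsync<TRequest, TResponse>` already performs this read-and-deserialize step, routing this call through it would keep JSON settings and error handling consistent with the rest of the class, though that depends on code outside the hunk. The method body spans both hunks, with the request setup between them outside SOURCE.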