Fix element-desktop-ssoid being included in OIDC Authorization call (#12495)

* Fix `element-desktop-ssoid being` included in OIDC Authorization call Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Split out oidc callback url into its own method Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Fix unexpected hash on oidc callback url Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Update src/BasePlatform.ts Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
2024-11-22 01:05:42 +03:00 · 2024-05-13 14:31:08 +01:00 · 2024-05-13 14:31:08 +01:00 · cc6958980b
commit cc6958980b
parent ed7a21a63c
5 changed files with 17 additions and 6 deletions
--- a/src/BasePlatform.ts
+++ b/src/BasePlatform.ts
@ -315,7 +315,7 @@ export default abstract class BasePlatform {
    }

    /**
-     * The URL to return to after a successful SSO/OIDC authentication
+     * The URL to return to after a successful SSO authentication
     * @param fragmentAfterLogin optional fragment for specific view to return to
     */
    public getSSOCallbackUrl(fragmentAfterLogin = ""): URL {
@ -438,7 +438,7 @@ export default abstract class BasePlatform {
        return {
            clientName: config.brand,
            clientUri: this.baseUrl,
-            redirectUris: [this.getSSOCallbackUrl().href],
+            redirectUris: [this.getOidcCallbackUrl().href],
            logoUri: new URL("vector-icons/1024.png", this.baseUrl).href,
            applicationType: "web",
            // XXX: We break the spec by not consistently supplying these required fields
@ -457,4 +457,15 @@ export default abstract class BasePlatform {
    public getOidcClientState(): string {
        return "";
    }
+
+    /**
+     * The URL to return to after a successful OIDC authentication
+     */
+    public getOidcCallbackUrl(): URL {
+        const url = new URL(window.location.href);
+        // The redirect URL has to exactly match that registered at the OIDC server, so
+        // ensure that the fragment part of the URL is empty.
+        url.hash = "";
+        return url;
+    }
 }
--- a/src/Lifecycle.ts
+++ b/src/Lifecycle.ts
@ -720,7 +720,7 @@ async function createOidcTokenRefresher(credentials: IMatrixClientCreds): Promis
    try {
        const clientId = getStoredOidcClientId();
        const idTokenClaims = getStoredOidcIdTokenClaims();
-        const redirectUri = PlatformPeg.get()!.getSSOCallbackUrl().href;
+        const redirectUri = PlatformPeg.get()!.getOidcCallbackUrl().href;
        const deviceId = credentials.deviceId;
        if (!deviceId) {
            throw new Error("Expected deviceId in user credentials.");
--- a/src/stores/oidc/OidcClientStore.ts
+++ b/src/stores/oidc/OidcClientStore.ts
@ -169,7 +169,7 @@ export class OidcClientStore {
                ...metadata,
                authority: metadata.issuer,
                signingKeys,
-                redirect_uri: PlatformPeg.get()!.getSSOCallbackUrl().href,
+                redirect_uri: PlatformPeg.get()!.getOidcCallbackUrl().href,
                client_id: clientId,
            });
        } catch (error) {
--- a/src/utils/oidc/authorize.ts
+++ b/src/utils/oidc/authorize.ts
@ -40,7 +40,7 @@ export const startOidcLogin = async (
    identityServerUrl?: string,
    isRegistration?: boolean,
 ): Promise<void> => {
-    const redirectUri = PlatformPeg.get()!.getSSOCallbackUrl().href;
+    const redirectUri = PlatformPeg.get()!.getOidcCallbackUrl().href;

    const nonce = randomString(10);

--- a/test/utils/oidc/registerClient-test.ts
+++ b/test/utils/oidc/registerClient-test.ts
@ -44,7 +44,7 @@ describe("getOidcClientId()", () => {
                return baseUrl;
            },
        });
-        Object.defineProperty(PlatformPeg.get(), "getSSOCallbackUrl", {
+        Object.defineProperty(PlatformPeg.get(), "getOidcCallbackUrl", {
            value: () => ({
                href: baseUrl,
            }),