From cc6958980b32f8afc7140c0718b56b04e33c43de Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Mon, 13 May 2024 14:31:08 +0100
Subject: [PATCH] Fix `element-desktop-ssoid being` included in OIDC Authorization call (#12495)
* Fix `element-desktop-ssoid being` included in OIDC Authorization call
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Split out oidc callback url into its own method
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Fix unexpected hash on oidc callback url
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Update src/BasePlatform.ts
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
---
 src/BasePlatform.ts | 15 +++++++++++++--
 src/Lifecycle.ts | 2 +-
 src/stores/oidc/OidcClientStore.ts | 2 +-
 src/utils/oidc/authorize.ts | 2 +-
 test/utils/oidc/registerClient-test.ts | 2 +-
 5 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/BasePlatform.ts b/src/BasePlatform.ts
index 2dd9ac17cf..5950233641 100644
--- a/src/BasePlatform.ts
+++ b/src/BasePlatform.ts
@@ -315,7 +315,7 @@ export default abstract class BasePlatform {
 }
 /**
- * The URL to return to after a successful SSO/OIDC authentication
+ * The URL to return to after a successful SSO authentication
 * @param fragmentAfterLogin optional fragment for specific view to return to
 */
 public getSSOCallbackUrl(fragmentAfterLogin = ""): URL {
@@ -438,7 +438,7 @@ export default abstract class BasePlatform {
 return {
 clientName: config.brand,
 clientUri: this.baseUrl,
- redirectUris: [this.getSSOCallbackUrl().href],
+ redirectUris: [this.getOidcCallbackUrl().href],
 logoUri: new URL("vector-icons/1024.png", this.baseUrl).href,
 applicationType: "web",
 // XXX: We break the spec by not consistently supplying these required fields
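Review bot: The reworded docstring on getSSOCallbackUrl at -315 now describes SSO only, but nothing in it steers an OIDC caller away from the method, and the redirect-URI mismatch this commit fixes came from exactly such a call. A cross-reference would make the split discoverable: `* For OIDC flows use getOidcCallbackUrl instead: that value must equal the redirect URI given in the OIDC client metadata.` The `element-desktop-ssoid` parameter named in the commit title presumably comes from a platform override of this method that is outside the hunk; if so, the docstring could also say that overrides may add query parameters here but never to the OIDC variant. Both hunks sit inside BasePlatform, whose body starts and ends outside this view, and the body of getSSOCallbackUrl continues after the hunk.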
@@ -457,4 +457,15 @@ export default abstract class BasePlatform {
 public getOidcClientState(): string {
 return "";
 }
+
+ /**
+ * The URL to return to after a successful OIDC authentication
+ */
+ public getOidcCallbackUrl(): URL {
+ const url = new URL(window.location.href);
+ // The redirect URL has to exactly match that registered at the OIDC server, so
+ // ensure that the fragment part of the URL is empty.
+ url.hash = "";
+ return url;
+ }
 }
diff --git a/src/Lifecycle.ts b/src/Lifecycle.ts
index cbc1f19915..8b04f74afc 100644
--- a/src/Lifecycle.ts
+++ b/src/Lifecycle.ts
@@ -720,7 +720,7 @@ async function createOidcTokenRefresher(credentials: IMatrixClientCreds): Promis
 try {
 const clientId = getStoredOidcClientId();
 const idTokenClaims = getStoredOidcIdTokenClaims();
- const redirectUri = PlatformPeg.get()!.getSSOCallbackUrl().href;
+ const redirectUri = PlatformPeg.get()!.getOidcCallbackUrl().href;
 const deviceId = credentials.deviceId;
 if (!deviceId) {
 throw new Error("Expected deviceId in user credentials.");
diff --git a/src/stores/oidc/OidcClientStore.ts b/src/stores/oidc/OidcClientStore.ts
index 04328dfc94..ffe6977390 100644
--- a/src/stores/oidc/OidcClientStore.ts
+++ b/src/stores/oidc/OidcClientStore.ts
@@ -169,7 +169,7 @@ export class OidcClientStore {
 ...metadata,
 authority: metadata.issuer,
 signingKeys,
- redirect_uri: PlatformPeg.get()!.getSSOCallbackUrl().href,
+ redirect_uri: PlatformPeg.get()!.getOidcCallbackUrl().href,
 client_id: clientId,
 });
 } catch (error) {
diff --git a/src/utils/oidc/authorize.ts b/src/utils/oidc/authorize.ts
index 3cb4147680..345fb42969 100644
--- a/src/utils/oidc/authorize.ts
+++ b/src/utils/oidc/authorize.ts
@@ -40,7 +40,7 @@ export const startOidcLogin = async (
 identityServerUrl?: string,
 isRegistration?: boolean,
 ): Promise => {
- const redirectUri = PlatformPeg.get()!.getSSOCallbackUrl().href;
+ const redirectUri = PlatformPeg.get()!.getOidcCallbackUrl().href;
 const nonce = randomString(10);
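Review bot: getOidcCallbackUrl at -457 clears only the fragment, although its own comment says the value has to exactly match the URI registered at the OIDC server, and `new URL(window.location.href)` keeps whatever query string the page currently carries. If the app can be loaded with query parameters, the value sent from the authorize.ts, Lifecycle.ts and OidcClientStore.ts hunks can then differ from the `redirectUris` client metadata in the -438 hunk, so either clear it as well, `url.search = "";`, or state in the docstring why the query string is intentionally part of the redirect URI. Since the method exists so that platform-specific parameters such as `element-desktop-ssoid` are no longer appended (per the commit title), the docstring should also warn overriders: `Platform overrides must return a URL identical to the one given in the OIDC client metadata; do not add query parameters here.` The enclosing class starts outside the hunk, which ends at the class's closing brace.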
diff --git a/test/utils/oidc/registerClient-test.ts b/test/utils/oidc/registerClient-test.ts
index bf8d179329..9d8ba0ac16 100644
--- a/test/utils/oidc/registerClient-test.ts
+++ b/test/utils/oidc/registerClient-test.ts
@@ -44,7 +44,7 @@ describe("getOidcClientId()", () => {
 return baseUrl;
 },
 });
- Object.defineProperty(PlatformPeg.get(), "getSSOCallbackUrl", {
+ Object.defineProperty(PlatformPeg.get(), "getOidcCallbackUrl", {
 value: () => ({
 href: baseUrl,
 }),