janhoy commented on code in PR #1791: URL: https://github.com/apache/solr/pull/1791#discussion_r1292753402
########## solr/webapp/web/js/angular/controllers/login.js: ########## @@ -60,92 +60,169 @@ solrAdminApp.controller('LoginController', var hp = AuthenticationService.decodeHashParams(hash); var expectedState = sessionStorage.getItem("auth.stateRandom") + "_" + sessionStorage.getItem("auth.location"); sessionStorage.setItem("auth.state", "error"); - if (hp['access_token'] && hp['token_type'] && hp['state']) { - // Validate state - if (hp['state'] !== expectedState) { - $scope.error = "Problem with auth callback"; - console.log("Expected state param " + expectedState + " but got " + hp['state']); - errorText += "Invalid values in state parameter. "; - } - // Validate token type - if (hp['token_type'].toLowerCase() !== "bearer") { - console.log("Expected token_type param 'bearer', but got " + hp['token_type']); - errorText += "Invalid values in token_type parameter. "; - } - // Unpack ID token and validate nonce, get username - if (hp['id_token']) { - var idToken = hp['id_token'].split("."); - if (idToken.length === 3) { - var payload = AuthenticationService.decodeJwtPart(idToken[1]); - if (!payload['nonce'] || payload['nonce'] !== sessionStorage.getItem("auth.nonce")) { - errorText += "Invalid 'nonce' value, possible attack detected. Please log in again. "; - } + $scope.authData = AuthenticationService.getAuthDataHeader(); + if (!validateState(hp['state'], expectedState)) { + $scope.error = "Problems with OpenID callback"; + $scope.errorDescription = errorText; + $scope.http401 = "true"; + sessionStorage.setItem("auth.state", "error"); + } + else { + // for backward compatibility default flow to 'implicit' + var flow = $scope.authData ? $scope.authData['authorization_flow'] : "implicit"; Review Comment: Have you considered to have this "default" happening in backend #1792 instead, meaning the frontend will always receive either `authorization_flow` or `implicit` in this var? ########## solr/webapp/web/js/angular/services.js: ########## @@ -286,8 +286,74 @@ solrAdminServices.factory('System', }) }]) .factory('AuthenticationService', - ['base64', function (base64) { - var service = {}; + ['base64', '$resource', function (base64, $resource) { + var service = {}; + + service.getOAuthTokens = function (url, data) { + var serializedData = serialize(data); + var resource = $resource(url, {}, { + getToken: { + method: 'POST', + timeout: 10000, + headers: { + 'Content-Type': 'application/x-www-form-urlencoded', + 'X-Requested-With': undefined // Set this header to undefined to prevent preflight requests + }, + transformResponse: function (data) { + return angular.fromJson(data); + } + } + }); + return resource.getToken({}, serializedData).$promise; + }; + + var codeChallengeMethod = "S256"; + service.getCodeChallengeMethod = function getCodeChallengeMethod() { + return codeChallengeMethod; + } + + service.generateCodeVerifier = function generateCodeVerifier() { + var codeVerifier = ''; + var possibleChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~'; + for (var i = 0; i < 96; i++) { + codeVerifier += possibleChars.charAt(Math.floor(Math.random() * possibleChars.length)); + } + return codeVerifier; + } + + service.generateCodeChallengeFromVerifier = async function generateCodeChallengeFromVerifier(v) { + var hashed = await sha256(v); + var base64encoded = base64urlencode(hashed); + return base64encoded; + } + + function sha256(str) { + const encoder = new TextEncoder(); + return window.crypto.subtle.digest("SHA-256", encoder.encode(str)); Review Comment: The [digest](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest) function is only available in secure context (https). I believe we have not required SSL to test JWT before, will this be changing that? I absolutely think we should require SSL for using auth, just trying to be explicit ########## solr/webapp/web/js/angular/controllers/login.js: ########## @@ -60,92 +60,169 @@ solrAdminApp.controller('LoginController', var hp = AuthenticationService.decodeHashParams(hash); var expectedState = sessionStorage.getItem("auth.stateRandom") + "_" + sessionStorage.getItem("auth.location"); sessionStorage.setItem("auth.state", "error"); - if (hp['access_token'] && hp['token_type'] && hp['state']) { - // Validate state - if (hp['state'] !== expectedState) { - $scope.error = "Problem with auth callback"; - console.log("Expected state param " + expectedState + " but got " + hp['state']); - errorText += "Invalid values in state parameter. "; - } - // Validate token type - if (hp['token_type'].toLowerCase() !== "bearer") { - console.log("Expected token_type param 'bearer', but got " + hp['token_type']); - errorText += "Invalid values in token_type parameter. "; - } - // Unpack ID token and validate nonce, get username - if (hp['id_token']) { - var idToken = hp['id_token'].split("."); - if (idToken.length === 3) { - var payload = AuthenticationService.decodeJwtPart(idToken[1]); - if (!payload['nonce'] || payload['nonce'] !== sessionStorage.getItem("auth.nonce")) { - errorText += "Invalid 'nonce' value, possible attack detected. Please log in again. "; - } + $scope.authData = AuthenticationService.getAuthDataHeader(); + if (!validateState(hp['state'], expectedState)) { + $scope.error = "Problems with OpenID callback"; + $scope.errorDescription = errorText; + $scope.http401 = "true"; + sessionStorage.setItem("auth.state", "error"); + } + else { + // for backward compatibility default flow to 'implicit' + var flow = $scope.authData ? $scope.authData['authorization_flow'] : "implicit"; + console.log("Callback: authorization_flow : " +flow); + var isCodePKCE = flow == 'code_pkce'; + if (isCodePKCE) { + // code flow with PKCE + console.debug("Callback. Using code flow with PKCE"); Review Comment: This debug and on line 115 would be redundant as the 'raw' flow is printed in line 73 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org