janhoy commented on code in PR #1791: URL: https://github.com/apache/solr/pull/1791#discussion_r1296130713
########## solr/webapp/web/js/angular/controllers/login.js: ########## @@ -60,92 +60,169 @@ solrAdminApp.controller('LoginController', var hp = AuthenticationService.decodeHashParams(hash); var expectedState = sessionStorage.getItem("auth.stateRandom") + "_" + sessionStorage.getItem("auth.location"); sessionStorage.setItem("auth.state", "error"); - if (hp['access_token'] && hp['token_type'] && hp['state']) { - // Validate state - if (hp['state'] !== expectedState) { - $scope.error = "Problem with auth callback"; - console.log("Expected state param " + expectedState + " but got " + hp['state']); - errorText += "Invalid values in state parameter. "; - } - // Validate token type - if (hp['token_type'].toLowerCase() !== "bearer") { - console.log("Expected token_type param 'bearer', but got " + hp['token_type']); - errorText += "Invalid values in token_type parameter. "; - } - // Unpack ID token and validate nonce, get username - if (hp['id_token']) { - var idToken = hp['id_token'].split("."); - if (idToken.length === 3) { - var payload = AuthenticationService.decodeJwtPart(idToken[1]); - if (!payload['nonce'] || payload['nonce'] !== sessionStorage.getItem("auth.nonce")) { - errorText += "Invalid 'nonce' value, possible attack detected. Please log in again. "; - } + $scope.authData = AuthenticationService.getAuthDataHeader(); + if (!validateState(hp['state'], expectedState)) { + $scope.error = "Problems with OpenID callback"; + $scope.errorDescription = errorText; + $scope.http401 = "true"; + sessionStorage.setItem("auth.state", "error"); + } + else { + // for backward compatibility default flow to 'implicit' + var flow = $scope.authData ? $scope.authData['authorization_flow'] : "implicit"; + console.log("Callback: authorization_flow : " +flow); + var isCodePKCE = flow == 'code_pkce'; + if (isCodePKCE) { + // code flow with PKCE + console.debug("Callback. Using code flow with PKCE"); + var code = hp['code']; + var tokenEndpoint = $scope.authData['tokenEndpoint']; + // concurrent Solr API calls will trigger 401 and erase session's "auth.realm" in app.js + // save it before it's erased + var authRealm = sessionStorage.getItem("auth.realm"); + + var data = { + 'grant_type': 'authorization_code', + 'code': code, + 'redirect_uri': $window.location.href.split('#')[0], + 'scope': "openid " + $scope.authData['scope'], + 'code_verifier': sessionStorage.getItem('codeVerifier'), + "client_id": $scope.authData['client_id'] + }; - if (errorText === "") { - sessionStorage.setItem("auth.username", payload['sub']); - sessionStorage.setItem("auth.header", "Bearer " + hp['access_token']); - sessionStorage.removeItem("auth.statusText"); - sessionStorage.removeItem("auth.stateRandom"); - sessionStorage.removeItem("auth.wwwAuthHeader"); - console.log("User " + payload['sub'] + " is logged in"); - var redirectTo = sessionStorage.getItem("auth.location"); - console.log("Redirecting to stored location " + redirectTo); - sessionStorage.setItem("auth.state", "authenticated"); - sessionStorage.removeItem("http401"); - $location.path(redirectTo).hash(""); + console.debug(`Callback. Got code: ${code} \nCalling token endpoint:: ${tokenEndpoint} `); + AuthenticationService.getOAuthTokens(tokenEndpoint, data).then(function(response) { Review Comment: > One outstanding question is: how can we incorporate the /token URL into the list of allowed URLs in the CSP connect-src directive? For now, this is manually added in server/etc/jetty.xml.’ Yea, we need backend to be able to generate CSP header dynamically (now it is set statically in `jetty.xml`). Let's explore that. ########## solr/webapp/web/js/angular/controllers/login.js: ########## @@ -60,92 +60,169 @@ solrAdminApp.controller('LoginController', var hp = AuthenticationService.decodeHashParams(hash); var expectedState = sessionStorage.getItem("auth.stateRandom") + "_" + sessionStorage.getItem("auth.location"); sessionStorage.setItem("auth.state", "error"); - if (hp['access_token'] && hp['token_type'] && hp['state']) { - // Validate state - if (hp['state'] !== expectedState) { - $scope.error = "Problem with auth callback"; - console.log("Expected state param " + expectedState + " but got " + hp['state']); - errorText += "Invalid values in state parameter. "; - } - // Validate token type - if (hp['token_type'].toLowerCase() !== "bearer") { - console.log("Expected token_type param 'bearer', but got " + hp['token_type']); - errorText += "Invalid values in token_type parameter. "; - } - // Unpack ID token and validate nonce, get username - if (hp['id_token']) { - var idToken = hp['id_token'].split("."); - if (idToken.length === 3) { - var payload = AuthenticationService.decodeJwtPart(idToken[1]); - if (!payload['nonce'] || payload['nonce'] !== sessionStorage.getItem("auth.nonce")) { - errorText += "Invalid 'nonce' value, possible attack detected. Please log in again. "; - } + $scope.authData = AuthenticationService.getAuthDataHeader(); + if (!validateState(hp['state'], expectedState)) { + $scope.error = "Problems with OpenID callback"; + $scope.errorDescription = errorText; + $scope.http401 = "true"; + sessionStorage.setItem("auth.state", "error"); + } + else { + // for backward compatibility default flow to 'implicit' + var flow = $scope.authData ? $scope.authData['authorization_flow'] : "implicit"; + console.log("Callback: authorization_flow : " +flow); + var isCodePKCE = flow == 'code_pkce'; + if (isCodePKCE) { + // code flow with PKCE + console.debug("Callback. Using code flow with PKCE"); + var code = hp['code']; + var tokenEndpoint = $scope.authData['tokenEndpoint']; + // concurrent Solr API calls will trigger 401 and erase session's "auth.realm" in app.js + // save it before it's erased + var authRealm = sessionStorage.getItem("auth.realm"); + + var data = { + 'grant_type': 'authorization_code', + 'code': code, + 'redirect_uri': $window.location.href.split('#')[0], + 'scope': "openid " + $scope.authData['scope'], + 'code_verifier': sessionStorage.getItem('codeVerifier'), + "client_id": $scope.authData['client_id'] + }; - if (errorText === "") { - sessionStorage.setItem("auth.username", payload['sub']); - sessionStorage.setItem("auth.header", "Bearer " + hp['access_token']); - sessionStorage.removeItem("auth.statusText"); - sessionStorage.removeItem("auth.stateRandom"); - sessionStorage.removeItem("auth.wwwAuthHeader"); - console.log("User " + payload['sub'] + " is logged in"); - var redirectTo = sessionStorage.getItem("auth.location"); - console.log("Redirecting to stored location " + redirectTo); - sessionStorage.setItem("auth.state", "authenticated"); - sessionStorage.removeItem("http401"); - $location.path(redirectTo).hash(""); + console.debug(`Callback. Got code: ${code} \nCalling token endpoint:: ${tokenEndpoint} `); + AuthenticationService.getOAuthTokens(tokenEndpoint, data).then(function(response) { Review Comment: > One outstanding question is: how can we incorporate the /token URL into the list of allowed URLs in the CSP connect-src directive? For now, this is manually added in server/etc/jetty.xml.’ Yea, we need backend to be able to generate CSP header dynamically (now it is set statically in `jetty.xml`). Let's explore that. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org