Add config option to bypass cookie checking on SSO callback.
Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
@@ -301,24 +301,28 @@ pub(crate) async fn sso_callback_route(
|
||||
return Err!(Request(Unauthorized("Authorization grant session has expired.")));
|
||||
}
|
||||
|
||||
let cookie = body
|
||||
.cookie
|
||||
.get(GRANT_SESSION_COOKIE)
|
||||
.map(Cookie::value)
|
||||
.map(serde_html_form::from_str::<GrantCookie<'_>>)
|
||||
.transpose()?
|
||||
.ok_or_else(|| err!(Request(Unauthorized("Missing cookie {GRANT_SESSION_COOKIE:?}"))))?;
|
||||
if provider.check_cookie {
|
||||
let cookie = body
|
||||
.cookie
|
||||
.get(GRANT_SESSION_COOKIE)
|
||||
.map(Cookie::value)
|
||||
.map(serde_html_form::from_str::<GrantCookie<'_>>)
|
||||
.transpose()?
|
||||
.ok_or_else(|| {
|
||||
err!(Request(Unauthorized("Missing cookie {GRANT_SESSION_COOKIE:?}")))
|
||||
})?;
|
||||
|
||||
if cookie.client_id.as_ref() != client_id.as_str() {
|
||||
return Err!(Request(Unauthorized("Client ID {client_id:?} cookie mismatch.")));
|
||||
}
|
||||
if cookie.client_id.as_ref() != client_id.as_str() {
|
||||
return Err!(Request(Unauthorized("Client ID {client_id:?} cookie mismatch.")));
|
||||
}
|
||||
|
||||
if Some(cookie.nonce.as_ref()) != session.cookie_nonce.as_deref() {
|
||||
return Err!(Request(Unauthorized("Cookie nonce does not match session state.")));
|
||||
}
|
||||
if Some(cookie.nonce.as_ref()) != session.cookie_nonce.as_deref() {
|
||||
return Err!(Request(Unauthorized("Cookie nonce does not match session state.")));
|
||||
}
|
||||
|
||||
if cookie.state.as_ref() != sess_id {
|
||||
return Err!(Request(Unauthorized("Session ID {sess_id:?} cookie mismatch.")));
|
||||
if cookie.state.as_ref() != sess_id {
|
||||
return Err!(Request(Unauthorized("Session ID {sess_id:?} cookie mismatch.")));
|
||||
}
|
||||
}
|
||||
|
||||
// Request access token.
|
||||
|
||||
@@ -2768,6 +2768,15 @@ pub struct IdentityProvider {
|
||||
/// default: 300
|
||||
#[serde(default = "default_sso_grant_session_duration")]
|
||||
pub grant_session_duration: Option<u64>,
|
||||
|
||||
/// Whether to check the redirect cookie during the callback. This is a
|
||||
/// security feature and should remain enabled. This is available for
|
||||
/// developers or deployments which cannot tolerate cookies and are willing
|
||||
/// to tolerate the risks.
|
||||
///
|
||||
/// default: true
|
||||
#[serde(default = "true_fn")]
|
||||
pub check_cookie: bool,
|
||||
}
|
||||
|
||||
impl IdentityProvider {
|
||||
|
||||
@@ -2378,6 +2378,13 @@
|
||||
#
|
||||
#grant_session_duration = 300
|
||||
|
||||
# Whether to check the redirect cookie during the callback. This is a
|
||||
# security feature and should remain enabled. This is available for
|
||||
# developers or deployments which cannot tolerate cookies and are willing
|
||||
# to tolerate the risks.
|
||||
#
|
||||
#check_cookie = true
|
||||
|
||||
|
||||
|
||||
#[global.appservice.<ID>]
|
||||
|
||||
Reference in New Issue
Block a user