Add support for client-side OIDC redirect by UUID
changelog: Internal, OpenID Connect, Add support for client-side OIDC redirect

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
mitchellhenke and zachmargolis committed Dec 18, 2023
1 parent 5ad5455 commit c460a5f
Showing 6 changed files with 244 additions and 62 deletions.
20 changes: 14 additions & 6 deletions app/controllers/openid_connect/authorization_controller.rb
Expand Up @@ -76,7 +76,10 @@ def handle_successful_handoff
track_events
SpHandoffBounce::AddHandoffTimeToSession.call(sp_session)

redirect_user(@authorize_form.success_redirect_uri)
redirect_user(
@authorize_form.success_redirect_uri,
current_user.uuid,
)

delete_branded_experience
end
Expand Down Expand Up @@ -127,7 +130,7 @@ def pre_validate_authorize_form
if redirect_uri.nil?
render :error
else
redirect_user(redirect_uri)
redirect_user(redirect_uri, current_user&.uuid)
end
end

Expand Down Expand Up @@ -186,15 +189,20 @@ def track_events
track_billing_events
end

def redirect_user(redirect_uri)
case IdentityConfig.store.openid_connect_redirect
when :client_side
def redirect_user(redirect_uri, user_uuid)
redirect_method = IdentityConfig.store.openid_connect_redirect_uuid_override_map.fetch(
user_uuid,
IdentityConfig.store.openid_connect_redirect,
)

case redirect_method
when 'client_side'
@oidc_redirect_uri = redirect_uri
render(
'openid_connect/shared/redirect',
layout: false,
)
when :client_side_js
when 'client_side_js'
@oidc_redirect_uri = redirect_uri
render(
'openid_connect/shared/redirect_js',
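Review bot: The value pulled out of `openid_connect_redirect_uuid_override_map` by the new `fetch` at the top of `redirect_user` is never checked against the `server_side`/`client_side`/`client_side_js` set that `openid_connect_redirect` itself is validated with, so a typo or an explicit `null` in the map silently misses both `when` arms and takes whatever branch follows the hunk. A one-line guard after the lookup keeps that predictable: `redirect_method = IdentityConfig.store.openid_connect_redirect unless %w[server_side client_side client_side_js].include?(redirect_method)`. The method is also now duplicated verbatim in `OpenidConnect::LogoutController`; moving it and the allowed-value list into a shared controller concern would stop the two copies drifting. The `case` in `redirect_user` continues past the end of the hunk.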
17 changes: 11 additions & 6 deletions app/controllers/openid_connect/logout_controller.rb
Expand Up @@ -30,7 +30,7 @@ def delete
analytics.logout_initiated(**result.to_h.except(:redirect_uri))
irs_attempts_api_tracker.logout_initiated(success: result.success?)

redirect_user(redirect_uri)
redirect_user(redirect_uri, current_user&.uuid)
sign_out
else
render :error
Expand All @@ -39,15 +39,20 @@ def delete

private

def redirect_user(redirect_uri)
case IdentityConfig.store.openid_connect_redirect
when :client_side
def redirect_user(redirect_uri, user_uuid)
redirect_method = IdentityConfig.store.openid_connect_redirect_uuid_override_map.fetch(
user_uuid,
IdentityConfig.store.openid_connect_redirect,
)

case redirect_method
when 'client_side'
@oidc_redirect_uri = redirect_uri
render(
'openid_connect/shared/redirect',
layout: false,
)
when :client_side_js
when 'client_side_js'
@oidc_redirect_uri = redirect_uri
render(
'openid_connect/shared/redirect_js',
Expand Down Expand Up @@ -105,7 +110,7 @@ def handle_successful_logout_request(result, redirect_uri)

sign_out

redirect_user(redirect_uri)
redirect_user(redirect_uri, current_user&.uuid)
end
end

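Review bot: In `handle_successful_logout_request` the uuid is read only after `sign_out` has run (the `sign_out` two lines above the changed call), so if `sign_out` clears `current_user` — as the Devise helper does — `current_user&.uuid` is always nil on that path and the override map is never consulted for the post-logout redirect, unlike the `delete` action where `redirect_user` precedes `sign_out`. Capture it first: `user_uuid = current_user&.uuid` before `sign_out`, then `redirect_user(redirect_uri, user_uuid)`. The `redirect_user` copy here is byte-for-byte the one in `AuthorizationController`; a shared concern would remove the duplication. `handle_successful_logout_request` starts before this hunk, and the `case` in `redirect_user` continues beyond the second hunk.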
1 change: 1 addition & 0 deletions config/application.yml.default
Expand Up @@ -211,6 +211,7 @@ minimum_wait_before_another_usps_letter_in_hours: 24
mx_timeout: 3
openid_connect_redirect: client_side_js
openid_connect_content_security_form_action_enabled: false
openid_connect_redirect_uuid_override_map: '{}'
otp_delivery_blocklist_maxretry: 10
otp_valid_for: 10
otp_expiration_warning_seconds: 150
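Review bot: The new `openid_connect_redirect_uuid_override_map: '{}'` default gives no hint of the expected shape or that its values should be one of the `openid_connect_redirect` options, and a bad value is not rejected at boot, so a comment above the line is the only guidance an operator gets: `# JSON object of user UUID => redirect mode ('server_side', 'client_side' or 'client_side_js'); overrides openid_connect_redirect for that user only`. Since the map is keyed by production user UUIDs, it is also worth saying in the comment that it is intended for internal testing rather than as a per-customer setting, if that is the intent.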
8 changes: 6 additions & 2 deletions lib/identity_config.rb
Expand Up @@ -322,8 +322,12 @@ def self.build_store(config_map)
config.add(:nonessential_email_banlist, type: :json)
config.add(
:openid_connect_redirect,
type: :symbol,
enum: [:server_side, :client_side, :client_side_js],
type: :string,
enum: ['server_side', 'client_side', 'client_side_js'],
)
config.add(
:openid_connect_redirect_uuid_override_map,
type: :json,
)
config.add(:openid_connect_content_security_form_action_enabled, type: :boolean)
config.add(:otp_delivery_blocklist_findtime, type: :integer)
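Review bot: `openid_connect_redirect_uuid_override_map` is added as a bare `type: :json` with no constraint on its values, while the sibling `openid_connect_redirect` it overrides is restricted by `enum:`; a mistyped mode in the map is accepted at boot and only surfaces as an unexpected redirect branch for that one user. If `config.add` cannot validate JSON values, check the parsed map once the store is built (wherever `build_store` hands back the finished store): `bad = store.openid_connect_redirect_uuid_override_map.values - %w[server_side client_side client_side_js]` and `raise ArgumentError, "openid_connect_redirect_uuid_override_map has unsupported values: #{bad.inspect}" if bad.any?`. Changing `openid_connect_redirect` from `:symbol` to `:string` also changes what every reader sees, so any `== :client_side`-style comparison outside this diff would now be silently false and is worth a grep. `build_store` starts before this hunk.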
