Skip to content

Commit

Permalink
authenticate: fix identity provider id in encrypted query string (#4006)
Browse files Browse the repository at this point in the history 
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
  • Loading branch information
@calebdoxsey @wasaga
calebdoxsey and wasaga committed Feb 23, 2023
1 parent df54a0c commit 00c047b
Showing 1 changed file with 25 additions and 4 deletions.
29 changes: 25 additions & 4 deletions authenticate/handlers.go
View file
Expand Up @@ -133,7 +133,7 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
defer span.End()

state := a.state.Load()
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
idpID := a.getIdentityProviderIDForRequest(r)

sessionState, err := a.getSessionFromCtx(ctx)
if err != nil {
Expand Down Expand Up @@ -247,7 +247,7 @@ func (a *Authenticate) signOutRedirect(w http.ResponseWriter, r *http.Request) e
defer span.End()

options := a.options.Load()
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
idpID := a.getIdentityProviderIDForRequest(r)

authenticator, err := a.cfg.getIdentityProvider(options, idpID)
if err != nil {
Expand Down Expand Up @@ -304,7 +304,7 @@ func (a *Authenticate) reauthenticateOrFail(w http.ResponseWriter, r *http.Reque

state := a.state.Load()
options := a.options.Load()
idpID := r.FormValue(urlutil.QueryIdentityProviderID)
idpID := a.getIdentityProviderIDForRequest(r)

authenticator, err := a.cfg.getIdentityProvider(options, idpID)
if err != nil {
Expand Down Expand Up @@ -408,7 +408,7 @@ Or contact your administrator.
`, redirectURL.String(), redirectURL.String()))
}

idpID := redirectURL.Query().Get(urlutil.QueryIdentityProviderID)
idpID := a.getIdentityProviderIDForURLValues(redirectURL.Query())

authenticator, err := a.cfg.getIdentityProvider(options, idpID)
if err != nil {
Expand Down Expand Up @@ -588,3 +588,24 @@ func (a *Authenticate) saveCallbackSession(w http.ResponseWriter, r *http.Reques
}
return rawJWT, nil
}

func (a *Authenticate) getIdentityProviderIDForRequest(r *http.Request) string {
if err := r.ParseForm(); err != nil {
return ""
}
return a.getIdentityProviderIDForURLValues(r.Form)
}

func (a *Authenticate) getIdentityProviderIDForURLValues(vs url.Values) string {
state := a.state.Load()
idpID := ""
if _, requestParams, err := hpke.DecryptURLValues(state.hpkePrivateKey, vs); err == nil {
if idpID == "" {
idpID = requestParams.Get(urlutil.QueryIdentityProviderID)
}
}
if idpID == "" {
idpID = vs.Get(urlutil.QueryIdentityProviderID)
}
return idpID
}

0 comments on commit 00c047b

Please sign in to comment.