Implement oidc #628
Open
Implement oidc #628
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
FireMasterK
reviewed
Jun 18, 2023
# Conflicts: # build.gradle
FireMasterK
requested changes
Oct 25, 2023
|
I have cleaned up the code and made sure everything works. Here are a few things worth mentioning:
Please let me know if there are any questions or concerns. I have tested this and from my view this could be merged edit: Found the alternative for |
FireMasterK
reviewed
Nov 17, 2024
FireMasterK
reviewed
Nov 17, 2024
src/main/java/me/kavin/piped/server/handlers/auth/UserHandlers.java
Outdated
Show resolved
Hide resolved
FireMasterK
reviewed
Nov 18, 2024
src/main/java/me/kavin/piped/server/handlers/auth/UserHandlers.java
Outdated
Show resolved
Hide resolved
Bnyro
reviewed
Jan 8, 2025
Comment on lines
+537
to
+541
| for (int i = 0; i < Constants.OIDC_PROVIDERS.size(); i++) { | ||
| OidcProvider curr = Constants.OIDC_PROVIDERS.get(i); | ||
| if (curr == null || !curr.name.equals(provider)) continue; | ||
| return curr; | ||
| } |
There was a problem hiding this comment.
Suggested change
| for (int i = 0; i < Constants.OIDC_PROVIDERS.size(); i++) { | |
| OidcProvider curr = Constants.OIDC_PROVIDERS.get(i); | |
| if (curr == null || !curr.name.equals(provider)) continue; | |
| return curr; | |
| } | |
| for (OidcProvider curr : Constants.OIDC_PROVIDERS) { | |
| if (curr != null && curr.name.equals(provider)) return curr; | |
| } | |
Bnyro
reviewed
Jan 8, 2025
| .state(new State(state)) | ||
| .nonce(data.getOidNonce()).build(); | ||
|
|
||
| if (redirectUri.equals(Constants.FRONTEND_URL + "/login")) { |
There was a problem hiding this comment.
We probably shouldn't hardcode the url path here, maybe it makes sense to parse the domain of the redirectUri and see if equals Constants.FRONTEND_URL? Or we could just do a redirectUri.startsWith(Constants.FRONTEND_URL + "/").
Bnyro
reviewed
Jan 8, 2025
| return HttpResponse.ok200().withHtml( | ||
| "<!DOCTYPE html><html style=\"color-scheme: dark light;\"><body>" + | ||
| "<h3>Warning:</h3> You are trying to give <pre style=\"font-size: 1.2rem;\">" + | ||
| redirectUri + |
There was a problem hiding this comment.
redirectUri needs to be HTML escaped or checked if it's a real URL, otherwise that would allow HTML injection.
Bnyro
reviewed
Jan 8, 2025
|
|
||
| OidcData data = DatabaseHelper.getOidcData(authResponse.getState().toString()); | ||
| if (data == null) { | ||
| return HttpResponse.ofCode(400).withHtml( |
There was a problem hiding this comment.
Since we don't provide any styling or color-scheme: dark light;, withPlainText would probably be better to not become flashed in dark mode
Bnyro
reviewed
Jan 8, 2025
| AuthorizationCode code = authResponse.getAuthorizationCode(); | ||
|
|
||
| if (code == null) { | ||
| return HttpResponse.ofCode(400).withHtml( |
Bnyro
reviewed
Jan 8, 2025
Comment on lines
+210
to
+213
| return HttpResponse.ofCode(400).withHtml("Received a bad token. Please try again"); | ||
| } catch (JOSEException e) { | ||
| System.err.println("Token processing error: " + e); | ||
| return HttpResponse.ofCode(500).withHtml("Internal processing error. Please try again"); |
Bnyro
reviewed
Jan 8, 2025
| UserInfoResponse userInfoResponse = UserInfoResponse.parse(ur.toHTTPRequest().send()); | ||
|
|
||
| if (!userInfoResponse.indicatesSuccess()) { | ||
| return HttpResponse.ofCode(500).withHtml( |
Bnyro
reviewed
Jan 8, 2025
|
|
||
| cr.select(root).where(root.get("sub").in(sub)); | ||
|
|
||
| OidcUserData dbuser = s.createQuery(cr).uniqueResult(); |
There was a problem hiding this comment.
nit:
Suggested change
| OidcUserData dbuser = s.createQuery(cr).uniqueResult(); | |
| OidcUserData dbUser = s.createQuery(cr).uniqueResult(); |
Bnyro
reviewed
Jan 8, 2025
Comment on lines
+283
to
+288
| for (OidcProvider oidcProvider : Constants.OIDC_PROVIDERS) { | ||
| if (oidcProvider.name.equals(oidcUserData.getProvider())) { | ||
| provider = oidcProvider; | ||
| break; | ||
| } | ||
| } |
There was a problem hiding this comment.
Suggested change
| for (OidcProvider oidcProvider : Constants.OIDC_PROVIDERS) { | |
| if (oidcProvider.name.equals(oidcUserData.getProvider())) { | |
| provider = oidcProvider; | |
| break; | |
| } | |
| } | |
| provider = ServerLauncher.getOidcProvider(oicdUserDate.getProvider()); |
Bnyro
reviewed
Jan 8, 2025
Comment on lines
+322
to
+369
| AuthenticationSuccessResponse sr = parseOidcUri(requestUri); | ||
|
|
||
| OidcData data = DatabaseHelper.getOidcData(sr.getState().toString()); | ||
|
|
||
| if (data == null) { | ||
| return HttpResponse.ofCode(400).withHtml( | ||
| "Your oidc provider sent invalid state data. Try again or contact your oidc admin" | ||
| ); | ||
| } | ||
|
|
||
| String redirect = data.data.split("\\|")[1]; | ||
| String session = data.data.split("\\|")[0]; | ||
|
|
||
| URI callback = new URI(Constants.PUBLIC_URL + "/oidc/" + provider.name + "/delete"); | ||
| AuthorizationCode code = sr.getAuthorizationCode(); | ||
|
|
||
| if (code == null) { | ||
| return HttpResponse.ofCode(400).withHtml( | ||
| "Your oidc provider sent an invalid code. Try again or contact your oidc admin" | ||
| ); | ||
| } | ||
|
|
||
| AuthorizationGrant codeGrant = new AuthorizationCodeGrant(code, callback, data.getOidVerifier()); | ||
|
|
||
| ClientAuthentication clientAuth = new ClientSecretBasic(provider.clientID, provider.clientSecret); | ||
|
|
||
| TokenRequest tokenRequest = new TokenRequest.Builder(provider.tokenUri, clientAuth, codeGrant).build(); | ||
| TokenResponse tokenResponse = OIDCTokenResponseParser.parse(tokenRequest.toHTTPRequest().send()); | ||
|
|
||
| if (!tokenResponse.indicatesSuccess()) { | ||
| TokenErrorResponse errorResponse = tokenResponse.toErrorResponse(); | ||
| return HttpResponse.ofCode(500).withHtml("Failure while trying to request token:\n\n" + errorResponse.getErrorObject().getDescription()); | ||
| } | ||
|
|
||
| OIDCTokenResponse successResponse = (OIDCTokenResponse) tokenResponse.toSuccessResponse(); | ||
|
|
||
| JWT idToken = JWTParser.parse(successResponse.getOIDCTokens().getIDTokenString()); | ||
|
|
||
| IDTokenClaimsSet claims; | ||
| try { | ||
| claims = provider.validator.validate(idToken, data.getOidNonce()); | ||
| } catch (BadJOSEException e) { | ||
| System.err.println("Invalid token received: " + e); | ||
| return HttpResponse.ofCode(400).withHtml("Received a bad token. Please try again"); | ||
| } catch (JOSEException e) { | ||
| System.err.println("Token processing error: " + e); | ||
| return HttpResponse.ofCode(500).withHtml("Internal processing error. Please try again"); | ||
| } |
There was a problem hiding this comment.
That's just a lot of duplicate code from oidcLoginCallback, it would certainly make sense to refactor the common code into a new method.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
see TeamPiped/Piped#2571