Check logout redirect URI (#1233)
parent
52596eed9b
commit
318d43e07f
|
@ -27,7 +27,7 @@ our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaData
|
|||
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:Servic|Rul)e|ExportedVars)';
|
||||
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|Gateway|Renew|Icon|Url)|ExportedVars)';
|
||||
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|S(?:toreIDToken|cope)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
|
||||
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:I(?:DToken(?:Expiration|SignAlg)|con)|Logout(?:SessionRequired|Type|Url)|AccessTokenExpiration|R(?:edirectUris|ule)|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|ExportedVars)';
|
||||
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:(?:PostLogoutRedirectUri|ExtraClaim)s|I(?:DToken(?:Expiration|SignAlg)|con)|Logout(?:SessionRequired|Type|Url)|AccessTokenExpiration|R(?:edirectUris|ule)|Client(?:Secret|ID)|BypassConsent|DisplayName|UserIDAttr)|ExportedVars)';
|
||||
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding)|Force(?:Authn|UTF8)|NameIDFormat)|ExportedAttributes|XML)';
|
||||
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|ForceUTF8)|ExportedAttributes|XML)';
|
||||
our $virtualHostKeys = '(?:vhost(?:A(?:uthnLevel|liases)|(?:Maintenanc|Typ)e|Https|Port)|(?:exportedHeader|locationRule)s|post)';
|
||||
|
|
|
@ -27,7 +27,7 @@ sub types {
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -651,7 +651,7 @@ sub attributes {
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -1004,7 +1004,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval $s;
|
||||
my $err = join(
|
||||
|
@ -1086,7 +1086,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -1109,7 +1109,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -1432,7 +1432,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval $s;
|
||||
my $err = join(
|
||||
|
@ -1469,7 +1469,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -1807,6 +1807,9 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
'oidcRPMetaDataOptionsLogoutUrl' => {
|
||||
'type' => 'url'
|
||||
},
|
||||
'oidcRPMetaDataOptionsPostLogoutRedirectUris' => {
|
||||
'type' => 'text'
|
||||
},
|
||||
'oidcRPMetaDataOptionsRedirectUris' => {
|
||||
'type' => 'text'
|
||||
},
|
||||
|
@ -1817,7 +1820,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -2150,7 +2153,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
@ -2820,7 +2823,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
|
||||
BEGIN {
|
||||
${^WARNING_BITS} =
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55";
|
||||
"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05";
|
||||
}
|
||||
eval "$s $val";
|
||||
my $err = join(
|
||||
|
|
|
@ -2690,6 +2690,7 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
|||
{ type => 'keyTextContainer', default => {} },
|
||||
oidcRPMetaDataOptionsBypassConsent =>
|
||||
{ type => 'bool', help => 'openidconnectclaims.html', default => 0 },
|
||||
oidcRPMetaDataOptionsPostLogoutRedirectUris => { type => 'text', },
|
||||
oidcRPMetaDataOptionsLogoutUrl => {
|
||||
type => 'url',
|
||||
documentation => 'Logout URL',
|
||||
|
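Review bot: The new `oidcRPMetaDataOptionsPostLogoutRedirectUris` entry carries only `type => 'text'`, whereas its neighbour `oidcRPMetaDataOptionsLogoutUrl` also gets a `documentation` string, so the manager will show the key with no hint about its expected format. The portal hunk on this page splits the value on whitespace and compares each piece to `post_logout_redirect_uri` with an exact string match, which is worth stating to administrators: `oidcRPMetaDataOptionsPostLogoutRedirectUris => { type => 'text', documentation => 'Allowed post-logout redirect URIs (whitespace-separated, exact match)', },`. The surrounding attribute hash starts and ends outside the hunk.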
|
|
@ -204,6 +204,7 @@ sub cTrees {
|
|||
title => 'logout',
|
||||
form => 'simpleInputContainer',
|
||||
nodes => [
|
||||
'oidcRPMetaDataOptionsPostLogoutRedirectUris',
|
||||
'oidcRPMetaDataOptionsLogoutUrl',
|
||||
'oidcRPMetaDataOptionsLogoutType',
|
||||
'oidcRPMetaDataOptionsLogoutSessionRequired',
|
||||
|
|
|
@ -469,6 +469,11 @@ function templates(tpl,key) {
|
|||
},
|
||||
{
|
||||
"_nodes" : [
|
||||
{
|
||||
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPostLogoutRedirectUris",
|
||||
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPostLogoutRedirectUris",
|
||||
"title" : "oidcRPMetaDataOptionsPostLogoutRedirectUris"
|
||||
},
|
||||
{
|
||||
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutUrl",
|
||||
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutUrl",
|
||||
|
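Review bot: This templates() block appears to be the generated manager tree mirroring the CTrees change on this page rather than hand-written code, and only the node order is visible here. If it is generated, the relevant check is that the build regenerated it from the same CTrees revision so the Perl and JavaScript trees do not drift; no change is proposed to the hunk itself. The enclosing function starts and ends outside the hunk.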
|
|
@ -499,7 +499,8 @@
|
|||
"oidcOPMetaDataOptionsAcrValues": "ACR values",
|
||||
"oidcOPMetaDataOptionsIDTokenMaxAge": "ID Token max age",
|
||||
"oidcOPMetaDataOptionsUseNonce": "Use nonce",
|
||||
"oidcRPMetaDataOptionsRedirectUris": "Redirection addresses",
|
||||
"oidcRPMetaDataOptionsRedirectUris": "Allowed redirection addresses for login",
|
||||
"oidcRPMetaDataOptionsPostLogoutRedirectUris": "Allowed redirection addresses for logout",
|
||||
"oidcRPMetaDataOptionsExtraClaims": "Extra claims",
|
||||
"oidcServiceMetaDataIssuer": "Issuer identifier",
|
||||
"oidcServiceMetaDataTokenURI": "Token",
|
||||
|
|
|
@ -499,7 +499,8 @@
|
|||
"oidcOPMetaDataOptionsAcrValues": "Valeurs ACR",
|
||||
"oidcOPMetaDataOptionsIDTokenMaxAge": "Âge maximum du jeton ID",
|
||||
"oidcOPMetaDataOptionsUseNonce": "Utilisation du nonce",
|
||||
"oidcRPMetaDataOptionsRedirectUris": "Adresses de redirection",
|
||||
"oidcRPMetaDataOptionsRedirectUris": "Adresses de redirection autorisées pour la connexion",
|
||||
"oidcRPMetaDataOptionsPostLogoutRedirectUris": "Adresses de redirection autorisées pour la déconnexion",
|
||||
"oidcRPMetaDataOptionsExtraClaims": "Déclarations (scopes/claims)",
|
||||
"oidcServiceMetaDataIssuer": "Identifiant du fournisseur",
|
||||
"oidcServiceMetaDataTokenURI": "Jeton",
|
||||
|
|
|
@ -499,7 +499,8 @@
|
|||
"oidcOPMetaDataOptionsAcrValues": "Giá trị ACR",
|
||||
"oidcOPMetaDataOptionsIDTokenMaxAge": "Thời hạn ID Token",
|
||||
"oidcOPMetaDataOptionsUseNonce": "Sử dụng nonce",
|
||||
"oidcRPMetaDataOptionsRedirectUris": "Chuyển hướng địa chỉ",
|
||||
"oidcRPMetaDataOptionsRedirectUris": "Allowed redirection addresses for login",
|
||||
"oidcRPMetaDataOptionsPostLogoutRedirectUris": "Allowed redirection addresses for logout",
|
||||
"oidcRPMetaDataOptionsExtraClaims": "Xác nhận bổ sung",
|
||||
"oidcServiceMetaDataIssuer": "Định danh Người phát hành",
|
||||
"oidcServiceMetaDataTokenURI": "Token",
|
||||
|
|
|
@ -156,7 +156,8 @@ sub run {
|
|||
"Override $_ OIDC param by value present in request parameter"
|
||||
);
|
||||
$oidc_request->{$_} = $request->{$_};
|
||||
$self->p->setHiddenFormValue( $req, $_, $request->{$_}, '' );
|
||||
$self->p->setHiddenFormValue( $req, $_, $request->{$_},
|
||||
'' );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -794,6 +795,30 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
|
||||
if ($post_logout_redirect_uri) {
|
||||
|
||||
# Check redirect URI is allowed
|
||||
my $redirect_uri_allowed = 0;
|
||||
foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
|
||||
my $logout_rp = $_;
|
||||
my $redirect_uris =
|
||||
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
||||
->{oidcRPMetaDataOptionsPostLogoutRedirectUris};
|
||||
|
||||
foreach ( split( /\s+/, $redirect_uris ) ) {
|
||||
if ( $post_logout_redirect_uri eq $_ ) {
|
||||
$self->logger->debug(
|
||||
"$post_logout_redirect_uri is an allowed logout redirect URI for RP $logout_rp"
|
||||
);
|
||||
$redirect_uri_allowed = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
unless ($redirect_uri_allowed) {
|
||||
$self->logger->error(
|
||||
"$post_logout_redirect_uri is not allowed");
|
||||
return PE_BADURL;
|
||||
}
|
||||
|
||||
# Build Response
|
||||
my $response_url =
|
||||
$self->buildLogoutResponse( $post_logout_redirect_uri,
|
||||
|
@ -1168,6 +1193,29 @@ sub endSessionDone {
|
|||
|
||||
if ($post_logout_redirect_uri) {
|
||||
|
||||
# Check redirect URI is allowed
|
||||
my $redirect_uri_allowed = 0;
|
||||
foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
|
||||
my $logout_rp = $_;
|
||||
my $redirect_uris =
|
||||
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
||||
->{oidcRPMetaDataOptionsPostLogoutRedirectUris};
|
||||
|
||||
foreach ( split( /\s+/, $redirect_uris ) ) {
|
||||
if ( $post_logout_redirect_uri eq $_ ) {
|
||||
$self->logger->debug(
|
||||
"$post_logout_redirect_uri is an allowed logout redirect URI for RP $logout_rp"
|
||||
);
|
||||
$redirect_uri_allowed = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
unless ($redirect_uri_allowed) {
|
||||
$self->logger->error("$post_logout_redirect_uri is not allowed");
|
||||
return $self->p->login($req);
|
||||
}
|
||||
|
||||
# Build Response
|
||||
my $response_url =
|
||||
$self->buildLogoutResponse( $post_logout_redirect_uri, $state );
|
||||
|
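Review bot: In the new allow-list loop, `split( /\s+/, $redirect_uris )` runs for every configured RP, and `$redirect_uris` is undef for any RP that has no `oidcRPMetaDataOptionsPostLogoutRedirectUris` set, so each logout carrying a `post_logout_redirect_uri` emits a "Use of uninitialized value" warning per such RP; add `next unless $redirect_uris;` before the inner loop (the copy in `endSessionDone` has the same issue). The check also accepts a URI registered by any RP rather than the RP bound to the session or `id_token_hint`; if that RP is known at this point, restricting the lookup to it would follow the RP-initiated logout model more closely, but I cannot see from the hunks whether it is available. The two copies are line-for-line identical, so a single private helper would keep them in sync and make the undef guard a one-line fix; both enclosing subs start and end outside the hunks.
```perl
# Returns true if $uri is listed in oidcRPMetaDataOptionsPostLogoutRedirectUris
# of at least one configured RP (whitespace-separated, exact string match).
sub _isPostLogoutRedirectUriAllowed {
    my ( $self, $uri ) = @_;
    my $rp_options = $self->conf->{oidcRPMetaDataOptions} || {};
    foreach my $rp ( keys %$rp_options ) {
        my $uris =
          $rp_options->{$rp}->{oidcRPMetaDataOptionsPostLogoutRedirectUris}
          or next;    # RP has no post-logout URIs configured
        foreach my $allowed ( split /\s+/, $uris ) {
            if ( $allowed eq $uri ) {
                $self->logger->debug(
                    "$uri is an allowed logout redirect URI for RP $rp");
                return 1;
            }
        }
    }
    return 0;
}

# … in run(), replacing the inline loop (endSessionDone returns $self->p->login($req) instead) …
unless ( $self->_isPostLogoutRedirectUriAllowed($post_logout_redirect_uri) ) {
    $self->logger->error("$post_logout_redirect_uri is not allowed");
    return PE_BADURL;
}
```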
|
|
@ -295,7 +295,8 @@ sub op {
|
|||
oidcRPMetaDataOptionsBypassConsent => 0,
|
||||
oidcRPMetaDataOptionsClientSecret => "rpsecret",
|
||||
oidcRPMetaDataOptionsUserIDAttr => "",
|
||||
oidcRPMetaDataOptionsAccessTokenExpiration => 3600
|
||||
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
|
||||
oidcRPMetaDataOptionsPostLogoutRedirectUris => "http://auth.rp.com"
|
||||
}
|
||||
},
|
||||
oidcOPMetaDataOptions => {},
|
||||
|
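Review bot: The fixture now registers `http://auth.rp.com` as the only allowed post-logout URI, but nothing in this hunk exercises the rejection path; if the test file does not already do so elsewhere, a request with a `post_logout_redirect_uri` absent from the list, asserting the error or login response, would pin the new check. A second value that merely shares the prefix, e.g. `http://auth.rp.com/other`, would additionally confirm that the comparison is exact rather than prefix-based. The enclosing `sub op` starts and ends outside the hunk.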
|