fix(silent-signing): more security

AxaFrance · Mar 30, 2022 · e30289c · e30289c
1 parent 62f6cd6
commit e30289c
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 12 deletions.
diff --git a/packages/context/src/MultiAuth.tsx b/packages/context/src/MultiAuth.tsx
@@ -3,9 +3,7 @@ import {OidcProvider, useOidc, useOidcAccessToken} from "./oidc";
 import { configurationIdentityServer} from "./configurations";
 
 const MultiAuth = ( {configurationName, handleConfigurationChange }) => {
-
     const { login, logout, isLogged} = useOidc(configurationName);
-
     return (
         <div className="container-fluid mt-3">
             <div className="card">
@@ -22,7 +20,7 @@ const MultiAuth = ( {configurationName, handleConfigurationChange }) => {
                 </div>
             </div>
         </div>
-    )
+    );
 };
 
 if(!sessionStorage.configurationName){
@@ -34,8 +32,15 @@ export const MultiAuthContainer = () => {
     const callBack = window.location.origin+"/multi-auth/authentification/callback2";
     const silent_redirect_uri = window.location.origin+"/multi-auth/authentification/silent-callback2";
     const configurations = {
-        "config_1": {...configurationIdentityServer, redirect_uri:callBack, silent_redirect_uri},
-        "config_2": {...configurationIdentityServer, redirect_uri:callBack, silent_redirect_uri, scope: 'openid profile email api'}
+        config_1: {...configurationIdentityServer, 
+            redirect_uri:callBack, 
+            silent_redirect_uri,
+            scope: 'openid profile email api offline_access'
+        },
+        config_2: {...configurationIdentityServer, 
+            redirect_uri:callBack, 
+            silent_redirect_uri: "", 
+            scope: 'openid profile email api'}
     }
     const handleConfigurationChange = (event) => {
         const configurationName = event.target.value;
@@ -51,7 +56,6 @@ export const MultiAuthContainer = () => {
     );
 };
 
-
 const DisplayAccessToken = ({configurationName}) => {
     const{ accessToken, accessTokenPayload } = useOidcAccessToken(configurationName);
 

diff --git a/packages/context/src/oidc/vanilla/oidc.ts b/packages/context/src/oidc/vanilla/oidc.ts
@@ -11,11 +11,19 @@ import {
     TokenRequest
 } from '@openid/appauth';
 import {NoHashQueryStringUtils} from './noHashQueryStringUtils';
-import {initWorkerAsync, sleepAsync} from './initWorker'
+import {initWorkerAsync} from './initWorker'
 import {MemoryStorageBackend} from "./memoryStorageBackend";
 import {initSession} from "./initSession";
 import timer from './timer';
 
+const isInIframe = () => {
+    try {
+        return window.self !== window.top;
+    } catch (e) {
+        return true;
+    }
+}
+
 const idTokenPayload = (token) => {
     const base64Url = token.split('.')[1];
     const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
@@ -174,8 +182,6 @@ const eventNames = {
     silentSigninAsync_error: "silentSigninAsync_error",
 }
 
-let isSilentSignin = false;
-
 export class Oidc {
     public configuration: Configuration;
     public userInfo: null;
@@ -232,7 +238,9 @@ export class Oidc {
     static eventNames = eventNames;
 
     silentSigninCallbackFromIFrame(){
-        window.top.postMessage(`${this.configurationName}_oidc_tokens:${JSON.stringify(this.tokens)}`, window.location.origin);
+        if (this.configuration.silent_redirect_uri) {
+            window.top.postMessage(`${this.configurationName}_oidc_tokens:${JSON.stringify(this.tokens)}`, window.location.origin);
+        }
     }
     async silentSigninAsync() {
         if (!this.configuration.silent_redirect_uri) {
@@ -270,7 +278,7 @@ export class Oidc {
                         iframe.remove();
                         isResolved = true;
                     }
-                }, 8000);
+                }, 12000);
             } catch (e) {
                 iframe.remove();
                 reject(e);
@@ -345,7 +353,11 @@ export class Oidc {
             const url = callbackPath || location.pathname + (location.search || '') + (location.hash || '');
             const state = url;
             this.publishEvent(eventNames.loginAsync_begin, {});
-            const configuration = this.configuration;
+            const configuration = this.configuration
+            // Security we cannot loggin from Iframe
+            if (!configuration.silent_redirect_uri && isInIframe()) {
+                throw new Error("Login from iframe is forbidden");
+            }
             let serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
             const oidcServerConfiguration = await this.initAsync(configuration.authority);
             if(serviceWorker && installServiceWorker) {