From e30289c41a50025eb28aa3fe2bbcf67a82bb8f16 Mon Sep 17 00:00:00 2001
From: guillaume chervet
Date: Wed, 30 Mar 2022 09:40:23 +0200
Subject: [PATCH] fix(silent-signing): more security

---
 packages/context/src/MultiAuth.tsx | 16 +++++++++------
 packages/context/src/oidc/vanilla/oidc.ts | 24 +++++++++++++++++------
 2 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/packages/context/src/MultiAuth.tsx b/packages/context/src/MultiAuth.tsx
index b34eacf8b..c6b1363ed 100644
--- a/packages/context/src/MultiAuth.tsx
+++ b/packages/context/src/MultiAuth.tsx
@@ -3,9 +3,7 @@ import {OidcProvider, useOidc, useOidcAccessToken} from "./oidc";
 import { configurationIdentityServer} from "./configurations";
 const MultiAuth = ( {configurationName, handleConfigurationChange }) => {
- const { login, logout, isLogged} = useOidc(configurationName);
-
 return (
@@ -22,7 +20,7 @@ const MultiAuth = ( {configurationName, handleConfigurationChange }) => {
- )
+ );
 };
 if(!sessionStorage.configurationName){
@@ -34,8 +32,15 @@ export const MultiAuthContainer = () => {
 const callBack = window.location.origin+"/multi-auth/authentification/callback2";
 const silent_redirect_uri = window.location.origin+"/multi-auth/authentification/silent-callback2";
 const configurations = {
- "config_1": {...configurationIdentityServer, redirect_uri:callBack, silent_redirect_uri},
- "config_2": {...configurationIdentityServer, redirect_uri:callBack, silent_redirect_uri, scope: 'openid profile email api'}
+ config_1: {...configurationIdentityServer,
+ redirect_uri:callBack,
+ silent_redirect_uri,
+ scope: 'openid profile email api offline_access'
+ },
+ config_2: {...configurationIdentityServer,
+ redirect_uri:callBack,
+ silent_redirect_uri: "",
+ scope: 'openid profile email api'}
 }
 const handleConfigurationChange = (event) => {
 const configurationName = event.target.value;
@@ -51,7 +56,6 @@ export const MultiAuthContainer = () => {
 );
 };
-
 const DisplayAccessToken = ({configurationName}) => {
 const{ accessToken, accessTokenPayload } = useOidcAccessToken(configurationName);
diff --git a/packages/context/src/oidc/vanilla/oidc.ts b/packages/context/src/oidc/vanilla/oidc.ts
index 3374569dc..ab0191a50 100644
--- a/packages/context/src/oidc/vanilla/oidc.ts
+++ b/packages/context/src/oidc/vanilla/oidc.ts
@@ -11,11 +11,19 @@ import { TokenRequest } from '@openid/appauth';
 import {NoHashQueryStringUtils} from './noHashQueryStringUtils';
-import {initWorkerAsync, sleepAsync} from './initWorker'
+import {initWorkerAsync} from './initWorker'
 import {MemoryStorageBackend} from "./memoryStorageBackend";
 import {initSession} from "./initSession";
 import timer from './timer';
+const isInIframe = () => {
+ try {
+ return window.self !== window.top;
+ } catch (e) {
+ return true;
+ }
+}
+
 const idTokenPayload = (token) => {
 const base64Url = token.split('.')[1];
 const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');
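Review bot: Requesting `offline_access` in config_1 puts a refresh token in the browser, and because silentSigninCallbackFromIFrame in oidc.ts (same patch) posts `JSON.stringify(this.tokens)` to `window.top`, that refresh token now travels through postMessage as well. People copy this sample, so the scope line deserves a comment such as `// offline_access: the provider issues a refresh token that is kept in the browser — only enable it for clients that need it`. `silent_redirect_uri: ""` in config_2 disables silent sign-in only because oidc.ts tests the value for truthiness; `silent_redirect_uri: undefined`, or a comment saying the empty string means "disabled", would state the intent instead of relying on that detail.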
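Review bot: isInIframe carries no comment explaining why a failure to read `window.top` is reported as "framed", yet loginAsync relies on this helper to refuse interactive login, so the fail-closed decision deserves a line such as `// If the frame hierarchy cannot be inspected, assume we are framed (fail closed).` Comparing `window.self` with `window.top` is allowed across origins in current browsers, so the try/catch is defensive rather than required; saying so in the comment stops a later cleanup from dropping the `return true`. A one-line JSDoc, `/** True when this document is rendered inside another document's frame. */`, would also help, since the helper is used far below its definition.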
@@ -174,8 +182,6 @@ const eventNames = {
 silentSigninAsync_error: "silentSigninAsync_error",
 }
-let isSilentSignin = false;
-
 export class Oidc {
 public configuration: Configuration;
 public userInfo: null;
@@ -232,7 +238,9 @@ export class Oidc {
 static eventNames = eventNames;
 silentSigninCallbackFromIFrame(){
- window.top.postMessage(`${this.configurationName}_oidc_tokens:${JSON.stringify(this.tokens)}`, window.location.origin);
+ if (this.configuration.silent_redirect_uri) {
+ window.top.postMessage(`${this.configurationName}_oidc_tokens:${JSON.stringify(this.tokens)}`, window.location.origin);
+ }
 }
 async silentSigninAsync() {
 if (!this.configuration.silent_redirect_uri) {
@@ -270,7 +278,7 @@ export class Oidc {
 iframe.remove();
 isResolved = true;
 }
- }, 8000);
+ }, 12000);
 } catch (e) {
 iframe.remove();
 reject(e);
@@ -345,7 +353,11 @@ export class Oidc {
 const url = callbackPath || location.pathname + (location.search || '') + (location.hash || '');
 const state = url;
 this.publishEvent(eventNames.loginAsync_begin, {});
- const configuration = this.configuration;
+ const configuration = this.configuration
+ // Security we cannot loggin from Iframe
+ if (!configuration.silent_redirect_uri && isInIframe()) {
+ throw new Error("Login from iframe is forbidden");
+ }
 let serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
 const oidcServerConfiguration = await this.initAsync(configuration.authority);
 if(serviceWorker && installServiceWorker) {
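Review bot: The guard added to silentSigninCallbackFromIFrame only checks that `silent_redirect_uri` is configured, so whenever it is set the method still posts the entire token set to `window.top` from whatever page calls it, framed or not. The `isInIframe()` helper introduced in this same patch lets the guard require the real silent-callback context instead: `const silentUri = this.configuration.silent_redirect_uri;` followed by `if (silentUri && isInIframe() && window.location.href.startsWith(silentUri)) {` (this assumes `silent_redirect_uri` is an absolute URL, as MultiAuth.tsx builds it from `window.location.origin`). The `window.location.origin` target origin keeps the message from reaching a cross-origin parent, but the message listener in silentSigninAsync (outside this hunk) should still check `event.origin` and that `event.source` is the silent iframe's window before parsing the payload.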
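Review bot: The iframe check in loginAsync still permits interactive login from any frame as soon as `silent_redirect_uri` is configured (config_1 in this patch), so a page that embeds the app keeps the ability to start the redirect flow unless the server also sends `Content-Security-Policy: frame-ancestors`. Limiting the exception to the silent-callback page — `if (isInIframe() && !(configuration.silent_redirect_uri && window.location.href.startsWith(configuration.silent_redirect_uri))) {` — keeps the silent iframe working (assuming it is loaded at `silent_redirect_uri`, which this hunk does not show) while refusing every other framed caller. The comment `// Security we cannot loggin from Iframe` should read `// Security: refuse interactive login inside an iframe; only the silent sign-in callback page may run it`, and the semicolon dropped from `const configuration = this.configuration` should be restored to match the surrounding lines. loginAsync continues past the end of the hunk.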