GUACAMOLE-805: Merge more robust handling of OpenID "id_token" parameter

2025-09-06 05:07:41 +00:00 · 2019-06-02 20:18:53 -04:00
parent 2362cfcabe fe7ef19851
commit 0344ef30e4
2 changed files with 34 additions and 21 deletions
--- a/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
+++ b/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
@@ -31,24 +31,3 @@ angular.module('guacOpenID').config(['formServiceProvider',
    });

 }]);
-
-/**
- * Config block which augments the existing routing, providing special handling
- * for the "id_token=" fragments provided by OpenID Connect.
- */
-angular.module('index').config(['$routeProvider',
-        function indexRouteConfig($routeProvider) {
-
-    // Transform "/#/id_token=..." to "/#/?id_token=..."
-    $routeProvider.when('/id_token=:response', {
-
-        template   : '',
-        controller : ['$location', function reroute($location) {
-            var params = $location.path().substring(1);
-            $location.url('/');
-            $location.search(params);
-        }]
-
-    });
-
-}]);
--- a/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
+++ b/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * Before AngularJS routing takes effect, reformat the URL fragment
+ * from the format used by OpenID Connect ("#param1=value1&param2=value2&...")
+ * to the format used by AngularJS ("#/?param1=value1&param2=value2&...") such
+ * that the client side of Guacamole's authentication system will automatically
+ * forward the "id_token" value for server-side validation.
+ * 
+ * Note that not all OpenID identity providers will include the "id_token"
+ * parameter in the first position; it may occur after several other parameters
+ * within the fragment.
+ */
+(function guacOpenIDTransformToken() {
+    if (/^#(?![?\/])(.*&)?id_token=/.test(location.hash))
+        location.hash = '/?' + location.hash.substring(1);
+})();