From 21f1ee6ac3d1994301ca3b30331f4dcf436648cc Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Fri, 7 Dec 2018 16:48:46 -0800
Subject: [PATCH 1/2] GUACAMOLE-805: Handle OpenID Connect "id_token" parameter regardless of location within URL fragment.
---
 .../src/main/resources/config/openidConfig.js | 21 -----------
 .../src/main/resources/transformToken.js | 36 +++++++++++++++++++
 2 files changed, 36 insertions(+), 21 deletions(-)
 create mode 100644 extensions/guacamole-auth-openid/src/main/resources/transformToken.js
diff --git a/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js b/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
index 12bc0dabb..5d0b6b22f 100644
--- a/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
+++ b/extensions/guacamole-auth-openid/src/main/resources/config/openidConfig.js
@@ -31,24 +31,3 @@ angular.module('guacOpenID').config(['formServiceProvider',
 });
 
 }]);
-
-/**
- * Config block which augments the existing routing, providing special handling
- * for the "id_token=" fragments provided by OpenID Connect.
- */
-angular.module('index').config(['$routeProvider',
- function indexRouteConfig($routeProvider) {
-
- // Transform "/#/id_token=..." to "/#/?id_token=..."
- $routeProvider.when('/id_token=:response', {
-
- template : '',
- controller : ['$location', function reroute($location) {
- var params = $location.path().substring(1);
- $location.url('/');
- $location.search(params);
- }]
-
- });
-
-}]);
diff --git a/extensions/guacamole-auth-openid/src/main/resources/transformToken.js b/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
new file mode 100644
index 000000000..7ebd18395
--- /dev/null
+++ b/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * Before AngularJS routing takes effect, test whether the URL fragment
+ * contains an OpenID Connect "id_token" parameter, and reformat the fragment
+ * such that the client side of Guacamole's authentication system will
+ * automatically forward the "id_token" value for server-side validation.
+ *
+ * Note that not all OpenID identity providers will include the "id_token"
+ * parameter in the first position; it may occur after several other parameters
+ * within the hash.
+ */
+(function guacOpenIDTransformToken() {
+
+ // Transform "/#id_token=..." to "/#/?id_token=..."
+ if (/(^#|&)id_token=/.test(location.hash))
+ location.hash = '/?' + location.hash.substring(1);
+
+})();
From fe7ef198512f625a653665007c345ecec2c5517b Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Sun, 2 Jun 2019 16:43:48 -0700
Subject: [PATCH 2/2] GUACAMOLE-805: Only reformat a URL fragment that appears to be from OpenID Connect if the fragment is not already in a format consumable by AngularJS ("#?..." or "#/?...").
---
 .../src/main/resources/transformToken.js | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
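Review bot: Assigning `location.hash` in guacOpenIDTransformToken adds a new session-history entry, so the raw `#id_token=...` URL delivered by the identity provider stays in history next to the rewritten one. Going Back would also land on a fragment AngularJS cannot route, since this script only runs at page load. Replacing the current entry avoids both: `location.replace('#/?' + location.hash.substring(1));`. Whether the AngularJS login flow later strips the parameter from the URL is not visible in this patch; the same assignment is carried unchanged as context in the PATCH 2/2 hunk.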
diff --git a/extensions/guacamole-auth-openid/src/main/resources/transformToken.js b/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
index 7ebd18395..b65d2fde4 100644
--- a/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
+++ b/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
@@ -18,19 +18,17 @@
 */
 
 /**
- * Before AngularJS routing takes effect, test whether the URL fragment
- * contains an OpenID Connect "id_token" parameter, and reformat the fragment
- * such that the client side of Guacamole's authentication system will
- * automatically forward the "id_token" value for server-side validation.
+ * Before AngularJS routing takes effect, reformat the URL fragment
+ * from the format used by OpenID Connect ("#param1=value1¶m2=value2&...")
+ * to the format used by AngularJS ("#/?param1=value1¶m2=value2&...") such
+ * that the client side of Guacamole's authentication system will automatically
+ * forward the "id_token" value for server-side validation.
 *
 * Note that not all OpenID identity providers will include the "id_token"
 * parameter in the first position; it may occur after several other parameters
- * within the hash.
+ * within the fragment.
 */
 (function guacOpenIDTransformToken() {
-
- // Transform "/#id_token=..." to "/#/?id_token=..."
- if (/(^#|&)id_token=/.test(location.hash))
+ if (/^#(?![?\/])(.*&)?id_token=/.test(location.hash))
 location.hash = '/?' + location.hash.substring(1);
-
 })();
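Review bot: The new condition `/^#(?![?\/])(.*&)?id_token=/` is left without an inline comment, because this hunk removes the old `// Transform ...` line and the reason for the `(?![?\/])` lookahead is now recorded only in the commit message. Since this test decides which fragments are forwarded as credentials, I would keep the intent next to it, e.g. `// Rewrite only raw OpenID fragments; leave "#?..." and "#/..." alone, as AngularJS already understands them`. A second line could say that `(.*&)?` lets "id_token" appear at the start of the fragment or after any "&", which matches the note in the doc comment above.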