From fe7ef198512f625a653665007c345ecec2c5517b Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Sun, 2 Jun 2019 16:43:48 -0700
Subject: [PATCH] GUACAMOLE-805: Only reformat a URL fragment that appears to be from OpenID Connect if the fragment is not already in a format consumable by AngularJS ("#?..." or "#/?...").
---
 .../src/main/resources/transformToken.js | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/extensions/guacamole-auth-openid/src/main/resources/transformToken.js b/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
index 7ebd18395..b65d2fde4 100644
--- a/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
+++ b/extensions/guacamole-auth-openid/src/main/resources/transformToken.js
@@ -18,19 +18,17 @@
 */

 /**
- * Before AngularJS routing takes effect, test whether the URL fragment
- * contains an OpenID Connect "id_token" parameter, and reformat the fragment
- * such that the client side of Guacamole's authentication system will
- * automatically forward the "id_token" value for server-side validation.
+ * Before AngularJS routing takes effect, reformat the URL fragment
+ * from the format used by OpenID Connect ("#param1=value1¶m2=value2&...")
+ * to the format used by AngularJS ("#/?param1=value1¶m2=value2&...") such
+ * that the client side of Guacamole's authentication system will automatically
+ * forward the "id_token" value for server-side validation.
 *
 * Note that not all OpenID identity providers will include the "id_token"
 * parameter in the first position; it may occur after several other parameters
- * within the hash.
+ * within the fragment.
 */
 (function guacOpenIDTransformToken() {
-
-
- // Transform "/#id_token=..." to "/#/?id_token=..."
- if (/(^#|&)id_token=/.test(location.hash))
+ if (/^#(?![?\/])(.*&)?id_token=/.test(location.hash))
 location.hash = '/?' + location.hash.substring(1);
-
 })();
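Review bot: The new test `/^#(?![?\/])(.*&)?id_token=/` in guacOpenIDTransformToken has no inline explanation: the hunk deletes the only comment inside the function, and the rewritten docblock never states the condition under which the fragment is left alone. The lookahead `(?![?\/])` also skips every fragment that begins with `#/`, not only `#/?...` as the commit subject says; that looks intentional, since AngularJS routes start with `/`, but it should be written down because this decides which fragments carrying an `id_token` get forwarded for validation. I would add above the `if`: `// Leave "#?..." and "#/..." untouched (already AngularJS form); rewrite only raw OpenID fragments such as "#state=x&id_token=..."`. Separately, the unchanged assignment to `location.hash` presumably adds a session-history entry, so the original token-bearing URL may stay reachable via the back button; worth confirming whether a replace-style navigation is wanted here.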