From acfccd84ba8ea40f0bd3f431b39d8aff8a262d45 Mon Sep 17 00:00:00 2001
From: Yadd
Date: Mon, 6 Feb 2023 07:38:07 +0400
Subject: [PATCH 1/3] Include sid in OIDC tokens (#2862)
---
 .../NG/Portal/Issuer/OpenIDConnect.pm | 1 +
 .../Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
index 600e31a08d..7942ad7ea8 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
@@ -2488,6 +2488,7 @@ sub _generateIDToken {
 acr => $id_token_acr, # Authentication Context Class Reference
 azp => $client_id, # Authorized party, this is used for logout
 # TODO amr
+ sid => $self->getSidFromSession( $rp, $sessionInfo ), # Session id
 };
 for ( keys %{$extra_claims} ) {
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
index b995dadf36..ff8d1149e9 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -1115,6 +1115,7 @@ sub makeJWT {
 iat => time, # Issued time
 jti => $id, # Access Token session ID
 scope => $scope, # Scope
+ sid => $self->getSidFromSession( $rp, $sessionInfo ), # Session id
 };
 my $claims =
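Review bot: The sid added to the ID token has to be the same string for the whole life of this session with this RP — an RP matches the sid carried by a front- or back-channel logout message against the one it stored from the ID token — and the new value is whatever `$self->conf->{cipher}->encrypt(...)` returns for `_session_id:rp` at the moment each token is minted. If that cipher randomizes its IV per call (I cannot tell from the hunk), every token, and the front-channel logout URL built in the second patch, carries a different sid and RP-side logout never matches; a test asserting that two calls to getSidFromSession on the same session return an identical string would pin this down. Worth stating the invariant at the call site instead of the bare `# Session id`, e.g. `# Session id: must be identical in every token and logout message for this session + RP`. `_generateIDToken` starts before the hunk, so I am assuming `$rp` and `$sessionInfo` there are the RP key and the session hash the helper expects. The same two points apply to the makeJWT hunk in Lib/OpenIDConnect.pm.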
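Review bot: The trailing comment `# Session id` on the new makeJWT line reads like the `# Access Token session ID` on `jti` two lines above, and the two are different things: `jti` is the token's own identifier, `sid` is the portal session id encrypted together with the RP key by getSidFromSession. Suggest `# Encrypted (portal session id, RP) pair, see getSidFromSession` so the next maintainer does not treat them as interchangeable. This claim set also appears to be emitted for access tokens (per the `jti` comment), so the sid now travels to resource servers as well as to the RP; that is harmless as long as the ciphertext stays opaque to them, which is worth a sentence in the sub's documentation. makeJWT starts before the hunk.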
@@ -2432,6 +2433,26 @@ sub generateNonce {
 return encode_base64url( Crypt::URandom::urandom(16) );
 }
+sub getSidFromSession {
+ my ( $self, $rp, $sessionInfo ) = @_;
+ return $self->conf->{cipher}
+ ->encrypt( $sessionInfo->{_session_id} . ':' . $rp );
+}
+
+sub getSessionIdFromSid {
+ my ( $self, $sid, $rp ) = @_;
+ my $str = $self->conf->{cipher}->decrypt($sid);
+ unless ( $str and $str =~ /^(?.*?):(?.*)$/ ) {
+ $self->logger->error("Invalid sid: $sid");
+ return undef;
+ }
+ if ( $rp and $rp ne $+{rp} ) {
+ $self->logger->error( "RP id mismatch in sid: $rp != " . $+{rp} );
+ return undef;
+ }
+ return $+{id};
+}
+
 1;
 __END__
-- 
GitLab
From 7b84674e5e986087aff6ddef74ebc46632e09fd5 Mon Sep 17 00:00:00 2001
From: Yadd
Date: Mon, 6 Feb 2023 07:45:20 +0400
Subject: [PATCH 2/3] OIDC: use valid sid in Front-Channel (#2863)
---
 .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
index 7942ad7ea8..820c533639 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
@@ -2187,12 +2187,12 @@ sub logout {
 if ( $rpConf->{oidcRPMetaDataOptionsLogoutType} eq 'front' ) {
 if ( $rpConf->{oidcRPMetaDataOptionsLogoutSessionRequired} ) {
- my $user_id = $self->getUserIDForRP( $req, $rp,
- $req->{sessionInfo} );
 $url .= ( $url =~ /\?/ ? '&' : '?' )
 . build_urlencoded(
 iss => $self->iss,
- sid => $user_id
+ sid => $self->getSidFromSession(
+ $rp, $req->{sessionInfo}
+ )
 );
 }
 $req->info( qq'
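Review bot: getSessionIdFromSid only enforces the RP binding when `$rp` is supplied (`if ( $rp and $rp ne $+{rp} )`), so any caller that omits it will accept a sid minted for a different RP; since sid values arrive from the RP side, the check should be unconditional, `unless ( defined $rp and $rp eq $+{rp} ) { ... }`, or the sub's POD must state that an omitted `$rp` skips the binding check and is the caller's responsibility. If `decrypt` is unauthenticated this regex plus the RP comparison are the only integrity checks on the ciphertext, so the match should also be anchored with `\A`/`\z` rather than `^`/`$`, which still accepts a decrypted string ending in a newline; the capture names are rendered here as `(?.*?):(?.*)` and are presumably `(?<id>.*?):(?<rp>.*)` given the `$+{id}`/`$+{rp}` reads below. The two `return undef;` should be bare `return;` so list-context callers get an empty list rather than a one-element list holding undef. `$sid` is request-supplied and is written verbatim into the error log; logging its length or a digest avoids echoing arbitrary bytes into the log. getSidFromSession would also benefit from a POD line saying the value must be stable for the session/RP pair, which depends on the configured cipher being deterministic.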