Remove legacy CSRF protection for approve page
Instead, we rely on the Spring Security CSRF protection, like we already do for the login page. Additionally, we remove the authentication check in `isApproved`, because this is already done by Spring Security (and if not, we have bigger problems to worry about).pull/932/head
parent
8b362f23f3
commit
b5c298e0ca
|
@ -260,8 +260,8 @@
|
|||
</h3>
|
||||
<spring:message code="approve.label.authorize" var="authorize_label"/>
|
||||
<spring:message code="approve.label.deny" var="deny_label"/>
|
||||
<input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" />
|
||||
<input name="csrf" value="${ csrf }" type="hidden" />
|
||||
<input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" />
|
||||
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
|
||||
<input name="authorize" value="${authorize_label}" type="submit"
|
||||
onclick="$('#user_oauth_approval').attr('value',true)" class="btn btn-success btn-large" />
|
||||
|
||||
|
|
|
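Review bot: The new hidden input `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />` only protects the approval form if Spring Security's CsrfFilter is actually applied to the filter chain that serves this form's POST target; the security configuration is not part of this commit, so that cannot be confirmed from the hunk. If the `_csrf` request attribute is not populated, both EL expressions evaluate to empty strings and the form posts a blank token parameter, which is rejected only when the filter is in fact enforcing. I would record the dependency next to the input, `<%-- token is populated by Spring Security's CsrfFilter; this form has no other CSRF defense --%>`, so a later change to the filter chain is recognized as affecting this page.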
@ -57,7 +57,6 @@ import com.google.common.base.Strings;
|
|||
import com.google.common.collect.Sets;
|
||||
import com.google.gson.JsonObject;
|
||||
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.CSRF;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_SEPARATOR;
|
||||
|
||||
|
@ -221,9 +220,6 @@ public class OAuthConfirmationController {
|
|||
model.put("gras", false);
|
||||
}
|
||||
|
||||
// inject a random value for CSRF purposes
|
||||
model.put("csrf", authRequest.getExtensions().get(CSRF));
|
||||
|
||||
return "approve";
|
||||
}
|
||||
|
||||
|
|
|
@ -55,7 +55,6 @@ import com.nimbusds.jwt.SignedJWT;
|
|||
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.CLAIMS;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.CLIENT_ID;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.CSRF;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.DISPLAY;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.LOGIN_HINT;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.MAX_AGE;
|
||||
|
@ -157,13 +156,6 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
// add CSRF protection to the request on first parse
|
||||
String csrf = UUID.randomUUID().toString();
|
||||
request.getExtensions().put(CSRF, csrf);
|
||||
|
||||
|
||||
|
||||
return request;
|
||||
}
|
||||
|
||||
|
|
|
@ -38,7 +38,6 @@ public interface ConnectRequestParameters {
|
|||
public String PROMPT_SEPARATOR = " ";
|
||||
|
||||
// extensions
|
||||
public String CSRF = "csrf";
|
||||
public String APPROVED_SITE = "approved_site";
|
||||
|
||||
// responses
|
||||
|
|
|
@ -48,7 +48,6 @@ import com.google.common.base.Strings;
|
|||
import com.google.common.collect.Sets;
|
||||
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.APPROVED_SITE;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.CSRF;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT;
|
||||
import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_SEPARATOR;
|
||||
|
||||
|
@ -102,21 +101,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
|
|||
return true;
|
||||
} else {
|
||||
// if not, check to see if the user has approved it
|
||||
if (Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"))) { // TODO: make parameter name configurable?
|
||||
|
||||
// check the value of the CSRF parameter
|
||||
|
||||
if (authorizationRequest.getExtensions().get(CSRF) != null) {
|
||||
if (authorizationRequest.getExtensions().get(CSRF).equals(authorizationRequest.getApprovalParameters().get(CSRF))) {
|
||||
|
||||
// make sure the user is actually authenticated
|
||||
return userAuthentication.isAuthenticated();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// if the above doesn't pass, it's not yet approved
|
||||
return false;
|
||||
// TODO: make parameter name configurable?
|
||||
return Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
|
||||
}
|
||||
|
||||
}
|
||||
|
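Review bot: After this change the user-approval branch of `isApproved` reduces to `return Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));`, so `userAuthentication` is no longer consulted here and the request-bound token comparison is gone; the only remaining defense against a forged approval POST is Spring Security's CSRF filter on the authorization endpoint, which this commit does not show. That matches the commit description, but the assumption should be stated in the code so that a later exclusion of the authorize endpoint from the CSRF filter is recognized as a security regression rather than a harmless config tweak. I would add above the return: `// CSRF and authentication are enforced upstream by Spring Security (CsrfFilter and the endpoint's authentication rule); nothing here re-checks them.` The same applies to the `updateAfterApproval` hunk at `@ -195,9 +181,7`, whose condition is now just the approval flag. `isApproved` begins outside the hunk.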
@ -195,9 +181,7 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
|
|||
ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
|
||||
|
||||
// This must be re-parsed here because SECOAUTH forces us to call things in a strange order
|
||||
if (Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"))
|
||||
&& authorizationRequest.getExtensions().get(CSRF) != null
|
||||
&& authorizationRequest.getExtensions().get(CSRF).equals(authorizationRequest.getApprovalParameters().get(CSRF))) {
|
||||
if (Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"))) {
|
||||
|
||||
authorizationRequest.setApproved(true);
|
||||
|
||||
|
|