fix: limit OAuth redirects to local paths #14585


Merged (9 commits), Sep 10, 2024
Refactor OIDC login redirection handling
- Prevent redirecting the last step in the OIDC flow involving the state
  parameter, ensuring it remains part of the core OIDC process.
- This ensures secure and consistent handling of redirects in the OIDC
  login flow.
sreya committed Sep 9, 2024
commit 4f8b28bfd3f9ae7641c62a57a3804623bbf3b202
3 changes: 3 additions & 0 deletions coderd/coderdtest/oidctest/idp.go
Expand Up @@ -496,6 +496,9 @@ func (f *FakeIDP) LoginWithClient(t testing.TB, client *codersdk.Client, idToken
f.stateToIDTokenClaims.Store(state, idTokenClaims)
return nil
}
// This is mainly intended to prevent the _last_ redirect
// The one involving the state param is a core part of the
// OIDC flow and shouldn't be redirected.
if redirectFn != nil {
return redirectFn(req, via)
}
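Review bot: the new comment is placed directly above the `if redirectFn != nil` delegation, but the behaviour it describes (not redirecting the request that carries the state parameter) is actually implemented by the block just above it, which calls `f.stateToIDTokenClaims.Store(state, idTokenClaims)` and then `return nil` before this point is ever reached; as written, a reader can easily take the comment to mean that `redirectFn` is what suppresses that last redirect. Either move the comment up to sit above the block that handles the state parameter, or reword it to say that by the time execution reaches `redirectFn` the state-bearing redirect has already been consumed. Minor: the first comment line has no terminating punctuation, so it runs into the next line as "prevent the _last_ redirect The one involving the state param..."; `// This is mainly intended to prevent the _last_ redirect.` reads cleanly.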