AD FS namespace OIDC bug fix #19460
Thanks for tackling this leave great comments describing the case for the fix!
/* | ||
If authenticating to a namespace, most SSO providers return a callback url | ||
with a 'state' query param that includes a URI encoded namespace, example: | ||
'?code=BZBDVPMz0By2JTqulEMWX5-6rflW3A20UAusJYHEeFygJ&state=sst_yOarDguU848w5YZuotLs%2Cns%3Dadmin' | ||
|
||
Active Directory Federation Service (AD FS), instead, decodes the namespace portion: | ||
'?code=BZBDVPMz0By2JTqulEMWX5-6rflW3A20UAusJYHEeFygJ&state=st_yOarDguU848w5YZuotLs,ns=admin' | ||
|
||
'ns' isn't recognized as a separate param because there is no ampersand, so using this.paramsFor() returns | ||
a namespace-less state and authentication fails | ||
{ state: 'st_yOarDguU848w5YZuotLs,ns' } | ||
*/ |
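Review bot: the two example callback URLs in this comment use different state values, 'sst_yOarDguU848w5YZuotLs' in the URI-encoded example and 'st_yOarDguU848w5YZuotLs' in the AD FS example and in the resulting object. If they are meant to show the same callback before and after AD FS decodes it, use one value in both so the only visible difference is '%2Cns%3Dadmin' versus ',ns=admin'. The result `{ state: 'st_yOarDguU848w5YZuotLs,ns' }` also ends in ',ns' with '=admin' missing, while the text only mentions the missing ampersand; a sentence saying where '=admin' is lost would make the failure easier to follow.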
Great comments here thanks!
Thanks for all these test updates 🎉
* the fix
* changelog
* clair fix
* add test
* update changelog
* clarify comment
* remove state from paramsFor completely, update tests
* Revert "remove state from paramsFor completely, update tests"
  This reverts commit bea042f.
* add tests with skips until not flaky

---------

Co-authored-by: clairebontempo@gmail.com <clairebontempo@gmail.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

* the fix
* changelog
* clair fix
* add test
* update changelog
* clarify comment
* remove state from paramsFor completely, update tests
* Revert "remove state from paramsFor completely, update tests"
  This reverts commit bea042f.
* add tests with skips until not flaky

---------

Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>

* the fix
* changelog
* claire fix
* add test
* update changelog
* clarify comment
* remove state from paramsFor completely, update tests
* Revert "remove state from paramsFor completely, update tests"
  This reverts commit bea042f.
* add tests with skips until not flaky

---------

Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>

It may seem redundant to first get namespace using `paramsFor` and then again using `window.location.search`, but if the namespace is from the cluster (i.e. HCP namespace flag) `window.location.search` is empty and so we have to use `paramsFor` to initially assign those variables.

This PR #15378 implemented using the URL api because Ember was stripping out the ns param via the `paramsFor` method. While implementing a fix for cluster namespace flags (PR #16886), we discovered `paramsFor` was no longer stripping out the namespace.

However, this introduced a regression because ADFS decodes the namespace portion of the state query param in the callback uri, but doesn't separate it as a separate query param using `&`. Thus `paramsFor` was unable to recognize `ns` as a separate parameter and authentication failed. (See these lines in the test file for examples and a more in-depth explanation.)

Thanks to @austingebauer for checking out this branch and testing it with his local AD FS setup to confirm this does in fact fix the issue!
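
The parsing difference described in this PR, as an added example that is not part of the PR or the project's code: the two callback query strings are the ones quoted in the code comment above, and `naiveParams` and `parseOidcCallback` are hypothetical helpers. `naiveParams` is a stand-in that reproduces the truncated value shown in that comment and is not Ember's implementation; the `<state>,ns=<namespace>` layout is assumed from the quoted examples.

```javascript
// Added example: hypothetical helpers, not the project's code.
// Callback query strings as quoted in the code comment in this PR.
const ENCODED =
  '?code=BZBDVPMz0By2JTqulEMWX5-6rflW3A20UAusJYHEeFygJ&state=sst_yOarDguU848w5YZuotLs%2Cns%3Dadmin';
const ADFS =
  '?code=BZBDVPMz0By2JTqulEMWX5-6rflW3A20UAusJYHEeFygJ&state=st_yOarDguU848w5YZuotLs,ns=admin';

// Stand-in parser that treats every '=' as a key/value separator.
// With the AD FS form it keeps only the text before the second '='.
function naiveParams(search) {
  const out = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    const [key, value = ''] = pair.split('=');
    out[key] = decodeURIComponent(value);
  }
  return out;
}

// URL API parser: URLSearchParams splits each pair on the first '=' only and
// percent-decodes the value, so both forms yield the same decoded state.
function parseOidcCallback(search) {
  const params = new URLSearchParams(search);
  const code = params.get('code') || '';
  const rawState = params.get('state') || '';
  const marker = ',ns='; // assumed layout: '<state>,ns=<namespace>'
  const idx = rawState.indexOf(marker);
  if (idx === -1) {
    // No namespace embedded in state: fall back to a separate 'ns' param.
    return { code, state: rawState, namespace: params.get('ns') || '' };
  }
  return {
    code,
    state: rawState.slice(0, idx),
    namespace: rawState.slice(idx + marker.length),
  };
}

console.log(naiveParams(ADFS).state);
console.log(parseOidcCallback(ADFS));
console.log(parseOidcCallback(ENCODED));
```
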