From a6c8f1bc23ecfff3fc728f515aa551d6f7fec651 Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Mon, 15 Jul 2024 18:46:59 +0200
Subject: [PATCH] ref: Parametrize OIDC authorization response mode

Planka used a default response_mode 'fragment', which is not supported by all OIDC providers. Planka supports only the Authorization Code flow. The default response mode for the authorization code flow is 'query', meaning the authorization server appends the authorization code to the redirect URI as a query parameter. I have added two environment variables: one to use the default response mode from the OIDC provider, and one to customize the response mode if needed. Using the default response mode is recommended by the OIDC specification: "This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type." To avoid any breaking changes, I kept the default value as 'fragment'. Ideally, the environment variable should be undefined by default.
---
 server/api/controllers/show-config.js | 13 +++++++++----
 server/config/custom.js | 2 ++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/server/api/controllers/show-config.js b/server/api/controllers/show-config.js
index d1dc6f67..2740cb7b 100644
--- a/server/api/controllers/show-config.js
+++ b/server/api/controllers/show-config.js
@@ -4,11 +4,16 @@ module.exports = {
     if (sails.hooks.oidc.isActive()) {
       const oidcClient = sails.hooks.oidc.getClient();
 
+      const authorizationParameters = {
+        scope: sails.config.custom.oidcScopes,
+      }
+
+      if(!sails.config.custom.oidcDefaultResponseMode) {
+        authorizationParameters.response_mode = sails.config.custom.oidcResponseMode
+      }
+
       oidc = {
-        authorizationUrl: oidcClient.authorizationUrl({
-          scope: sails.config.custom.oidcScopes,
-          response_mode: 'fragment',
-        }),
+        authorizationUrl: oidcClient.authorizationUrl(authorizationParameters),
         endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
         isEnforced: sails.config.custom.oidcEnforced,
       };
diff --git a/server/config/custom.js b/server/config/custom.js
index ac8b9276..173e104e 100644
--- a/server/config/custom.js
+++ b/server/config/custom.js
@@ -40,6 +40,8 @@ module.exports.custom = {
   oidcClientId: process.env.OIDC_CLIENT_ID,
   oidcClientSecret: process.env.OIDC_CLIENT_SECRET,
   oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
+  oidcResponseMode: process.env.OIDC_RESPONSE_MODE || 'fragment',
+  oidcDefaultResponseMode: process.env.OIDC_DEFAULT_RESPONSE_MODE === 'true',
   oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
   oidcEmailAttribute: process.env.OIDC_EMAIL_ATTRIBUTE || 'email',
   oidcNameAttribute: process.env.OIDC_NAME_ATTRIBUTE || 'name',
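Review bot: The added `const authorizationParameters = { ... }` literal and the `authorizationParameters.response_mode = ...` assignment end without semicolons, and `if(` lacks the space used by the surrounding context (`if (sails.hooks.oidc.isActive())`, `const oidcClient = ...;`), so the project's linter is likely to reject this hunk as written; the fix is `},` → `};` on the closing brace of the literal, a trailing `;` on the assignment, and `if (!sails.config.custom.oidcDefaultResponseMode) {`. Beyond style, the value of `oidcResponseMode` is forwarded verbatim into the authorization URL; since only a handful of response modes are meaningful for the code flow (the commit message names `query` and `fragment`), a check that rejects an unrecognised value at startup would surface a configuration typo once, rather than as an IdP error on every login attempt. The enclosing function begins before this hunk.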
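Review bot: The interaction between the two new settings is not documented where they are defined: when `oidcDefaultResponseMode` is true, `oidcResponseMode` is never consulted in show-config.js, so an operator who sets both `OIDC_RESPONSE_MODE` and `OIDC_DEFAULT_RESPONSE_MODE=true` gets silent precedence of one over the other. A comment above `oidcResponseMode` along the lines of `// Ignored when OIDC_DEFAULT_RESPONSE_MODE=true; the provider's own default for the code flow is used instead` would make that visible to whoever edits this file. It may also be worth noting in the same comment that the `=== 'true'` comparison is exact, so values such as `1`, `TRUE` or `yes` are treated as false without warning, which matches how a strict boolean parse should behave but will surprise someone copying conventions from other variables in this block.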