
ref: Parametrize OIDC authorization response mode

Planka used a default response_mode 'fragment', which is not supported by all
OIDC providers.

Planka supports only the Authorization Code flow. The default response mode
for the authorization code flow is 'query', meaning the authorization server
appends the authorization code to the redirect URI as a query parameter.

I have added two environment variables: one to use the default response mode
from the OIDC provider, and one to customize the response mode if needed.

Using the default response mode is recommended by the OIDC specification:
"This use of this parameter is NOT RECOMMENDED when the Response Mode that
would be requested is the default mode specified for the Response Type."

To avoid any breaking changes, I kept the default value as 'fragment'. Ideally,
the environment variable should be undefined by default.
lebaudantoine 2024-07-15 18:46:59 +02:00
parent 8d74cc1732
commit a6c8f1bc23
2 changed files with 11 additions and 4 deletions


@ -4,11 +4,16 @@ module.exports = {
if (sails.hooks.oidc.isActive()) { if (sails.hooks.oidc.isActive()) {
const oidcClient = sails.hooks.oidc.getClient(); const oidcClient = sails.hooks.oidc.getClient();
oidc = { const authorizationParameters = {
authorizationUrl: oidcClient.authorizationUrl({
scope: sails.config.custom.oidcScopes, scope: sails.config.custom.oidcScopes,
response_mode: 'fragment', }
}),
if(!sails.config.custom.oidcDefaultResponseMode) {
authorizationParameters.response_mode = sails.config.custom.oidcResponseMode
}
oidc = {
authorizationUrl: oidcClient.authorizationUrl(authorizationParameters),
endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null, endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
isEnforced: sails.config.custom.oidcEnforced, isEnforced: sails.config.custom.oidcEnforced,
}; };
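Review bot: The branch `if(!sails.config.custom.oidcDefaultResponseMode)` forwards whatever string `oidcResponseMode` holds to `authorizationUrl()` without checking it is a response mode the callback handling can actually consume, and the negated flag makes the intent hard to read at a glance; a comment on that line such as `// Omit response_mode so the provider applies its default ('query' for the code flow); otherwise send the configured mode.` would make it clear. Style-wise the project's formatter conventions want a space after `if` and a terminating semicolon, i.e. `if (!sails.config.custom.oidcDefaultResponseMode) {` and `authorizationParameters.response_mode = sails.config.custom.oidcResponseMode;`. Note that moving from 'fragment' to a provider default of 'query' changes where the authorization code arrives: a query-string code is visible to reverse proxies and access logs in front of the server, whereas a fragment never leaves the browser, and if the callback code elsewhere reads only the fragment, login would break under the new default — that handler is not in this commit, so it is worth confirming. The enclosing `module.exports` function starts before this hunk.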


@ -40,6 +40,8 @@ module.exports.custom = {
oidcClientId: process.env.OIDC_CLIENT_ID, oidcClientId: process.env.OIDC_CLIENT_ID,
oidcClientSecret: process.env.OIDC_CLIENT_SECRET, oidcClientSecret: process.env.OIDC_CLIENT_SECRET,
oidcScopes: process.env.OIDC_SCOPES || 'openid email profile', oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
oidcResponseMode: process.env.OIDC_RESPONSE_MODE || 'fragment',
oidcDefaultResponseMode: process.env.OIDC_DEFAULT_RESPONSE_MODE === 'true',
oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [], oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
oidcEmailAttribute: process.env.OIDC_EMAIL_ATTRIBUTE || 'email', oidcEmailAttribute: process.env.OIDC_EMAIL_ATTRIBUTE || 'email',
oidcNameAttribute: process.env.OIDC_NAME_ATTRIBUTE || 'name', oidcNameAttribute: process.env.OIDC_NAME_ATTRIBUTE || 'name',
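Review bot: `oidcResponseMode` accepts any string from `OIDC_RESPONSE_MODE` and nothing validates it, so a typo or an unsupported mode only surfaces as a provider-side error at login time; validating against an allow-list of the modes the application's callback handler supports and throwing at config load would fail fast (I cannot tell from this hunk which modes the callback accepts, so the list should be confirmed against that code). The two new variables are also undocumented: the commit touches only server code, so neither the example environment file nor the configuration docs mention them, and the name `OIDC_DEFAULT_RESPONSE_MODE=true` reads as if it sets a mode when it actually suppresses sending one. A comment on the `oidcDefaultResponseMode` line such as `// When true, response_mode is omitted from the authorization request so the provider applies its own default.` would prevent that misreading. The `module.exports.custom` object continues outside the hunk.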