From c7fc2042db317e97468610358a0997d305352629 Mon Sep 17 00:00:00 2001
From: Maxence Lange
Date: Thu, 20 Apr 2023 17:09:59 -0100
Subject: [PATCH] extract idp from jwt in globalscale
Signed-off-by: Maxence Lange
---
 lib/Controller/SAMLController.php | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
index 6fa4633cb..1ea23cc95 100644
--- a/lib/Controller/SAMLController.php
+++ b/lib/Controller/SAMLController.php
@@ -446,23 +446,30 @@ public function singleLogoutService() {
 }
 $isFromIDP = !$isFromGS && !empty($_GET['SAMLRequest']);
-
+ $idp = null;
 if ($isFromIDP) {
 // requests comes from the IDP so let it manage the logout
 // (or raise Error if request is invalid)
 $pass = true ;
 } elseif ($isFromGS) {
 // Request is from master GlobalScale
- // Request validity is check via a JSON Web Token
 $jwt = $this->request->getParam('jwt', '');
- $pass = $this->isValidJwt($jwt);
+
+ try {
+ $key = $this->config->getSystemValue('gss.jwt.key', '');
+ $decoded = (array)JWT::decode($jwt, new Key($key, 'HS256'));
+
+ $idp = $decoded['idp'] ?? null;
+ $pass = true;
+ } catch (\Exception $e) {
+ }
 } else {
 // standard request : need read CRSF check
 $pass = $this->request->passesCSRFCheck();
 }
 
 if ($pass) {
- $idp = $this->session->get('user_saml.Idp');
+ $idp = ($idp !== null) ? (int)$idp : $this->session->get('user_saml.Idp');
 $stay = true;
 // $auth will return the redirect URL but won't perform the redirect himself
 if ($isFromIDP) {
 [$targetUrl, $auth] = $this->tryProcessSLOResponse($idp);
@@ -665,18 +672,6 @@ private function getDirectLoginUrl($redirectUrl) {
 return $directUrl;
 }
-
- private function isValidJwt($jwt): bool {
- try {
- $key = $this->config->getSystemValue('gss.jwt.key', '');
- JWT::decode($jwt, new Key($key, 'HS256'));
- } catch (\Exception $e) {
- return false;
- }
-
- return true;
- }
-
 /**
 * @PublicPage
 * @NoCSRFRequired
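Review bot: The empty `catch (\Exception $e) { }` in the `elseif ($isFromGS)` branch leaves `$pass` unassigned whenever `JWT::decode()` rejects the token (bad signature, expired claim, or possibly an empty `gss.jwt.key` if `Key` refuses empty material), whereas the removed `isValidJwt()` returned `false`; the later `if ($pass)` then reads an undefined variable and only fails closed by accident, with a warning. Make the rejection explicit, e.g. `} catch (\Exception $e) { $pass = false; }`, or initialise `$pass = false;` next to the new `$idp = null;`. The `idp` claim is also applied with a bare `(int)$idp` before the session fallback, so a malformed claim such as a non-numeric string silently becomes IdP 0 instead of being rejected; consider `$idp = is_numeric($decoded['idp'] ?? null) ? (int)$decoded['idp'] : null;` or treating a non-integer claim as a failed validation. Since the inline decode is less self-describing than the old helper, restoring the dropped comment as `// Request validity is checked via a JSON Web Token signed with gss.jwt.key; the idp claim selects the IdP` would help. singleLogoutService() begins and ends outside the hunk.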