Index: openacs-4/packages/xooauth/tcl/authorize-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/xooauth/tcl/authorize-procs.tcl,v diff -u -r1.1.2.4 -r1.1.2.5 --- openacs-4/packages/xooauth/tcl/authorize-procs.tcl 10 May 2023 07:02:38 -0000 1.1.2.4 +++ openacs-4/packages/xooauth/tcl/authorize-procs.tcl 11 May 2023 16:43:57 -0000 1.1.2.5 @@ -38,9 +38,23 @@ :method qualified {partial_url} { return [util_current_location]$partial_url } - + + :method encoded_state {{-return_url ""}} { + set state [::xo::oauth::nonce] + append state . [ns_base64urlencode $return_url] + return $state + } + + :method decoded_state {state} { + lassign [split $state .] nonce encoded_url + return [list \ + nonce $nonce \ + return_url [ns_base64urldecode $encoded_url]] + } + + :public method login_url { - {-state} + {-return_url ""} {-login} } { # @@ -49,7 +63,7 @@ set base ${:base_url}/authorize set client_id ${:client_id} set scope ${:scope} - set state [::xo::oauth::nonce] + set state [:encoded_state -return_url $return_url] set redirect_uri [:qualified ${:responder_url}] return [export_vars -no_empty -base $base { @@ -118,13 +132,13 @@ :method required_fields {} { return [expr {${:create_not_registered_users} - ? "email given_name family_name" + ? "email given_name family_name" : "email"}] } - + :method get_required_fields { {-claims:required} - {-mapped_fields:required} + {-mapped_fields:required} } { # # Check, if required fields are provided in the claims and @@ -147,7 +161,7 @@ break } } - + if {[info exists not_enough_data]} { ns_log warning "[self] get_user_data: not enough data:" \ $not_enough_data "is missing" @@ -216,7 +230,7 @@ return $user_id } - :public method perform_login {-token} { + :public method perform_login {-token {-state ""}} { # # Get the provided claims from the identity provider and # perform an OpenACS login, when the user exists. 
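Review bot: The nonce half of the value built by `encoded_state` is never checked on the way back: `decoded_state` only splits it out and returns it, and the `perform_login` hunk in the next segment merely stores the result under `decoded_state` in `$data`, so any `state` with the `nonce.base64url` shape is accepted, including one that was not issued for this browser session. The `state` parameter only protects the callback when the nonce is bound to the session at generation time and compared on return; consider recording it in `encoded_state` (for example in the session or a cookie) and rejecting a mismatch in `decoded_state` or in `perform_login`. `lassign [split $state .]` also silently yields empty `nonce`/`encoded_url` for an empty or malformed state; `if {[llength [split $state .]] != 2} { error "invalid state" }` would make that explicit. Both new methods lack a comment; a line such as `# Build the OAuth "state" value: a nonce and the base64url-encoded return_url, joined by "."` on `encoded_state`, and its inverse on `decoded_state`, would document the format the handlers depend on.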
@@ -247,6 +261,7 @@ [dict get $data error] "\n$data" } else { + dict set data decoded_state [:decoded_state $state] set user_id [:lookup_user_id -email [dict get $data email]] if {!${:debug} && $user_id == 0 Index: openacs-4/packages/xooauth/tcl/ms-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/xooauth/tcl/ms-procs.tcl,v diff -u -r1.1.2.20 -r1.1.2.21 --- openacs-4/packages/xooauth/tcl/ms-procs.tcl 10 May 2023 07:02:38 -0000 1.1.2.20 +++ openacs-4/packages/xooauth/tcl/ms-procs.tcl 11 May 2023 16:43:57 -0000 1.1.2.21 @@ -1098,7 +1098,7 @@ :public method login_url { {-prompt} - {-state} + {-return_url ""} {-login_hint} {-domain_hint} {-code_challenge} @@ -1129,12 +1129,13 @@ set response_type ${:response_type} set nonce [::xo::oauth::nonce] set response_mode form_post + set state [:encoded_state -return_url $return_url] set redirect_uri [:qualified ${:responder_url}] - - return [export_vars -no_empty -base $base { + + return [export_vars -no_empty -base $base { client_id response_type redirect_uri response_mode state scope nonce prompt login_hint domain_hint - code_challenge code_challenge_method + code_challenge code_challenge_method }] } 
@@ -1168,7 +1169,7 @@ # "id_token"). In case of an error or incomplete data, # add this information the result dict. # - # See here for AD claim sets + # See here for AD claim sets: # https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims # # The error codes returned by Azure are defined here: Index: openacs-4/packages/xooauth/www/azure-login-handler.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/xooauth/www/azure-login-handler.tcl,v diff -u -r1.1.2.3 -r1.1.2.4 --- openacs-4/packages/xooauth/www/azure-login-handler.tcl 8 May 2023 17:37:52 -0000 1.1.2.3 +++ openacs-4/packages/xooauth/www/azure-login-handler.tcl 11 May 2023 16:43:57 -0000 1.1.2.4 @@ -17,12 +17,14 @@ set name [$auth_obj name] set title "$name Authorization" -set login_url [$auth_obj login_url] +set login_url [$auth_obj login_url -return_url [ns_queryget return_url]] set logout_url [$auth_obj logout_url] set data "" if {[ns_queryget id_token] ne ""} { - set data [$auth_obj perform_login -token [ns_queryget id_token]] + set data [$auth_obj perform_login \ + -token [ns_queryget id_token] \ + -state [ns_queryget state]] } if {![$auth_obj cget -debug] 
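Review bot: In azure-login-handler.tcl, `return_url` is taken straight from the query string and passed to `login_url -return_url`, so a caller-supplied URL travels through the provider round trip inside `state` before the first-character check in the redirect block ever sees it. Validating it on entry as well, e.g. `set return_url [ns_queryget return_url]` followed by `if {[string range $return_url 0 0] ne "/"} { set return_url "" }`, keeps non-local values out of the authorization request altogether; the same applies to the matching hunk in github-login-handler.tcl. The enclosing script continues outside the hunk.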
@@ -32,15 +34,15 @@ # # Login was performed, just redirect to the right place. # - # We can use "state" on Azure as redirect URL (since it has a - # nonce) - set redirect_url [ns_queryget state \ - [$auth_obj cget -after_successful_login_url]] - if {[string range $redirect_url 0 0] eq "/"} { - ad_returnredirect $redirect_url - } else { - ns_log warning "Azure redirect URL looks suspicious: '$redirect_url'" + set return_url [$auth_obj cget -after_successful_login_url] + if {[dict exists $data decoded_state return_url]} { + set return_url [dict get $data decoded_state return_url] } + if {[string range $return_url 0 0] ne "/"} { + ns_log warning "Azure redirect URL looks suspicious: '$return_url'" + set return_url /pvt + } + ad_returnredirect $redirect_url ad_script_abort } Index: openacs-4/packages/xooauth/www/github-login-handler.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/xooauth/www/github-login-handler.tcl,v diff -u -r1.1.2.1 -r1.1.2.2 --- openacs-4/packages/xooauth/www/github-login-handler.tcl 8 May 2023 17:37:52 -0000 1.1.2.1 +++ openacs-4/packages/xooauth/www/github-login-handler.tcl 11 May 2023 16:43:57 -0000 1.1.2.2 
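Review bot: `ad_returnredirect $redirect_url` on the last added line reads a variable the new code never sets — the lines that defined `redirect_url` are removed and the computed value now lives in `return_url` — so a successful Azure login would end in a Tcl "no such variable" error instead of a redirect; it should be `ad_returnredirect $return_url`, as the GitHub handler in the next segment already does. The test `[string range $return_url 0 0] ne "/"` still lets a protocol-relative value such as `//host/path` through (the removed code had the same test), so unless `ad_returnredirect` itself rejects those, adding `|| [string range $return_url 0 1] eq "//"` to the condition here and in the GitHub handler closes that gap. The hard-coded `/pvt` fallback also discards the `after_successful_login_url` value computed two lines earlier; reusing it would keep the redirect target configurable.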
@@ -17,35 +17,33 @@ set name [$auth_obj name] set title "$name Authorization" -set login_url [$auth_obj login_url] +set login_url [$auth_obj login_url -return_url [ns_queryget return_url]] set logout_url [$auth_obj logout_url] set data "" if {[ns_queryget code] ne ""} { - set data [$auth_obj perform_login -token [ns_queryget code]] + set data [$auth_obj perform_login \ + -token [ns_queryget code] \ + -state [ns_queryget state]] } if {![$auth_obj cget -debug] && [dict exists $data user_id] && [dict get $data user_id] > 0 } { - # - # Login was performed, just redirect to the right place. - # - # We can use "state" on azure as redirect URL (since it has a - # nonce), but on the GitHub description, it says clearly, that - # it should be an unguessable random string... Maybe, we can - # cookup later some compromise. - # - #set redirect_url [ns_queryget state \ - # [$auth_obj cget -after_successful_login_url]] - set redirect_url [$auth_obj cget -after_successful_login_url] - if {[string range $redirect_url 0 0] eq "/"} { - ad_returnredirect $redirect_url - } else { - ns_log warning "OAuth redirect URL looks suspicious: '$redirect_url'" - } - ad_script_abort + # + # Login was performed, just redirect to the right place. + # + set return_url [$auth_obj cget -after_successful_login_url] + if {[dict exists $data decoded_state return_url]} { + set return_url [dict get $data decoded_state return_url] + } + if {[string range $return_url 0 0] ne "/"} { + ns_log warning "OAuth redirect URL looks suspicious: '$return_url'" + set return_url /pvt + } + ad_returnredirect $return_url + ad_script_abort } if {1 || $swa_p} { @@ -76,3 +74,10 @@ set error [dict get $data error] } + +# +# Local variables: +# mode: tcl +# tcl-indent-level: 4 +# indent-tabs-mode: nil +# End
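Review bot: When the original request carried no `return_url`, `login_url` encodes an empty string, `decoded_state` hands back `return_url ""`, and the `dict exists` test then replaces the configured `after_successful_login_url` with that empty value; the following check logs "OAuth redirect URL looks suspicious: ''" and sends the user to `/pvt`, so the configured default is never used on the common path. Tightening the condition to `if {[dict exists $data decoded_state return_url] && [dict get $data decoded_state return_url] ne ""}` keeps the default when no return_url was supplied; the Azure handler's hunk in the previous segment has the same issue. The removed comment explaining why `state` was not used as the redirect target on GitHub is gone without a replacement; a short note that `state` now carries a nonce plus the encoded return_url would preserve that reasoning for the next reader.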