Skip to content

fix: Add state param in Azure AD provider #89

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yasudacloud merged 3 commits into from
May 8, 2025
Merged

fix: Add state param in Azure AD provider #89

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2215667
refactor: Refactor URL construction in Azure AD provider
ww24 Apr 1, 2025
80a59bc
fix: Ensure email property is set for Azure AD user in sign-in callback
ww24 Apr 1, 2025
1e05d62
fix: Add state param in Azure AD provider
ww24 May 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 20 additions & 3 deletions server/controllers/azuread.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
import axios from "axios";
import {Buffer} from 'buffer';
import { randomUUID } from "crypto";
import pkceChallenge from "pkce-challenge";


const configValidation = () => {
const config = strapi.config.get("plugin::strapi-plugin-sso");
if (
Expand Down Expand Up @@ -30,7 +30,6 @@ const OAUTH_RESPONSE_TYPE = "code";

async function azureAdSignIn(ctx) {
const config = configValidation();
const redirectUri = encodeURIComponent(config["AZUREAD_OAUTH_REDIRECT_URI"]);
const endpoint = OAUTH_ENDPOINT(config["AZUREAD_TENANT_ID"]);

// Generate code verifier and code challenge
Expand All @@ -40,7 +39,18 @@ async function azureAdSignIn(ctx) {
// Store the code verifier in the session
ctx.session.codeVerifier = codeVerifier;

const url = `${endpoint}?client_id=${config["AZUREAD_OAUTH_CLIENT_ID"]}&redirect_uri=${redirectUri}&scope=${config["AZUREAD_SCOPE"]}&response_type=${OAUTH_RESPONSE_TYPE}&code_challenge=${codeChallenge}&code_challenge_method=S256`;
const state = crypto.getRandomValues(Buffer.alloc(32)).toString('base64url');
ctx.session.oidcState = state;

const params = new URLSearchParams();
params.append('client_id', config['AZUREAD_OAUTH_CLIENT_ID']);
params.append('redirect_uri', config['AZUREAD_OAUTH_REDIRECT_URI']);
params.append('scope', config['AZUREAD_SCOPE']);
params.append('response_type', OAUTH_RESPONSE_TYPE);
params.append('code_challenge', codeChallenge);
params.append('code_challenge_method', 'S256');
params.append('state', state);
const url = `${endpoint}?${params.toString()}`;
ctx.set("Location", url);
return ctx.send({}, 302);
}
Expand All @@ -56,6 +66,9 @@ async function azureAdSignInCallback(ctx) {
if (!ctx.query.code) {
return ctx.send(oauthService.renderSignUpError(`code Not Found`));
}
if (!ctx.query.state || ctx.query.state !== ctx.session.oidcState) {
return ctx.send(oauthService.renderSignUpError(`Invalid state`))
}

const params = new URLSearchParams();
params.append("code", ctx.query.code);
Expand All @@ -80,6 +93,10 @@ async function azureAdSignInCallback(ctx) {
},
});

if (!userResponse.data.email) {
throw new Error('Email address is not set. Please set email property to the Azure AD user.');
}
Comment on lines +96 to +98

@ww24 ww24 Apr 1, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I lost some time to realize that the email property was not set for the Azure AD User. I add an error message for clarity.

@ww24 ww24 Apr 1, 2025
edited
Loading

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is possible that someone who forgot to specify an email address for Azure AD users has submitted a Pull Request like this. Usually, the userinfo endpoint is sufficient.


// whitelist check
await whitelistService.checkWhitelistForEmail(userResponse.data.email)

Expand Down