Add ssoToken to limit lifetime of SSO redirect (#1965)

(cherry picked from commit 6e2e613fee)
2025-12-05 23:53:33 +00:00 · 2022-06-27 15:53:15 -04:00
parent daab473cbb
commit ee68dcf3b0
4 changed files with 16 additions and 5 deletions
--- a/src/App/Pages/Accounts/LoginSsoPageViewModel.cs
+++ b/src/App/Pages/Accounts/LoginSsoPageViewModel.cs
@@ -81,10 +81,12 @@ namespace Bit.App.Pages
            }

            await _deviceActionService.ShowLoadingAsync(AppResources.LoggingIn);
+            string ssoToken;

            try
            {
-                await _apiService.PreValidateSso(OrgIdentifier);
+                var response = await _apiService.PreValidateSso(OrgIdentifier);
+                ssoToken = response.Token;
            }
            catch (ApiException e)
            {
@@ -112,7 +114,8 @@ namespace Bit.App.Pages
                      "response_type=code&scope=api%20offline_access&" +
                      "state=" + state + "&code_challenge=" + codeChallenge + "&" +
                      "code_challenge_method=S256&response_mode=query&" +
-                      "domain_hint=" + Uri.EscapeDataString(OrgIdentifier);
+                      "domain_hint=" + Uri.EscapeDataString(OrgIdentifier) + "&" +
+                      "ssoToken=" + Uri.EscapeDataString(ssoToken);

            WebAuthenticatorResult authResult = null;
            try
--- a/src/Core/Abstractions/IApiService.cs
+++ b/src/Core/Abstractions/IApiService.cs
@@ -44,7 +44,7 @@ namespace Bit.Core.Abstractions
        Task PutDeleteCipherAsync(string id);
        Task<CipherResponse> PutRestoreCipherAsync(string id);
        Task RefreshIdentityTokenAsync();
-        Task<object> PreValidateSso(string identifier);
+        Task<SsoPrevalidateResponse> PreValidateSso(string identifier);
        Task<TResponse> SendAsync<TRequest, TResponse>(HttpMethod method, string path,
            TRequest body, bool authed, bool hasResponse, bool logoutOnUnauthorized = true);
        void SetUrls(EnvironmentUrls urls);
--- a/src/Core/Models/Response/SsoPrevalidateResponse.cs
+++ b/src/Core/Models/Response/SsoPrevalidateResponse.cs
@@ -0,0 +1,7 @@
+namespace Bit.Core.Models.Response
+{
+    public class SsoPrevalidateResponse
+    {
+        public string Token { get; set; }
+    }
+}
--- a/src/Core/Services/ApiService.cs
+++ b/src/Core/Services/ApiService.cs
@@ -547,7 +547,7 @@ namespace Bit.Core.Services
            return accessToken;
        }

-        public async Task<object> PreValidateSso(string identifier)
+        public async Task<SsoPrevalidateResponse> PreValidateSso(string identifier)
        {
            var path = "/account/prevalidate?domainHint=" + WebUtility.UrlEncode(identifier);
            using (var requestMessage = new HttpRequestMessage())
@@ -571,7 +571,8 @@ namespace Bit.Core.Services
                    var error = await HandleErrorAsync(response, false, true);
                    throw new ApiException(error);
                }
-                return null;
+                var responseJsonString = await response.Content.ReadAsStringAsync();
+                return JsonConvert.DeserializeObject<SsoPrevalidateResponse>(responseJsonString);
            }
        }