
CSA-2 - Require user interaction for SSO redirect (#1948)

* CSA-2 - adding validation before redirecting for SSO login

* Updating server to use generated and signed JWT for SSO redirect

* Removing erroneous file

* Removing erroneous file

* Updating for PR feedback, adding domain_hint to Login and fixing invalid domain_hint name reference

* Some code styling changes from PR feedback

* Removing unnecessary JSON serialization

* Couple small changes from PR feedback

* Fixing linting errors

* Update formatting in AccountController.cs

* Remove unused dependency

* Add token lifetime to settings

* Use tokenable directly

* Return defined models

* Revert sso proj file changes

* Check expiration validity when validating org

* Show error message with expired token

* Formatting fixes

* Add SsoTokenLifetime to Sso settings

* Fix build errors

* Fix sql warnings

Co-authored-by: Carlos J. Muentes <cmuentes@bitwarden.com>
Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com>
Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
Carlos J. Muentes
2022-06-01 13:23:52 -04:00
committed by GitHub
parent c27645265c
commit 14302efa2c
16 changed files with 267 additions and 56 deletions


@@ -5,6 +5,7 @@ using System.Threading.Tasks;
using AspNetCoreRateLimit;
using Bit.Core;
using Bit.Core.Context;
using Bit.Core.Models.Business.Tokenables;
using Bit.Core.Settings;
using Bit.Core.Utilities;
using Bit.Identity.Utilities;
@@ -110,10 +111,17 @@ namespace Bit.Identity
{
// Pass domain_hint onto the sso idp
context.ProtocolMessage.DomainHint = context.Properties.Items["domain_hint"];
context.ProtocolMessage.Parameters.Add("organizationId", context.Properties.Items["organizationId"]);
if (context.Properties.Items.ContainsKey("user_identifier"))
{
context.ProtocolMessage.SessionState = context.Properties.Items["user_identifier"];
}
if (context.Properties.Parameters.Count > 0 && context.Properties.Parameters.ContainsKey(SsoTokenable.TokenIdentifier))
{
var token = context.Properties.Parameters[SsoTokenable.TokenIdentifier].ToString();
context.ProtocolMessage.Parameters.Add(SsoTokenable.TokenIdentifier, token);
}
return Task.FromResult(0);
}
};
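Review bot: The block guarded by `ContainsKey(SsoTokenable.TokenIdentifier)` forwards the SSO token only when it is present and otherwise lets the redirect proceed without it, so the "require user interaction" guarantee depends entirely on the receiving side rejecting a request that lacks a valid, unexpired token. That enforcement is not visible in this hunk, so it deserves a comment here, such as `// Token is optional at this point; the SSO endpoint must reject requests without a valid token`. Because the value is added to `ProtocolMessage.Parameters`, it presumably travels in the authorization request itself and can end up in proxy or access logs, so it should be treated as sensitive in logging and kept short-lived. As a smaller point, `Parameters.Count > 0 &&` is redundant and `.ToString()` throws on a null value; `if (context.Properties.Parameters.TryGetValue(SsoTokenable.TokenIdentifier, out var raw) && raw?.ToString() is string token)` covers both with one lookup. The enclosing handler starts above the hunk, and the unguarded `Items["domain_hint"]` and `Items["organizationId"]` indexers in it throw if the key is missing, unlike the guarded `user_identifier` read.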