bitwarden/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server synced 2025-12-06 00:03:34 +00:00
Code Issues Releases Wiki Activity

feat(sso): [auth/pm-17719] Make SSO identifier errors consistent (#6345)

Browse Source 
* feat(sso-account-controller): Make SSO identifiers consistent - align all return messages from prevalidate.

* feat(shared-resources): Make SSO identifiers consistent - remove unused string resources, add new consistent error message.

* feat(sso-account-controller): Make SSO identifiers consistent - Add logging.
This commit is contained in:
Dave
2025-09-16 15:01:23 -04:00
committed by GitHub
parent 6e309c6e04
commit 57f891f391
2 changed files with 20 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
bitwarden_license/src/Sso/Controllers/AccountController.cs
View File

@@ -108,36 +108,32 @@ public class AccountController : Controller
// Validate domain_hint provided
if (string.IsNullOrWhiteSpace(domainHint))
{
return InvalidJson("NoOrganizationIdentifierProvidedError");
_logger.LogError(new ArgumentException("domainHint is required."), "domainHint not specified.");
return InvalidJson("SsoInvalidIdentifierError");
}
// Validate organization exists from domain_hint
var organization = await _organizationRepository.GetByIdentifierAsync(domainHint);
if (organization == null)
if (organization is not { UseSso: true })
{
return InvalidJson("OrganizationNotFoundByIdentifierError");
}
if (!organization.UseSso)
{
return InvalidJson("SsoNotAllowedForOrganizationError");
_logger.LogError("Organization not configured to use SSO.");
return InvalidJson("SsoInvalidIdentifierError");
}
// Validate SsoConfig exists and is Enabled
var ssoConfig = await _ssoConfigRepository.GetByIdentifierAsync(domainHint);
if (ssoConfig == null)
if (ssoConfig is not { Enabled: true })
{
return InvalidJson("SsoConfigurationNotFoundForOrganizationError");
}
if (!ssoConfig.Enabled)
{
return InvalidJson("SsoNotEnabledForOrganizationError");
_logger.LogError("SsoConfig not enabled.");
return InvalidJson("SsoInvalidIdentifierError");
}
// Validate Authentication Scheme exists and is loaded (cache)
var scheme = await _schemeProvider.GetSchemeAsync(organization.Id.ToString());
if (scheme == null || !(scheme is IDynamicAuthenticationScheme dynamicScheme))
if (scheme is not IDynamicAuthenticationScheme dynamicScheme)
{
return InvalidJson("NoSchemeOrHandlerForSsoConfigurationFoundError");
_logger.LogError("Invalid authentication scheme for organization.");
return InvalidJson("SsoInvalidIdentifierError");
}
// Run scheme validation
@@ -147,13 +143,8 @@ public class AccountController : Controller
}
catch (Exception ex)
{
var translatedException = _i18nService.GetLocalizedHtmlString(ex.Message);
var errorKey = "InvalidSchemeConfigurationError";
if (!translatedException.ResourceNotFound)
{
errorKey = ex.Message;
}
return InvalidJson(errorKey, translatedException.ResourceNotFound ? ex : null);
_logger.LogError(ex, "An error occurred while validating SSO dynamic scheme.");
return InvalidJson("SsoInvalidIdentifierError");
}
var tokenable = new SsoTokenable(organization, _globalSettings.Sso.SsoTokenLifetimeInSeconds);
@@ -163,7 +154,8 @@ public class AccountController : Controller
}
catch (Exception ex)
{
return InvalidJson("PreValidationError", ex);
_logger.LogError(ex, "An error occurred during SSO prevalidation.");
return InvalidJson("SsoInvalidIdentifierError");
}
}
@@ -352,7 +344,7 @@ public class AccountController : Controller
}
/// <summary>
/// Attempts to map the external identity to a Bitwarden user, through the SsoUser table, which holds the `externalId`.
/// Attempts to map the external identity to a Bitwarden user, through the SsoUser table, which holds the `externalId`.
/// The claims on the external identity are used to determine an `externalId`, and that is used to find the appropriate `SsoUser` and `User` records.
/// </summary>
private async Task<(User user, string provider, string providerUserId, IEnumerable<Claim> claims, SsoConfigurationData config)>
@@ -485,7 +477,7 @@ public class AccountController : Controller
allowedStatuses: [OrganizationUserStatusType.Accepted, OrganizationUserStatusType.Confirmed]);
// Since we're in the auto-provisioning logic, this means that the user exists, but they have not
// Since we're in the auto-provisioning logic, this means that the user exists, but they have not
// authenticated with the org's SSO provider before now (otherwise we wouldn't be auto-provisioning them).
// We've verified that the user is Accepted or Confnirmed, so we can create an SsoUser link and proceed
// with authentication.

18
src/Core/Resources/SharedResources.en.resx
View File

@@ -394,24 +394,9 @@
<data name="InvalidSchemeConfigurationError" xml:space="preserve">
<value>The configured authentication scheme is not valid: "{0}"</value>
</data>
<data name="NoSchemeOrHandlerForSsoConfigurationFoundError" xml:space="preserve">
<value>No scheme or handler for this SSO configuration found.</value>
</data>
<data name="SsoNotEnabledForOrganizationError" xml:space="preserve">
<value>SSO is not yet enabled for this organization.</value>
</data>
<data name="SsoConfigurationNotFoundForOrganizationError" xml:space="preserve">
<value>No SSO configuration exists for this organization.</value>
</data>
<data name="SsoNotAllowedForOrganizationError" xml:space="preserve">
<value>SSO is not allowed for this organization.</value>
</data>
<data name="OrganizationNotFoundByIdentifierError" xml:space="preserve">
<value>Organization not found from identifier.</value>
</data>
<data name="NoOrganizationIdentifierProvidedError" xml:space="preserve">
<value>No organization identifier provided.</value>
</data>
<data name="InvalidAuthenticationOptionsForSaml2SchemeError" xml:space="preserve">
<value>Invalid authentication options provided to SAML2 scheme.</value>
</data>
@@ -691,4 +676,7 @@
<data name="InvalidSsoRedirectToken" xml:space="preserve">
<value>Single sign on redirect token is invalid or expired.</value>
</data>
<data name="SsoInvalidIdentifierError" xml:space="preserve">
<value>Invalid SSO identifier</value>
</data>
</root>