CSA-2 - Require user interaction for SSO redirect (#1948)

* CSA-2 - adding validation before redirecting for SSO login * Updating server to use generated and signed JWT for SSO redirect * Removing erroneous file * Removing erroneous file * Updating for PR feedback, adding domain_hint to Login and fixing invalid domain_hint name reference * Some code styling changes from PR feedback * Removing unnecessary JSON serialization * Couple small changes from PR feedback * Fixing linting errors * Update formatting in AccountController.cs * Remove unused dependency * Add token lifetime to settings * Use tokenable directly * Return defined models * Revert sso proj file changes * Check expiration validity when validating org * Show error message with expired token * Formatting fixes * Add SsoTokenLifetime to Sso settings * Fix build errors * Fix sql warnings Co-authored-by: Carlos J. Muentes <cmuentes@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
2025-07-01 08:02:49 -05:00 · 2022-06-01 13:23:52 -04:00
parent c27645265c
commit 14302efa2c
16 changed files with 267 additions and 56 deletions
--- a/src/Core/Models/Business/Tokenables/SsoTokenable.cs
+++ b/src/Core/Models/Business/Tokenables/SsoTokenable.cs
@ -0,0 +1,46 @@
+
+using System;
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.Models.Business.Tokenables
+{
+    public class SsoTokenable : ExpiringTokenable
+    {
+        public const string ClearTextPrefix = "BWUserPrefix_";
+        public const string DataProtectorPurpose = "SsoTokenDataProtector";
+        public const string TokenIdentifier = "ssoToken";
+
+        public Guid OrganizationId { get; set; }
+        public string DomainHint { get; set; }
+        public string Identifier { get; set; } = TokenIdentifier;
+
+        [JsonConstructor]
+        public SsoTokenable() { }
+
+        public SsoTokenable(Organization organization, double tokenLifetimeInSeconds) : this()
+        {
+            OrganizationId = organization?.Id ?? default;
+            DomainHint = organization?.Identifier;
+            ExpirationDate = DateTime.UtcNow.AddSeconds(tokenLifetimeInSeconds);
+        }
+
+        public bool TokenIsValid(Organization organization)
+        {
+            if (OrganizationId == default || DomainHint == default || organization == null || !Valid)
+            {
+                return false;
+            }
+
+            return organization.Identifier.Equals(DomainHint, StringComparison.InvariantCultureIgnoreCase)
+                && organization.Id.Equals(OrganizationId);
+        }
+
+        // Validates deserialized 
+        protected override bool TokenIsValid() =>
+            Identifier == TokenIdentifier
+            && OrganizationId != default
+            && !string.IsNullOrWhiteSpace(DomainHint);
+    }
+}
--- a/src/Core/Resources/SharedResources.en.resx
+++ b/src/Core/Resources/SharedResources.en.resx
@ -679,4 +679,10 @@
  <data name="IdpSingleSignOnServiceUrlInvalid" xml:space="preserve">
    <value>Single sign on service URL contains illegal characters.</value>
  </data>
+  <data name="SsoRedirectTokenValidationMissing" xml:space="preserve">
+    <value>Single sign on redirect token is missing from the request.</value>
+  </data>
+  <data name="InvalidSsoRedirectToken" xml:space="preserve">
+    <value>Single sign on redirect token is invalid or expired.</value>
+  </data>
 </root>
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@ -67,7 +67,7 @@ namespace Bit.Core.Settings
        public virtual AmazonSettings Amazon { get; set; } = new AmazonSettings();
        public virtual ServiceBusSettings ServiceBus { get; set; } = new ServiceBusSettings();
        public virtual AppleIapSettings AppleIap { get; set; } = new AppleIapSettings();
-        public virtual SsoSettings Sso { get; set; } = new SsoSettings();
+        public virtual ISsoSettings Sso { get; set; } = new SsoSettings();
        public virtual StripeSettings Stripe { get; set; } = new StripeSettings();
        public virtual ITwoFactorAuthSettings TwoFactorAuth { get; set; } = new TwoFactorAuthSettings();

@ -461,9 +461,10 @@ namespace Bit.Core.Settings
            public bool AppInReview { get; set; }
        }

-        public class SsoSettings
+        public class SsoSettings : ISsoSettings
        {
            public int CacheLifetimeInSeconds { get; set; } = 60;
+            public double SsoTokenLifetimeInSeconds { get; set; } = 5;
        }

        public class CaptchaSettings
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
@ -14,5 +14,6 @@
        IConnectionStringSettings Storage { get; set; }
        IBaseServiceUriSettings BaseServiceUri { get; set; }
        ITwoFactorAuthSettings TwoFactorAuth { get; set; }
+        ISsoSettings Sso { get; set; }
    }
 }
--- a/src/Core/Settings/ISsoSettings.cs
+++ b/src/Core/Settings/ISsoSettings.cs
@ -0,0 +1,8 @@
+namespace Bit.Core.Settings
+{
+    public interface ISsoSettings
+    {
+        int CacheLifetimeInSeconds { get; set; }
+        double SsoTokenLifetimeInSeconds { get; set; }
+    }
+}