CSA-2 - Require user interaction for SSO redirect (#1948)

* CSA-2 - adding validation before redirecting for SSO login * Updating server to use generated and signed JWT for SSO redirect * Removing erroneous file * Removing erroneous file * Updating for PR feedback, adding domain_hint to Login and fixing invalid domain_hint name reference * Some code styling changes from PR feedback * Removing unnecessary JSON serialization * Couple small changes from PR feedback * Fixing linting errors * Update formatting in AccountController.cs * Remove unused dependency * Add token lifetime to settings * Use tokenable directly * Return defined models * Revert sso proj file changes * Check expiration validity when validating org * Show error message with expired token * Formatting fixes * Add SsoTokenLifetime to Sso settings * Fix build errors * Fix sql warnings Co-authored-by: Carlos J. Muentes <cmuentes@bitwarden.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: Matt Gibson <mgibson@bitwarden.com>
2025-07-01 08:02:49 -05:00 · 2022-06-01 13:23:52 -04:00
parent c27645265c
commit 14302efa2c
16 changed files with 267 additions and 56 deletions
--- a/src/Core/Models/Business/Tokenables/SsoTokenable.cs
+++ b/src/Core/Models/Business/Tokenables/SsoTokenable.cs
@ -0,0 +1,46 @@
+
+using System;
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.Models.Business.Tokenables
+{
+    public class SsoTokenable : ExpiringTokenable
+    {
+        public const string ClearTextPrefix = "BWUserPrefix_";
+        public const string DataProtectorPurpose = "SsoTokenDataProtector";
+        public const string TokenIdentifier = "ssoToken";
+
+        public Guid OrganizationId { get; set; }
+        public string DomainHint { get; set; }
+        public string Identifier { get; set; } = TokenIdentifier;
+
+        [JsonConstructor]
+        public SsoTokenable() { }
+
+        public SsoTokenable(Organization organization, double tokenLifetimeInSeconds) : this()
+        {
+            OrganizationId = organization?.Id ?? default;
+            DomainHint = organization?.Identifier;
+            ExpirationDate = DateTime.UtcNow.AddSeconds(tokenLifetimeInSeconds);
+        }
+
+        public bool TokenIsValid(Organization organization)
+        {
+            if (OrganizationId == default || DomainHint == default || organization == null || !Valid)
+            {
+                return false;
+            }
+
+            return organization.Identifier.Equals(DomainHint, StringComparison.InvariantCultureIgnoreCase)
+                && organization.Id.Equals(OrganizationId);
+        }
+
+        // Validates deserialized 
+        protected override bool TokenIsValid() =>
+            Identifier == TokenIdentifier
+            && OrganizationId != default
+            && !string.IsNullOrWhiteSpace(DomainHint);
+    }
+}