nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 13:08:17 -05:00
Code

Fix skip sso for apikey login (#1308)

Browse Source 
* Improve mixing SSO login error

* Skip SSO requirement for API key logins

* Bypass MFA for apikey logins
This commit is contained in:
Matt Gibson 2021-05-10 11:13:37 -05:00 committed by GitHub
parent 70ab5b25a1
commit 354ff6e2cb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/Core/IdentityServer/BaseRequestValidator.cs
View File

@ -87,7 +87,7 @@ namespace Bit.Core.IdentityServer
return; return;
} }
var twoFactorRequirement = await RequiresTwoFactorAsync(user); var twoFactorRequirement = await RequiresTwoFactorAsync(user, request.GrantType);
if (twoFactorRequirement.Item1) if (twoFactorRequirement.Item1)
{ {
// Just defaulting it // Just defaulting it
@ -260,8 +260,14 @@ namespace Bit.Core.IdentityServer
protected abstract void SetErrorResult(T context, Dictionary<string, object> customResponse); protected abstract void SetErrorResult(T context, Dictionary<string, object> customResponse);
private async Task<Tuple<bool, Organization>> RequiresTwoFactorAsync(User user) private async Task<Tuple<bool, Organization>> RequiresTwoFactorAsync(User user, string grantType)
{ {
if (grantType == "client_credentials")
{
// Do not require MFA for api key logins
return new Tuple<bool, Organization>(false, null);
}
var individualRequired = _userManager.SupportsUserTwoFactor && var individualRequired = _userManager.SupportsUserTwoFactor &&
await _userManager.GetTwoFactorEnabledAsync(user) && await _userManager.GetTwoFactorEnabledAsync(user) &&
(await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0; (await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0;
@ -286,9 +292,10 @@ namespace Bit.Core.IdentityServer
private async Task<bool> IsValidAuthTypeAsync(User user, string grantType) private async Task<bool> IsValidAuthTypeAsync(User user, string grantType)
{ {
if (grantType == "authorization_code") if (grantType == "authorization_code" || grantType == "client_credentials")
{ {
// Already using SSO to authorize, finish successfully // Already using SSO to authorize, finish successfully
// Or login via api key, skip SSO requirement
return true; return true;
} }

8
src/Core/IdentityServer/CustomTokenRequestValidator.cs
View File

@ -87,7 +87,13 @@ namespace Bit.Core.IdentityServer
} }
protected override void SetSsoResult(CustomTokenRequestValidationContext context, protected override void SetSsoResult(CustomTokenRequestValidationContext context,
Dictionary<string, object> customResponse) => throw new System.NotImplementedException(); Dictionary<string, object> customResponse)
{
context.Result.Error = "invalid_grant";
context.Result.ErrorDescription = "Single Sign on required.";
context.Result.IsError = true;
context.Result.CustomResponse = customResponse;
}
protected override void SetErrorResult(CustomTokenRequestValidationContext context, protected override void SetErrorResult(CustomTokenRequestValidationContext context,
Dictionary<string, object> customResponse) Dictionary<string, object> customResponse)