]> git.koha-community.org Git - koha.git/commit
Bug 33675: Add CSRF protection to OAuth/OIDC authentication
authorTomas Cohen Arazi <tomascohen@theke.io>
Wed, 10 May 2023 13:45:23 +0000 (10:45 -0300)
committerTomas Cohen Arazi <tomascohen@theke.io>
Fri, 19 May 2023 12:20:54 +0000 (09:20 -0300)
commit5d191f21e5760994575c6954dba88544f06afe4e
tree6687a07c512c73fa24651741325e4003fcb920aa
parentf436bc639c9a1eeb1e14eeb38f3ffabc7bdd32f9
Bug 33675: Add CSRF protection to OAuth/OIDC authentication

This patch makes the OAuth/OIDC client pass a `state` parameter with a
CSRF protection token, to be validated back when the flow returns to
Koha.

Ideally, the Mojolicious::Plugin::OAuth2 library should deal with this
implicitly, probably making use of JWT. But as of now, this is the best
way to implement it.

To test:
1. Have a working SSO solution (ktd --sso)
2. Click to login using SSO
=> SUCCESS: Notice a 'state' parameter on the URL, looks like a random
thing
3. When you login, no error is reported

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Koha/REST/V1/OAuth/Client.pm