git.koha-community.org Git - koha.git/commit

Bug 33675: Add CSRF protection to OAuth/OIDC authentication

This patch makes the OAuth/OIDC client pass a `state` parameter with a
CSRF protection token, to be validated back when the flow returns to
Koha.

Ideally, the Mojolicious::Plugin::OAuth2 library should deal with this
implicitly, probably making use of JWT. But as of now, this is the best
way to implement it.

To test:
1. Have a working SSO solution (ktd --sso)
2. Click to login using SSO
=> SUCCESS: Notice a 'state' parameter on the URL, looks like a random
thing
3. When you login, no error is reported

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5d191f21e5760994575c6954dba88544f06afe4e)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

author	Tomas Cohen Arazi <tomascohen@theke.io>
	Wed, 10 May 2023 13:45:23 +0000 (10:45 -0300)
committer	Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
	Thu, 8 Jun 2023 16:58:14 +0000 (16:58 +0000)
commit	45f21c492e8e16fad9c42ded9fda27871ac8ce3b
tree	225f57fcff53313c880ad27a3379187c3a12d620	tree \| snapshot
parent	9bd219768e042c4b735acf0bde1a8b4eb7d707dd	commit \| diff