mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 16:52:18 +00:00
3c99cf82f8
# Which Problems Are Solved
Currently if a user signs in using an IdP, once they sign out of
Zitadel, the corresponding IdP session is not terminated. This can be
the desired behavior. In some cases, e.g. when using a shared computer
it results in a potential security risk, since a follower user might be
able to sign in as the previous using the still open IdP session.
# How the Problems Are Solved
- Admins can enabled a federated logout option on SAML IdPs through the
Admin and Management APIs.
- During the termination of a login V1 session using OIDC end_session
endpoint, Zitadel will check if an IdP was used to authenticate that
session.
- In case there was a SAML IdP used with Federated Logout enabled, it
will intercept the logout process, store the information into the shared
cache and redirect to the federated logout endpoint in the V1 login.
- The V1 login federated logout endpoint checks every request on an
existing cache entry. On success it will create a SAML logout request
for the used IdP and either redirect or POST to the configured SLO
endpoint. The cache entry is updated with a `redirected` state.
- A SLO endpoint is added to the `/idp` handlers, which will handle the
SAML logout responses. At the moment it will check again for an existing
federated logout entry (with state `redirected`) in the cache. On
success, the user is redirected to the initially provided
`post_logout_redirect_uri` from the end_session request.
# Additional Changes
None
# Additional Context
- This PR merges the https://github.com/zitadel/zitadel/pull/9841 and
https://github.com/zitadel/zitadel/pull/9854 to main, additionally
updating the docs on Entra ID SAML.
- closes #9228
- backport to 3.x
---------
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
(cherry picked from commit 2cf3ef4de4)
255 lines
8.7 KiB
Go
255 lines
8.7 KiB
Go
package login
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gorilla/csrf"
|
|
"github.com/gorilla/mux"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
http_utils "github.com/zitadel/zitadel/internal/api/http"
|
|
"github.com/zitadel/zitadel/internal/api/http/middleware"
|
|
_ "github.com/zitadel/zitadel/internal/api/ui/login/statik"
|
|
auth_repository "github.com/zitadel/zitadel/internal/auth/repository"
|
|
"github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
|
|
"github.com/zitadel/zitadel/internal/cache"
|
|
"github.com/zitadel/zitadel/internal/cache/connector"
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/domain/federatedlogout"
|
|
"github.com/zitadel/zitadel/internal/form"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
"github.com/zitadel/zitadel/internal/static"
|
|
)
|
|
|
|
type Login struct {
|
|
endpoint string
|
|
router http.Handler
|
|
renderer *Renderer
|
|
parser *form.Parser
|
|
command *command.Commands
|
|
query *query.Queries
|
|
staticStorage static.Storage
|
|
authRepo auth_repository.Repository
|
|
externalSecure bool
|
|
consolePath string
|
|
oidcAuthCallbackURL func(context.Context, string) string
|
|
samlAuthCallbackURL func(context.Context, string) string
|
|
idpConfigAlg crypto.EncryptionAlgorithm
|
|
userCodeAlg crypto.EncryptionAlgorithm
|
|
caches *Caches
|
|
}
|
|
|
|
type Config struct {
|
|
LanguageCookieName string
|
|
CSRFCookieName string
|
|
Cache middleware.CacheConfig
|
|
AssetCache middleware.CacheConfig
|
|
|
|
// LoginV2
|
|
DefaultOTPEmailURLV2 string
|
|
}
|
|
|
|
const (
|
|
login = "LOGIN"
|
|
HandlerPrefix = "/ui/login"
|
|
DefaultLoggedOutPath = HandlerPrefix + EndpointLogoutDone
|
|
)
|
|
|
|
func CreateLogin(
|
|
config Config,
|
|
command *command.Commands,
|
|
query *query.Queries,
|
|
authRepo *eventsourcing.EsRepository,
|
|
staticStorage static.Storage,
|
|
consolePath string,
|
|
oidcAuthCallbackURL, samlAuthCallbackURL func(context.Context, string) string,
|
|
externalSecure bool,
|
|
userAgentCookie, issuerInterceptor, oidcInstanceHandler, samlInstanceHandler, assetCache, accessHandler mux.MiddlewareFunc,
|
|
userCodeAlg, idpConfigAlg crypto.EncryptionAlgorithm,
|
|
csrfCookieKey []byte,
|
|
cacheConnectors connector.Connectors,
|
|
federateLogoutCache cache.Cache[federatedlogout.Index, string, *federatedlogout.FederatedLogout],
|
|
) (*Login, error) {
|
|
login := &Login{
|
|
oidcAuthCallbackURL: oidcAuthCallbackURL,
|
|
samlAuthCallbackURL: samlAuthCallbackURL,
|
|
externalSecure: externalSecure,
|
|
consolePath: consolePath,
|
|
command: command,
|
|
query: query,
|
|
staticStorage: staticStorage,
|
|
authRepo: authRepo,
|
|
idpConfigAlg: idpConfigAlg,
|
|
userCodeAlg: userCodeAlg,
|
|
}
|
|
csrfInterceptor := createCSRFInterceptor(config.CSRFCookieName, csrfCookieKey, externalSecure, login.csrfErrorHandler())
|
|
cacheInterceptor := createCacheInterceptor(config.Cache.MaxAge, config.Cache.SharedMaxAge, assetCache)
|
|
security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
|
|
|
|
login.router = CreateRouter(login, middleware.TelemetryHandler(IgnoreInstanceEndpoints...), oidcInstanceHandler, samlInstanceHandler, csrfInterceptor, cacheInterceptor, security, userAgentCookie, issuerInterceptor, accessHandler)
|
|
login.renderer = CreateRenderer(HandlerPrefix, staticStorage, config.LanguageCookieName)
|
|
login.parser = form.NewParser()
|
|
|
|
var err error
|
|
login.caches, err = startCaches(context.Background(), cacheConnectors, federateLogoutCache)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return login, nil
|
|
}
|
|
|
|
func csp() *middleware.CSP {
|
|
csp := middleware.DefaultSCP
|
|
csp.ObjectSrc = middleware.CSPSourceOptsSelf()
|
|
csp.StyleSrc = csp.StyleSrc.AddNonce()
|
|
csp.ScriptSrc = csp.ScriptSrc.AddNonce().
|
|
// SAML POST ACS
|
|
AddHash("sha256", "AjPdJSbZmeWHnEc5ykvJFay8FTWeTeRbs9dutfZ0HqE=").
|
|
// SAML POST SLO
|
|
AddHash("sha256", "4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ=")
|
|
return &csp
|
|
}
|
|
|
|
func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecure bool, errorHandler http.Handler) func(http.Handler) http.Handler {
|
|
path := "/"
|
|
return func(handler http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if strings.HasPrefix(r.URL.Path, EndpointResources) {
|
|
handler.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
// ignore form post callback
|
|
// it will redirect to the "normal" callback, where the cookie is set again
|
|
if (r.URL.Path == EndpointExternalLoginCallbackFormPost || r.URL.Path == EndpointSAMLACS) && r.Method == http.MethodPost {
|
|
handler.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
// by default we use SameSite Lax and the externalSecure (TLS) for the secure flag
|
|
sameSiteMode := csrf.SameSiteLaxMode
|
|
secureOnly := externalSecure
|
|
instance := authz.GetInstance(r.Context())
|
|
// in case of `allow iframe`...
|
|
if len(instance.SecurityPolicyAllowedOrigins()) > 0 {
|
|
// ... we need to change to SameSite none ...
|
|
sameSiteMode = csrf.SameSiteNoneMode
|
|
// ... and since SameSite none requires the secure flag, we'll set it for TLS and for localhost
|
|
// (regardless of the TLS / externalSecure settings)
|
|
secureOnly = externalSecure || http_utils.DomainContext(r.Context()).RequestedDomain() == "localhost"
|
|
}
|
|
csrf.Protect(csrfCookieKey,
|
|
csrf.Secure(secureOnly),
|
|
csrf.CookieName(http_utils.SetCookiePrefix(cookieName, externalSecure, http_utils.PrefixHost)),
|
|
csrf.Path(path),
|
|
csrf.ErrorHandler(errorHandler),
|
|
csrf.SameSite(sameSiteMode),
|
|
)(handler).ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
func createCacheInterceptor(maxAge, sharedMaxAge time.Duration, assetCache mux.MiddlewareFunc) func(http.Handler) http.Handler {
|
|
return func(handler http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if strings.HasPrefix(r.URL.Path, EndpointDynamicResources) {
|
|
assetCache.Middleware(handler).ServeHTTP(w, r)
|
|
return
|
|
}
|
|
if strings.HasPrefix(r.URL.Path, EndpointResources) {
|
|
middleware.AssetsCacheInterceptor(maxAge, sharedMaxAge).Handler(handler).ServeHTTP(w, r)
|
|
return
|
|
}
|
|
middleware.NoCacheInterceptor().Handler(handler).ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
func (l *Login) Handler() http.Handler {
|
|
return l.router
|
|
}
|
|
|
|
func (l *Login) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgName string) ([]string, error) {
|
|
orgDomain, err := domain.NewIAMDomainName(orgName, http_utils.DomainContext(ctx).RequestedDomain())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
loginName, err := query.NewUserPreferredLoginNameSearchQuery("@"+orgDomain, query.TextEndsWithIgnoreCase)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
users, err := l.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}}, "", nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userIDs := make([]string, len(users.Users))
|
|
for i, user := range users.Users {
|
|
userIDs[i] = user.ID
|
|
}
|
|
return userIDs, nil
|
|
}
|
|
|
|
func setContext(ctx context.Context, resourceOwner string) context.Context {
|
|
data := authz.CtxData{
|
|
UserID: login,
|
|
OrgID: resourceOwner,
|
|
}
|
|
return authz.SetCtxData(ctx, data)
|
|
}
|
|
|
|
func setUserContext(ctx context.Context, userID, resourceOwner string) context.Context {
|
|
data := authz.CtxData{
|
|
UserID: userID,
|
|
OrgID: resourceOwner,
|
|
}
|
|
return authz.SetCtxData(ctx, data)
|
|
}
|
|
|
|
func (l *Login) baseURL(ctx context.Context) string {
|
|
return http_utils.DomainContext(ctx).Origin() + HandlerPrefix
|
|
}
|
|
|
|
type Caches struct {
|
|
idpFormCallbacks cache.Cache[idpFormCallbackIndex, string, *idpFormCallback]
|
|
federatedLogouts cache.Cache[federatedlogout.Index, string, *federatedlogout.FederatedLogout]
|
|
}
|
|
|
|
func startCaches(background context.Context, connectors connector.Connectors, federateLogoutCache cache.Cache[federatedlogout.Index, string, *federatedlogout.FederatedLogout]) (_ *Caches, err error) {
|
|
caches := new(Caches)
|
|
caches.idpFormCallbacks, err = connector.StartCache[idpFormCallbackIndex, string, *idpFormCallback](background, []idpFormCallbackIndex{idpFormCallbackIndexRequestID}, cache.PurposeIdPFormCallback, connectors.Config.IdPFormCallbacks, connectors)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
caches.federatedLogouts = federateLogoutCache
|
|
return caches, nil
|
|
}
|
|
|
|
type idpFormCallbackIndex int
|
|
|
|
const (
|
|
idpFormCallbackIndexUnspecified idpFormCallbackIndex = iota
|
|
idpFormCallbackIndexRequestID
|
|
)
|
|
|
|
type idpFormCallback struct {
|
|
InstanceID string
|
|
State string
|
|
Form url.Values
|
|
}
|
|
|
|
// Keys implements cache.Entry
|
|
func (c *idpFormCallback) Keys(i idpFormCallbackIndex) []string {
|
|
if i == idpFormCallbackIndexRequestID {
|
|
return []string{idpFormCallbackKey(c.InstanceID, c.State)}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func idpFormCallbackKey(instanceID, state string) string {
|
|
return instanceID + "-" + state
|
|
}
|