Skip to content

[stable29] fix(Session): avoid password confirmation on SSO #45705

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AndyScherzinger merged 1 commit into from
Jun 12, 2024
Merged

[stable29] fix(Session): avoid password confirmation on SSO #45705

AndyScherzinger merged 1 commit into from
Jun 12, 2024

Conversation

@backportbot
Copy link

@backportbot backportbot bot commented Jun 7, 2024
edited by blizzz
Loading

Backport of #43942

Warning, This backport's changes differ from the original and might be incomplete ⚠️

Todo

  • Review and resolve any conflicts
  • Amend HEAD commit to remove the line stating to skip CI

Learn more about backports at https://docs.nextcloud.com/server/stable/go.php?to=developer-backports.

@backportbot backportbot bot added this to the Nextcloud 29.0.3 milestone Jun 7, 2024
@blizzz blizzz closed this Jun 7, 2024
@blizzz blizzz force-pushed the backport/43942/stable29 branch from 760bbd1 to 4d123fd Compare June 7, 2024 09:49
@blizzz blizzz reopened this Jun 7, 2024
@blizzz blizzz marked this pull request as ready for review June 7, 2024 09:53
@blizzz blizzz mentioned this pull request Jun 11, 2024
Merged
3 tasks
@blizzz @AndyScherzinger
fix(Session): avoid password confirmation on SSO
f0494ec 
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.

Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.

Signed-off-by: Arthur Schiwon <[email protected]>
@AndyScherzinger AndyScherzinger force-pushed the backport/43942/stable29 branch from 4b25121 to f0494ec Compare June 11, 2024 18:19
@AndyScherzinger AndyScherzinger merged commit a51237a into stable29 Jun 12, 2024
@AndyScherzinger AndyScherzinger deleted the backport/43942/stable29 branch June 12, 2024 07:47
blizzz
blizzz reviewed Jun 12, 2024
View reviewed changes
lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
return;
}
$scope = $token->getScopeAsArray();
if (isset($scope['sso-based-login']) && $scope['sso-based-login'] === true) {
Copy link
Member

@blizzz blizzz Jun 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just realized, the scope string is different in 30/master, password-unconfirmable, for the constants where introduced officially for 30 only, and there we had the changed name. I'll follow up with another PR to not introduce incompatibilities between 29 (and before) and 30.

@blizzz blizzz mentioned this pull request Jun 12, 2024
Merged
4 tasks
@adsche adsche mentioned this pull request Jun 28, 2024
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@blizzz blizzz blizzz left review comments

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@artonge artonge artonge approved these changes

Assignees

@blizzz blizzz

Labels

3. to review Waiting for reviews bug feature: authentication

Projects

None yet

Milestone

Nextcloud 29.0.3

Development

Successfully merging this pull request may close these issues.

5 participants

@ChristophWurst @blizzz @artonge @AndyScherzinger