fix: enable passport-azure-ad workaround for SameSite cookies (#2567)
This adds cookieEncryptionKeyString configuration in the Azure AD authentication module. It represents an array of cookie encryption strings and enables workaround for SameSite cookies.
This commit is contained in:
parent
a6bf2412d7
commit
a3513b1bdf
@ -10,6 +10,19 @@ const OIDCStrategy = require('passport-azure-ad').OIDCStrategy
|
|||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
init (passport, conf) {
|
init (passport, conf) {
|
||||||
|
// Workaround for Chrome's SameSite cookies
|
||||||
|
// cookieSameSite needs useCookieInsteadOfSession to work correctly.
|
||||||
|
// cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.
|
||||||
|
// It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.
|
||||||
|
// Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.
|
||||||
|
const keyArray = [];
|
||||||
|
if (conf.cookieEncryptionKeyString) {
|
||||||
|
let keyString = conf.cookieEncryptionKeyString;
|
||||||
|
while (keyString.length >= 44) {
|
||||||
|
keyArray.push({ key: keyString.substring(0, 32), iv: keyString.substring(32, 44) });
|
||||||
|
keyString = keyString.substring(44);
|
||||||
|
}
|
||||||
|
}
|
||||||
passport.use('azure',
|
passport.use('azure',
|
||||||
new OIDCStrategy({
|
new OIDCStrategy({
|
||||||
identityMetadata: conf.entryPoint,
|
identityMetadata: conf.entryPoint,
|
||||||
@ -19,7 +32,10 @@ module.exports = {
|
|||||||
responseMode: 'form_post',
|
responseMode: 'form_post',
|
||||||
scope: ['profile', 'email', 'openid'],
|
scope: ['profile', 'email', 'openid'],
|
||||||
allowHttpForRedirectUrl: WIKI.IS_DEBUG,
|
allowHttpForRedirectUrl: WIKI.IS_DEBUG,
|
||||||
passReqToCallback: true
|
passReqToCallback: true,
|
||||||
|
cookieSameSite: keyArray.length > 0,
|
||||||
|
useCookieInsteadOfSession: keyArray.length > 0,
|
||||||
|
cookieEncryptionKeys: keyArray
|
||||||
}, async (req, iss, sub, profile, cb) => {
|
}, async (req, iss, sub, profile, cb) => {
|
||||||
const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
|
const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
|
||||||
try {
|
try {
|
||||||
|
@ -22,4 +22,8 @@ props:
|
|||||||
title: Client ID
|
title: Client ID
|
||||||
hint: The client ID of your application in AAD (Azure Active Directory)
|
hint: The client ID of your application in AAD (Azure Active Directory)
|
||||||
order: 2
|
order: 2
|
||||||
|
cookieEncryptionKeyString:
|
||||||
|
type: String
|
||||||
|
title: Cookie Encryption Key String
|
||||||
|
hint: Random string with 44-character length. Setting this enables workaround for Chrome's SameSite cookies.
|
||||||
|
order: 3
|
||||||
|
Loading…
Reference in New Issue
Block a user