Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

stable

Clone or download

Read-only

request #9717: OpenID Connect plugin can not create 2 authentication links for the same provider in the same request

Download Browse

The issue can be seen when one provider is set as unique authentication source, on the homepage the event LOGIN_ADDITIONAL_CONNECTOR and GET_LOGIN_URL are going to be called. Since these two events do not share state, the URL generated for the provider is going to be different: state signed with a different key and different nonce. We only store in the session one key to verify the state's signature and one expected nonce. During the same request, the generated states should all have the same signature key and nonce. Change-Id: I46e355a50614000302c3179718b6ae0509ef5518

+36 −16
Thomas Gerbet (tgerbet) 2016-12-09 11:26
Thomas Gerbet (tgerbet) 2016-12-09 11:26
73a0568806327d6d93caccb9c79256073a3f7065
ab832d28e832358b2ae42c7aba88ee0f4e0cd5e9
git #tuleap/stable/73a0568806327d6d93caccb9c79256073a3f7065

Modified Files

Side by side diff
Inline diff
Name
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/StateFactory.php +9 −5 Go to diff View file
M plugins/openidconnectclient/tests/Authentication/StateFactoryTest.php +27 −11 Go to diff View file