OIDC login at non-default location
johntyner opened this issue · 2 comments
The problem
When logging in via OIDC, Cryptr hard-codes the Vault auth mount path (`oidc`), so an OIDC auth method enabled at any other mount path cannot be used.
Environment
- Cryptr version (or git revision) that exhibits the issue: 0.5.0
- Desktop OS/version used to run Cryptr: Linux
- Vault version: 1.8.2
Details
The path used by the application is hard-coded as `v1/auth/oidc/oidc/auth_url`. The login screen should accept the mount path of the OIDC auth backend and build the URL as something like `'v1/auth/' + path + '/oidc/auth_url'` (and the matching `/oidc/callback` URL the same way).
Other information
I have very little experience with Node programming. I tried (unsuccessfully) to build and run the package locally to make the necessary changes and test them out; the developer console reports `Failed to load resource: net::ERR_FILE_NOT_FOUND webcomponents-lite.js:1` and `Failed to load resource: net::ERR_FILE_NOT_FOUND fuse.min.js:1`. I'm attaching a diff of the code changes I made in the hope that you can correct any mistakes I made and complete the changes.
diff --git a/app/elements/login-form.html b/app/elements/login-form.html
index 9a43621..3969f33 100644
--- a/app/elements/login-form.html
+++ b/app/elements/login-form.html
@@ -169,6 +169,8 @@ limitations under the License.
</div>
<div>
<iron-a11y-keys target="[[targetrole]]" keys="enter" on-keys-pressed="_login"></iron-a11y-keys>
+ <iron-a11y-keys target="[[targetpath]]" keys="enter" on-keys-pressed="_login"></iron-a11y-keys>
+ <paper-input id="pathfield" value="{{path}}" label="Path (optional)" disabled="{{loading}}"></paper-input>
<paper-input id="rolefield" value="{{role}}" label="Role (optional)" disabled="{{loading}}"></paper-input>
</div>
</iron-pages>
@@ -214,6 +216,9 @@ limitations under the License.
targetpass: {
value: function() { return this.$.passfield; }
},
+ targetpath: {
+ value: function() { return this.$.pathfield; }
+ },
targetrole: {
value: function() { return this.$.rolefield; }
},
@@ -238,6 +243,10 @@ limitations under the License.
password: String,
authURL: String,
listMountsURL: String,
+ path: {
+ type: String,
+ value: ''
+ },
role: {
type: String,
value: ''
@@ -334,7 +343,7 @@ limitations under the License.
else if (this.page === 0) this.$.passfieldldap.autofocus = true;
else if (this.page === 2) this.$.passfield.autofocus = true;
else if (this.page === 3) {
- this.$.rolefield.autofocus = true;
+ this.$.pathfield.autofocus = true;
if (!(this.oidcStarted)) this.$.oidctoast.open();
}
},
@@ -379,7 +388,7 @@ limitations under the License.
this.body = {"password": this.password };
} else if (this.page == 3) {
if (this.oidcStarted) {
- this.oidcURL = this.url + 'v1/auth/oidc/oidc/auth_url'
+ this.oidcURL = this.url + 'v1/auth/' + this.path + '/oidc/auth_url'
this.oidcBody = {"redirect_uri": "http://localhost:8250/oidc/callback", "role": this.role}
this.loading = true;
this.$.oidcReq.generateRequest();
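Review bot: With `path` declared to default to `''`, the new `oidcURL` assignment produces `v1/auth//oidc/auth_url` for anyone who leaves the optional field blank, so the previous default stops working instead of being preserved; build the segment as `var path = this.path !== '' ? this.path : 'oidc';` before concatenating. This patch also leaves the callback URL in `_oidcAuth` untouched (the original `v1/auth/oidc/oidc/callback` line is visible in the later patch on this page), so the `auth_url` request would go to the custom mount while the code exchange still goes to `oidc`, and the login would not complete. The enclosing function starts and ends outside the hunk.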
I managed to get things working, here is the updated patch:
diff --git a/app/elements/login-form.html b/app/elements/login-form.html
index 9a43621..eb50495 100644
--- a/app/elements/login-form.html
+++ b/app/elements/login-form.html
@@ -169,6 +169,8 @@ limitations under the License.
</div>
<div>
<iron-a11y-keys target="[[targetrole]]" keys="enter" on-keys-pressed="_login"></iron-a11y-keys>
+ <iron-a11y-keys target="[[targetpath]]" keys="enter" on-keys-pressed="_login"></iron-a11y-keys>
+ <paper-input id="pathfield" value="{{path}}" label="Path (optional)" disabled="{{loading}}"></paper-input>
<paper-input id="rolefield" value="{{role}}" label="Role (optional)" disabled="{{loading}}"></paper-input>
</div>
</iron-pages>
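Review bot: The label `Path (optional)` does not say what kind of path is expected or what is used when the field is left blank, and the value is later concatenated straight into the request URL, so a user who types a URL or a `v1/auth/...` prefix gets a silently wrong request. Something like `label="OIDC auth mount path (default: oidc)"` together with `placeholder="oidc"` makes the contract visible at the point of entry. Wiring Enter-to-submit for the new field via `iron-a11y-keys` matches how `rolefield` is handled, which is good.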
@@ -214,6 +216,9 @@ limitations under the License.
targetpass: {
value: function() { return this.$.passfield; }
},
+ targetpath: {
+ value: function() { return this.$.pathfield; }
+ },
targetrole: {
value: function() { return this.$.rolefield; }
},
@@ -238,6 +243,10 @@ limitations under the License.
password: String,
authURL: String,
listMountsURL: String,
+ path: {
+ type: String,
+ value: ''
+ },
role: {
type: String,
value: ''
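Review bot: The new `path` property has no comment, and unlike `role` its meaning is not obvious from the name: it is the Vault auth mount the OIDC method is enabled at, not a URL path, and `''` is a sentinel for the default. A one-line comment above it such as `// Vault auth mount the OIDC method is enabled at (e.g. "oidc"); '' selects the default "oidc".` would stop the next reader from passing `auth/oidc` or a full path. The property list continues outside the hunk.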
@@ -334,7 +343,7 @@ limitations under the License.
else if (this.page === 0) this.$.passfieldldap.autofocus = true;
else if (this.page === 2) this.$.passfield.autofocus = true;
else if (this.page === 3) {
- this.$.rolefield.autofocus = true;
+ this.$.pathfield.autofocus = true;
if (!(this.oidcStarted)) this.$.oidctoast.open();
}
},
@@ -379,7 +388,10 @@ limitations under the License.
this.body = {"password": this.password };
} else if (this.page == 3) {
if (this.oidcStarted) {
- this.oidcURL = this.url + 'v1/auth/oidc/oidc/auth_url'
+ var path = 'oidc'
+ if (this.path != '')
+ path = this.path
+ this.oidcURL = this.url + 'v1/auth/' + path + '/oidc/auth_url'
this.oidcBody = {"redirect_uri": "http://localhost:8250/oidc/callback", "role": this.role}
this.loading = true;
this.$.oidcReq.generateRequest();
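Review bot: `this.path` is user input but is inserted verbatim into `oidcURL`, so a value such as `oidc/`, `/oidc`, or one containing `?`, `#` or whitespace yields a malformed or different request target instead of an error; the same default-then-concatenate logic is duplicated in `_oidcAuth` below, and if the two copies ever diverge the `auth_url` and `callback` requests would go to different mounts. Normalising once in a small helper used by both call sites keeps them in lockstep: trim, strip leading/trailing slashes, and refuse characters that would change the URL structure (`encodeURIComponent` is not a drop-in here because a mount path may legitimately contain `/`). Prefer `!==` over `!=` to match the strict comparisons used elsewhere in the file. The enclosing function starts and ends outside the hunk.
```javascript
// Vault auth mount the OIDC method is enabled at; '' selects the default "oidc".
// Returns null when the value would alter the URL structure so the caller can refuse it.
_oidcMountPath: function() {
  var mount = (this.path || '').trim().replace(/^\/+|\/+$/g, '');
  if (mount === '') return 'oidc';
  if (/[?#\s]/.test(mount) || mount.split('/').indexOf('..') !== -1) return null;
  return mount;
},
// … unchanged: login handler up to the OIDC branch …
var mount = this._oidcMountPath();
if (mount === null) return; // TODO: surface the rejected value to the user (the existing toast may fit)
this.oidcURL = this.url + 'v1/auth/' + mount + '/oidc/auth_url';
```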
@@ -533,8 +545,11 @@ limitations under the License.
}
},
_oidcAuth: function(data) {
+ var path = 'oidc'
+ if (this.path != '')
+ path = this.path
this.authMethod = 'GET';
- this.authURL = this.url + 'v1/auth/oidc/oidc/callback?code=' + data.code + '&state=' + data.state;
+ this.authURL = this.url + 'v1/auth/' + path + '/oidc/callback?code=' + data.code + '&state=' + data.state;
this.body = '';
this.header = '';
this.push('authRequests', this.$.testReq.generateRequest());
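Review bot: `data.code` and `data.state` are concatenated into the callback query string without encoding, and given the `redirect_uri` of `http://localhost:8250/oidc/callback` they presumably arrive via the browser redirect, i.e. from outside the application, so a value containing `&`, `#` or `%` would change the query Vault receives. That predates this patch, but since the line is being rewritten anyway this is the moment to write `'/oidc/callback?code=' + encodeURIComponent(data.code) + '&state=' + encodeURIComponent(data.state)`. The mount-path defaulting copied from the `auth_url` branch should come from one shared helper so both requests necessarily target the same mount. `_oidcAuth` continues past the end of the hunk.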