Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[stable26] fix(Session): avoid password confirmation on SSO #45812

Merged
merged 4 commits into from
Jun 18, 2024
Merged

[stable26] fix(Session): avoid password confirmation on SSO #45812

merged 4 commits into from
Jun 18, 2024

Conversation

blizzz
Copy link
Member

@blizzz blizzz commented Jun 12, 2024
edited
Loading

Backport of #43942 and #45809

With same adjustments as in #45703 (comment)

@blizzz blizzz added bug 3. to review Waiting for reviews labels Jun 12, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 12, 2024
View reviewed changes
core/Controller/OCJSController.php Fixed Show fixed Hide fixed
core/Controller/OCJSController.php Fixed Show fixed Hide fixed
core/Controller/OCJSController.php Fixed Show fixed Hide fixed
core/Controller/OCJSController.php Fixed Show fixed Hide fixed
lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php Fixed Show fixed Hide fixed
lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php Fixed Show fixed Hide fixed
lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php Fixed Show fixed Hide fixed
lib/private/Template/JSConfigHelper.php Fixed Show fixed Hide fixed
lib/private/Template/JSConfigHelper.php Fixed Show fixed Hide fixed
lib/private/Template/JSConfigHelper.php Fixed Show fixed Hide fixed
@blizzz
fix(Session): avoid password confirmation on SSO
eea5e1c 
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.

Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz
fix(Token): make new scope future compatible
0f5c8f9 
- "password-unconfirmable" is the effective name for 30, but a draft
  name was backported.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz
style(PHP): remove unacceptable empty lines
06c64fd 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz blizzz added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Jun 12, 2024
@blizzz

This comment was marked as resolved.

Sign in to view
@blizzz
test(unit): adjust testSSO scenario and test class
527bc5d 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz blizzz merged commit 72feb5a into stable26 Jun 18, 2024
36 of 38 checks passed
@blizzz blizzz deleted the backport/43942/stable26 branch June 18, 2024 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@artonge artonge artonge approved these changes

@juliushaertl juliushaertl Awaiting requested review from juliushaertl

Assignees
No one assigned
Labels
4. to release Ready to be released and/or waiting for tests to finish bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@blizzz @ChristophWurst @artonge