
PM-3981 - SSO/2FA Comp bugfix for user unable to be JIT created in a TDE org with a require 2FA policy. We were trying to save the Org SSO Id in all post login scenarios instead of all post login success scenarios. 2FA required is a scenario in which the login would not be successful and no account will exist in state for data to be set on. (#6439)

This commit is contained in:
Jared Snider 2023-10-03 20:22:14 -04:00 committed by GitHub
parent 0a953b444a
commit 462daab322
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 10 deletions


@ -76,12 +76,8 @@ export class SsoComponent {
state != null &&
this.checkState(state, qParams.state)
) {
// We are not using a query param to pass org identifier around specifically
// for the browser SSO case when it needs it on extension open after SSO success
// on the TDE login decryption options component
const ssoOrganizationIdentifier = this.getOrgIdentifierFromState(qParams.state);
await this.logIn(qParams.code, codeVerifier, ssoOrganizationIdentifier);
await this.stateService.setUserSsoOrganizationIdentifier(ssoOrganizationIdentifier);
}
} else if (
qParams.clientId != null &&
@ -183,14 +179,14 @@ export class SsoComponent {
return authorizeUrl;
}
private async logIn(code: string, codeVerifier: string, orgIdentifier: string) {
private async logIn(code: string, codeVerifier: string, orgSsoIdentifier: string): Promise<void> {
this.loggingIn = true;
try {
const credentials = new SsoLogInCredentials(
code,
codeVerifier,
this.redirectUri,
orgIdentifier
orgSsoIdentifier
);
this.formPromise = this.authService.logIn(credentials);
const authResult = await this.formPromise;
@ -199,9 +195,18 @@ export class SsoComponent {
await this.stateService.getAccountDecryptionOptions();
if (authResult.requiresTwoFactor) {
return await this.handleTwoFactorRequired(orgIdentifier);
return await this.handleTwoFactorRequired(orgSsoIdentifier);
}
// Everything after the 2FA check is considered a successful login
// Just have to figure out where to send the user
// Save off the OrgSsoIdentifier for use in the TDE flows
// - TDE login decryption options component
// - Browser SSO on extension open
// Note: you cannot set this in state before 2FA b/c there won't be an account in state.
await this.stateService.setUserSsoOrganizationIdentifier(orgSsoIdentifier);
const tdeEnabled = await this.isTrustedDeviceEncEnabled(
acctDecryptionOpts.trustedDeviceOption
);
@ -209,7 +214,7 @@ export class SsoComponent {
if (tdeEnabled) {
return await this.handleTrustedDeviceEncryptionEnabled(
authResult,
orgIdentifier,
orgSsoIdentifier,
acctDecryptionOpts
);
}
@ -223,13 +228,13 @@ export class SsoComponent {
if (requireSetPassword || authResult.resetMasterPassword) {
// Change implies going no password -> password in this case
return await this.handleChangePasswordRequired(orgIdentifier);
return await this.handleChangePasswordRequired(orgSsoIdentifier);
}
// Users enrolled in admin acct recovery can be forced to set a new password after
// having the admin set a temp password for them
if (authResult.forcePasswordReset == ForceResetPasswordReason.AdminForcePasswordReset) {
return await this.handleForcePasswordReset(orgIdentifier);
return await this.handleForcePasswordReset(orgSsoIdentifier);
}
// Standard SSO login success case
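Review bot: The new state write `await this.stateService.setUserSsoOrganizationIdentifier(orgSsoIdentifier);` in the `@ -199` hunk now lives in two places with nothing tying them together — here for the no-2FA path and in TwoFactorComponent for the 2FA path — so the ordering constraint the comment documents (an account must exist in state before the write) can silently diverge the next time either flow is touched. Consider hoisting the write into one helper on the auth service that both components call once `authResult` is known to be a success, or at minimum extend the note with `// TwoFactorComponent performs this same write for the 2FA path; keep both in sync.` so a reader of either file knows the other exists. It is also worth confirming that `orgSsoIdentifier` cannot be null/undefined at this point (it comes from `getOrgIdentifierFromState` in the `@ -76` hunk), since the write would otherwise persist an empty value for the account. The `logIn` method continues past the end of the `@ -223` hunk, and the removed versus kept lines of the `@ -76` hunk cannot be fully distinguished on this rendered page.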


@ -235,6 +235,11 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
return;
}
// Save off the OrgSsoIdentifier for use in the TDE flows
// - TDE login decryption options component
// - Browser SSO on extension open
await this.stateService.setUserSsoOrganizationIdentifier(this.orgIdentifier);
this.loginService.clearValues();
const acctDecryptionOpts: AccountDecryptionOptions =