
PM-3981 - SSO/2FA Comp bugfix for user unable to be JIT created in a TDE org with a require 2FA policy. We were trying to save the Org SSO Id in all post-login scenarios instead of only post-login success scenarios. 2FA required is a scenario in which the login is not yet successful, so no account exists in state on which the data could be set. (#6439)

This commit is contained in:
Jared Snider 2023-10-03 20:22:14 -04:00 committed by GitHub
parent 0a953b444a
commit 462daab322
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 10 deletions


@ -76,12 +76,8 @@ export class SsoComponent {
state != null && state != null &&
this.checkState(state, qParams.state) this.checkState(state, qParams.state)
) { ) {
// We are not using a query param to pass org identifier around specifically
// for the browser SSO case when it needs it on extension open after SSO success
// on the TDE login decryption options component
const ssoOrganizationIdentifier = this.getOrgIdentifierFromState(qParams.state); const ssoOrganizationIdentifier = this.getOrgIdentifierFromState(qParams.state);
await this.logIn(qParams.code, codeVerifier, ssoOrganizationIdentifier); await this.logIn(qParams.code, codeVerifier, ssoOrganizationIdentifier);
await this.stateService.setUserSsoOrganizationIdentifier(ssoOrganizationIdentifier);
} }
} else if ( } else if (
qParams.clientId != null && qParams.clientId != null &&
@ -183,14 +179,14 @@ export class SsoComponent {
return authorizeUrl; return authorizeUrl;
} }
private async logIn(code: string, codeVerifier: string, orgIdentifier: string) { private async logIn(code: string, codeVerifier: string, orgSsoIdentifier: string): Promise<void> {
this.loggingIn = true; this.loggingIn = true;
try { try {
const credentials = new SsoLogInCredentials( const credentials = new SsoLogInCredentials(
code, code,
codeVerifier, codeVerifier,
this.redirectUri, this.redirectUri,
orgIdentifier orgSsoIdentifier
); );
this.formPromise = this.authService.logIn(credentials); this.formPromise = this.authService.logIn(credentials);
const authResult = await this.formPromise; const authResult = await this.formPromise;
@ -199,9 +195,18 @@ export class SsoComponent {
await this.stateService.getAccountDecryptionOptions(); await this.stateService.getAccountDecryptionOptions();
if (authResult.requiresTwoFactor) { if (authResult.requiresTwoFactor) {
return await this.handleTwoFactorRequired(orgIdentifier); return await this.handleTwoFactorRequired(orgSsoIdentifier);
} }
// Everything after the 2FA check is considered a successful login
// Just have to figure out where to send the user
// Save off the OrgSsoIdentifier for use in the TDE flows
// - TDE login decryption options component
// - Browser SSO on extension open
// Note: you cannot set this in state before 2FA b/c there won't be an account in state.
await this.stateService.setUserSsoOrganizationIdentifier(orgSsoIdentifier);
const tdeEnabled = await this.isTrustedDeviceEncEnabled( const tdeEnabled = await this.isTrustedDeviceEncEnabled(
acctDecryptionOpts.trustedDeviceOption acctDecryptionOpts.trustedDeviceOption
); );
@ -209,7 +214,7 @@ export class SsoComponent {
if (tdeEnabled) { if (tdeEnabled) {
return await this.handleTrustedDeviceEncryptionEnabled( return await this.handleTrustedDeviceEncryptionEnabled(
authResult, authResult,
orgIdentifier, orgSsoIdentifier,
acctDecryptionOpts acctDecryptionOpts
); );
} }
@ -223,13 +228,13 @@ export class SsoComponent {
if (requireSetPassword || authResult.resetMasterPassword) { if (requireSetPassword || authResult.resetMasterPassword) {
// Change implies going no password -> password in this case // Change implies going no password -> password in this case
return await this.handleChangePasswordRequired(orgIdentifier); return await this.handleChangePasswordRequired(orgSsoIdentifier);
} }
// Users enrolled in admin acct recovery can be forced to set a new password after // Users enrolled in admin acct recovery can be forced to set a new password after
// having the admin set a temp password for them // having the admin set a temp password for them
if (authResult.forcePasswordReset == ForceResetPasswordReason.AdminForcePasswordReset) { if (authResult.forcePasswordReset == ForceResetPasswordReason.AdminForcePasswordReset) {
return await this.handleForcePasswordReset(orgIdentifier); return await this.handleForcePasswordReset(orgSsoIdentifier);
} }
// Standard SSO login success case // Standard SSO login success case
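Review bot: The ordering invariant the new comment at the `setUserSsoOrganizationIdentifier` call documents — the identifier may only be persisted once an account exists in state — is now enforced purely by call placement in two components (here after the `requiresTwoFactor` early return, and again in TwoFactorComponent), so a future post-authentication branch added to `logIn` or a reordering of the 2FA check would silently drop or misplace the write. Consider having the state service reject or log the call when there is no active account, or routing both callers through a single post-authentication helper, so the contract lives in one place. A TSDoc on `logIn` would also surface the ordering at the signature rather than mid-body, e.g. `/** Completes the SSO code exchange. Persists the org SSO identifier only after 2FA has been cleared, since no account exists in state before then. */`. The TwoFactorComponent hunk passes `this.orgIdentifier` unconditionally; if that component is also reached from non-SSO logins the value may be undefined there, which is worth confirming against the setter's handling. The `logIn` body continues past the end of the last hunk.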


@ -235,6 +235,11 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
return; return;
} }
// Save off the OrgSsoIdentifier for use in the TDE flows
// - TDE login decryption options component
// - Browser SSO on extension open
await this.stateService.setUserSsoOrganizationIdentifier(this.orgIdentifier);
this.loginService.clearValues(); this.loginService.clearValues();
const acctDecryptionOpts: AccountDecryptionOptions = const acctDecryptionOpts: AccountDecryptionOptions =