Fix skip sso for apikey login (#1308)

* Improve mixing SSO login error * Skip SSO requirement for API key logins * Bypass MFA for apikey logins
2025-02-16 01:51:21 +01:00 · 2021-05-10 11:13:37 -05:00 · 2021-05-10 11:13:37 -05:00 · 354ff6e2cb
commit 354ff6e2cb
parent 70ab5b25a1
2 changed files with 17 additions and 4 deletions
--- a/src/Core/IdentityServer/BaseRequestValidator.cs
+++ b/src/Core/IdentityServer/BaseRequestValidator.cs
@ -87,7 +87,7 @@ namespace Bit.Core.IdentityServer
                return;
            }

-            var twoFactorRequirement = await RequiresTwoFactorAsync(user);
+            var twoFactorRequirement = await RequiresTwoFactorAsync(user, request.GrantType);
            if (twoFactorRequirement.Item1)
            {
                // Just defaulting it
@ -260,8 +260,14 @@ namespace Bit.Core.IdentityServer

        protected abstract void SetErrorResult(T context, Dictionary<string, object> customResponse);

-        private async Task<Tuple<bool, Organization>> RequiresTwoFactorAsync(User user)
+        private async Task<Tuple<bool, Organization>> RequiresTwoFactorAsync(User user, string grantType)
        {
+            if (grantType == "client_credentials")
+            {
+                // Do not require MFA for api key logins
+                return new Tuple<bool, Organization>(false, null);
+            }
+
            var individualRequired = _userManager.SupportsUserTwoFactor &&
                await _userManager.GetTwoFactorEnabledAsync(user) &&
                (await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0;
@ -286,9 +292,10 @@ namespace Bit.Core.IdentityServer

        private async Task<bool> IsValidAuthTypeAsync(User user, string grantType)
        {
-            if (grantType == "authorization_code")
+            if (grantType == "authorization_code" || grantType == "client_credentials")
            {
                // Already using SSO to authorize, finish successfully
+                // Or login via api key, skip SSO requirement
                return true;
            }

--- a/src/Core/IdentityServer/CustomTokenRequestValidator.cs
+++ b/src/Core/IdentityServer/CustomTokenRequestValidator.cs
@ -87,7 +87,13 @@ namespace Bit.Core.IdentityServer
        }

        protected override void SetSsoResult(CustomTokenRequestValidationContext context, 
-            Dictionary<string, object> customResponse) => throw new System.NotImplementedException();
+            Dictionary<string, object> customResponse) 
+        {
+            context.Result.Error = "invalid_grant";
+            context.Result.ErrorDescription = "Single Sign on required.";
+            context.Result.IsError = true;
+            context.Result.CustomResponse = customResponse;
+        }

        protected override void SetErrorResult(CustomTokenRequestValidationContext context,
            Dictionary<string, object> customResponse)