From 3b8cbe631f6d9a15220853cfc88a3ed36111a414 Mon Sep 17 00:00:00 2001 From: Chad Scharf <3904944+cscharf@users.noreply.github.com> Date: Tue, 29 Sep 2020 17:06:17 -0400 Subject: [PATCH] Implemented new OIDC redirect behavior (#954) --- .../src/Portal/Models/SsoConfigDataViewModel.cs | 5 +++++ .../src/Portal/Models/SsoConfigEditViewModel.cs | 9 +++++++++ bitwarden_license/src/Portal/Views/Sso/Index.cshtml | 7 +++++++ .../src/Sso/Controllers/AccountController.cs | 3 --- .../DynamicAuthenticationSchemeProvider.cs | 1 + src/Core/Models/Data/SsoConfigurationData.cs | 2 ++ src/Core/Resources/SharedResources.en.resx | 13 +++++++++++++ 7 files changed, 37 insertions(+), 3 deletions(-) diff --git a/bitwarden_license/src/Portal/Models/SsoConfigDataViewModel.cs b/bitwarden_license/src/Portal/Models/SsoConfigDataViewModel.cs index cc656503c..624e0f575 100644 --- a/bitwarden_license/src/Portal/Models/SsoConfigDataViewModel.cs +++ b/bitwarden_license/src/Portal/Models/SsoConfigDataViewModel.cs @@ -10,6 +10,7 @@ using U2F.Core.Utils; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Text.RegularExpressions; +using Microsoft.AspNetCore.Authentication.OpenIdConnect; namespace Bit.Portal.Models { @@ -26,6 +27,7 @@ namespace Bit.Portal.Models CallbackPath = configurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso); SignedOutCallbackPath = configurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso); MetadataAddress = configurationData.MetadataAddress; + RedirectBehavior = configurationData.RedirectBehavior; GetClaimsFromUserInfoEndpoint = configurationData.GetClaimsFromUserInfoEndpoint; SpEntityId = configurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso); SpAcsUrl = configurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso); 
@@ -63,6 +65,8 @@ namespace Bit.Portal.Models public string SignedOutCallbackPath { get; set; } [Display(Name = "MetadataAddress")] public string MetadataAddress { get; set; } + [Display(Name = "RedirectBehavior")] + public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; } [Display(Name = "GetClaimsFromUserInfoEndpoint")] public bool GetClaimsFromUserInfoEndpoint { get; set; } @@ -190,6 +194,7 @@ namespace Bit.Portal.Models ClientSecret = ClientSecret, MetadataAddress = MetadataAddress, GetClaimsFromUserInfoEndpoint = GetClaimsFromUserInfoEndpoint, + RedirectBehavior = RedirectBehavior, IdpEntityId = IdpEntityId, IdpBindingType = IdpBindingType, IdpSingleSignOnServiceUrl = IdpSingleSignOnServiceUrl, diff --git a/bitwarden_license/src/Portal/Models/SsoConfigEditViewModel.cs b/bitwarden_license/src/Portal/Models/SsoConfigEditViewModel.cs index 62819e024..7d993a1eb 100644 --- a/bitwarden_license/src/Portal/Models/SsoConfigEditViewModel.cs +++ b/bitwarden_license/src/Portal/Models/SsoConfigEditViewModel.cs @@ -9,6 +9,7 @@ using Bit.Core.Models.Data; using Bit.Core.Models.Table; using Bit.Core.Services; using Bit.Core.Sso; +using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.AspNetCore.Mvc.Rendering; namespace Bit.Portal.Models @@ -54,6 +55,7 @@ namespace Bit.Portal.Models public List BindingTypes { get; set; } public List SigningBehaviors { get; set; } public List SigningAlgorithms { get; set; } + public List RedirectBehaviors { get; set; } public SsoConfig ToSsoConfig(Guid organizationId) { @@ -103,6 +105,13 @@ namespace Bit.Portal.Models SigningAlgorithms = SamlSigningAlgorithms.GetEnumerable().Select(a => new SelectListItem(a, a)).ToList(); + + RedirectBehaviors = Enum.GetNames(typeof(OpenIdConnectRedirectBehavior)) + .Select(behavior => new SelectListItem + { + Value = behavior, + Text = i18nService.T(behavior), + }).ToList(); } } } 
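Review bot: In the `@@ -63,6 +65,8 @@` hunk of SsoConfigDataViewModel.cs the new `RedirectBehavior` property has no initializer, so a view model that is not constructed from existing configuration data takes the enum's zero value (which, if I recall ASP.NET Core's `OpenIdConnectRedirectBehavior` correctly, is `RedirectGet`), while `SsoConfigurationData.RedirectBehavior` in this same commit defaults to `FormPost`. If the portal has a constructor path that does not copy from `configurationData` (not visible here), a first-time setup would pre-select the GET behavior in the dropdown and persist it on save, diverging from the data-model default. Suggest `public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; } = OpenIdConnectRedirectBehavior.FormPost;` so both layers agree. The class body starts and ends outside the hunk.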
diff --git a/bitwarden_license/src/Portal/Views/Sso/Index.cshtml b/bitwarden_license/src/Portal/Views/Sso/Index.cshtml index a1cc17b44..775a1aa17 100644 --- a/bitwarden_license/src/Portal/Views/Sso/Index.cshtml +++ b/bitwarden_license/src/Portal/Views/Sso/Index.cshtml @@ -119,6 +119,13 @@ +
+
+ + +
+
diff --git a/bitwarden_license/src/Sso/Controllers/AccountController.cs b/bitwarden_license/src/Sso/Controllers/AccountController.cs index b11f79850..1d184b451 100644 --- a/bitwarden_license/src/Sso/Controllers/AccountController.cs +++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs @@ -21,9 +21,6 @@ using System.Linq; using System.Security.Claims; using System.Threading.Tasks; using Bit.Core.Models.Api; -using Microsoft.AspNetCore.WebUtilities; -using Microsoft.Extensions.Primitives; -using System.Net; namespace Bit.Sso.Controllers { diff --git a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs index 3f12d690b..7ea586815 100644 --- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs +++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs @@ -315,6 +315,7 @@ namespace Bit.Core.Business.Sso SignedOutCallbackPath = config.BuildSignedOutCallbackPath(), MetadataAddress = config.MetadataAddress, // Prevents URLs that go beyond 1024 characters which may break for some servers + AuthenticationMethod = config.RedirectBehavior, GetClaimsFromUserInfoEndpoint = config.GetClaimsFromUserInfoEndpoint, }; diff --git a/src/Core/Models/Data/SsoConfigurationData.cs b/src/Core/Models/Data/SsoConfigurationData.cs index fe6e96103..aa71ec6df 100644 --- a/src/Core/Models/Data/SsoConfigurationData.cs +++ b/src/Core/Models/Data/SsoConfigurationData.cs @@ -1,6 +1,7 @@ using System; using Bit.Core.Enums; using Bit.Core.Sso; +using Microsoft.AspNetCore.Authentication.OpenIdConnect; namespace Bit.Core.Models.Data { 
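Review bot: In the DynamicAuthenticationSchemeProvider hunk the added `AuthenticationMethod = config.RedirectBehavior,` is inserted between the comment `// Prevents URLs that go beyond 1024 characters which may break for some servers` and `GetClaimsFromUserInfoEndpoint = config.GetClaimsFromUserInfoEndpoint,`, the line that comment was attached to before, so the comment now reads as if it explained the redirect behavior. Move the new initializer above the comment (or below the `GetClaimsFromUserInfoEndpoint` line) and give it its own note, e.g. `// FormPost sends the authorization request as an auto-submitted form body; RedirectGet puts it in a 302 query string.` The enclosing options initializer starts and ends outside the hunk; the AccountController hunk is a pure using-removal and raises nothing.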
@@ -17,6 +18,7 @@ namespace Bit.Core.Models.Data public string ClientId { get; set; } public string ClientSecret { get; set; } public string MetadataAddress { get; set; } + public OpenIdConnectRedirectBehavior RedirectBehavior { get; set; } = OpenIdConnectRedirectBehavior.FormPost; public bool GetClaimsFromUserInfoEndpoint { get; set; } // SAML2 IDP diff --git a/src/Core/Resources/SharedResources.en.resx b/src/Core/Resources/SharedResources.en.resx index ffd9246ae..3df8e72c0 100644 --- a/src/Core/Resources/SharedResources.en.resx +++ b/src/Core/Resources/SharedResources.en.resx @@ -526,4 +526,17 @@ User already exists, please link account to SSO after logging in + + Redirect GET + An OIDC Connect Redirect Behavior, Redirect; Emits a 302 response + to redirect the user agent to the OpenID Connect provider using a GET request. + + + Form POST + An OIDC Connect Redirect Behavior, Form POST; Emits an HTML form to + redirect the user agent to the OpenID Connect provider using a POST request. + + + OIDC Redirect Behavior +
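Review bot: `RedirectBehavior` defaults to `FormPost`, so every `SsoConfigurationData` record serialized before this field existed will pick up the form-POST behavior on upgrade, which (if I recall correctly) differs from the `OpenIdConnectOptions` default of `RedirectGet` that those organizations were effectively using; please confirm the switch is intended, since an identity provider that rejects POST to its authorization endpoint would break SSO login until an admin changes the dropdown. FormPost is the more conservative choice because `client_id`, `state` and `nonce` travel in the request body rather than a query string that proxies and referrer logs may capture, and that rationale is worth recording next to the default: `// Default to FormPost so the authorization request is sent as a POST body instead of a GET query string (shorter URLs, not logged by intermediaries); older records without this field adopt it on load.` The rest of the class is outside the hunk.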