Make sure hash is carried over when OIDC is only auth type for ODS

Signed-off-by: Craig Perkins <[email protected]>
opensearch-project · Aug 25, 2023 · b877019 · b877019
1 parent 6672cdb
commit b877019
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 13 deletions.
diff --git a/server/auth/types/openid/openid_auth.ts b/server/auth/types/openid/openid_auth.ts
@@ -25,13 +25,17 @@ import {
   LifecycleResponseFactory,
   AuthToolkit,
   IOpenSearchDashboardsResponse,
+  AuthResult,
 } from 'opensearch-dashboards/server';
 import HTTP from 'http';
 import HTTPS from 'https';
 import { PeerCertificate } from 'tls';
 import { Server, ServerStateCookieOptions } from '@hapi/hapi';
 import { SecurityPluginConfigType } from '../../..';
-import { SecuritySessionCookie } from '../../../session/security_cookie';
+import {
+  SecuritySessionCookie,
+  clearOldVersionCookieValue,
+} from '../../../session/security_cookie';
 import { OpenIdAuthRoutes } from './routes';
 import { AuthenticationType } from '../authentication_type';
 import { callTokenEndpoint } from './helper';
@@ -118,6 +122,22 @@ export class OpenIdAuthentication extends AuthenticationType {
     }
   }
 
+  private generateNextUrl(request: OpenSearchDashboardsRequest): string {
+    const path =
+      this.coreSetup.http.basePath.serverBasePath +
+      (request.url.pathname || '/app/opensearch-dashboards');
+    return escape(path);
+  }
+
+  private redirectOIDCCapture = (request: OpenSearchDashboardsRequest, toolkit: AuthToolkit) => {
+    const nextUrl = this.generateNextUrl(request);
+    const clearOldVersionCookie = clearOldVersionCookieValue(this.config);
+    return toolkit.redirected({
+      location: `${this.coreSetup.http.basePath.serverBasePath}/auth/openid/captureUrlFragment?nextUrl=${nextUrl}`,
+      'set-cookie': clearOldVersionCookie,
+    });
+  };
+
   private createWreckClient(): typeof wreck {
     const wreckHttpsOption: WreckHttpsOptions = {};
     if (this.config.openid?.root_ca) {
@@ -266,18 +286,9 @@ export class OpenIdAuthentication extends AuthenticationType {
     request: OpenSearchDashboardsRequest,
     response: LifecycleResponseFactory,
     toolkit: AuthToolkit
-  ): IOpenSearchDashboardsResponse {
+  ): IOpenSearchDashboardsResponse | AuthResult {
     if (this.isPageRequest(request)) {
-      // nextUrl is a key value pair
-      const nextUrl = composeNextUrlQueryParam(
-        request,
-        this.coreSetup.http.basePath.serverBasePath
-      );
-      return response.redirected({
-        headers: {
-          location: `${this.coreSetup.http.basePath.serverBasePath}${OPENID_AUTH_LOGIN}?${nextUrl}`,
-        },
-      });
+      return this.redirectOIDCCapture(request, toolkit);
     } else {
       return response.unauthorized();
     }

diff --git a/server/auth/types/openid/routes.ts b/server/auth/types/openid/routes.ts
@@ -24,7 +24,9 @@ import {
   OpenSearchDashboardsRequest,
   Logger,
 } from '../../../../../../src/core/server';
-import { SecuritySessionCookie } from '../../../session/security_cookie';
+import {
+  SecuritySessionCookie,
+} from '../../../session/security_cookie';
 import { SecurityPluginConfigType } from '../../..';
 import { OpenIdAuthConfig } from './openid_auth';
 import { SecurityClient } from '../../../backend/opensearch_security_client';