OS2sandbox / sandbox-myndighedsidentitet-issues

Sandbox issuetracker for an OS2 configured IdP and SSO provider Authentik
https://goauthentik.io/
Creative Commons Zero v1.0 Universal
5 stars 0 forks source link

Redirection without hitting the "My Applications" landing page? #46

Open janhalen opened 8 months ago

janhalen commented 8 months ago

When you sign in to e.g. Zulip via the zulip test url, you end up in the "My applications" landing page inside Authentik.

The expected behaviour would be to end up directly in the app you tried to acces via the url. The choice between the different enrolled apps is just confusing to a simple user just wanting SSO to Zulip or Nextcloud.

image

nicolas-semaphor commented 8 months ago

Agreed, this should be fixable in the flow manager somehow. It will only occur upon first login, if the kombit user isn't already signed in, but It's still undesired behavior.

janhalen commented 8 months ago

Maybe this? https://goauthentik.io/docs/flow/context/#redirect-string

(I havent checked with the current flow, what the url is set to)

nicolas-semaphor commented 8 months ago

That sounds absolutely spot on, good find. Will check to see if can make an easy fix.

nicolas-semaphor commented 4 months ago

this may have been a bug. I just tested on a newer image with a home brewed RubySAML service provider. After being redirected to AK and signing in, I get send directly back to my simple Ruby app, without seing the my application ~apge~ page.

nicolas-semaphor commented 4 months ago

Although, this example uses the SAML Provider, and not the OIDC provider that might have caused the redirect to the My Applications page. I will test with the OIDC provider instead.

janhalen commented 4 months ago

this may have been a bug. I just tested on a newer image with a home brewed RubySAML service provider. After being redirected to AK and signing in, I get send directly back to my simple Ruby app, without seing the my application ~apge~ page.

nicolas-semaphor commented 4 months ago

Unfortunately not, for that we would need a SAML IdP mock servce. In this case I made a very simple SAML Service provider, which logged in using an Authentik SAML Provider. I'll gladly share though.

require 'onelogin/ruby-saml'
require 'sinatra'

enable :sessions

OneLogin::RubySaml::Logging.logger = Logger.new 'ruby-saml.log'
WEBrick::HTTPRequest.const_set("MAX_URI_LENGTH", 10240)

def saml_settings

  idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
  validate_cert = true
  settings = idp_metadata_parser.parse_remote(
    "<saml_idp_metadata_url>",
    validate_cert,
  )

  settings.assertion_consumer_service_url = "<host>/saml/acs"
  settings.sp_entity_id                   = "<host>/saml/metadata"

  return settings
end

get '/' do
  if session[:nameid]
    return '<p>Welcome <b>' + session[:nameid] + '</b>!</p>'
  else
    redirect '/saml/login'
  end
end

get '/saml/metadata' do
  meta = OneLogin::RubySaml::Metadata.new
  content_type 'text/xml'
  meta.generate saml_settings
end

get '/saml/login' do
  request = OneLogin::RubySaml::Authrequest.new  
  redir_url = request.create saml_settings
  redirect redir_url
end

get '/test/authnrequest' do
  request = OneLogin::RubySaml::Authrequest.new
  content_type 'text/xml'
  return request.create_authentication_xml_doc(saml_settings).to_s
end  

post '/saml/acs' do
  response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => saml_settings)
  if response.is_valid?
    session[:nameid] = response.nameid
    session[:attributes] = response.attributes

    puts "\nAttributes in Assertion:"
    session[:attributes].each do
      |key, value| puts "#{key} => '#{value[0]}'"
    end
    puts ""

    # Login.
    redirect '/'
  else
    authorize_failure
  end
end
janhalen commented 1 month ago

Although, this example uses the SAML Provider, and not the OIDC provider that might have caused the redirect to the My Applications page. I will test with the OIDC provider instead.

Has this been tested and verified as a misconfiguration in the flow? Does it need more work?

janhalen commented 3 weeks ago

Need to test again with newest Authentik release build