alflokken / PSAuthClient

PowerShell OAuth2.0/OpenID Connect (OIDC) Client.
MIT License
63 stars, 9 forks

Possible Bug with webview closing on idp redirecting to different SSO #5

Closed jwomackgsa closed 3 months ago

jwomackgsa commented 3 months ago

First off, thanks for all the work on this PS module. My company is rolling out Okta and I have been trying to find a good Windows-friendly OIDC client that we can pull down token responses with to ensure the right values are passing. When I use standard MFA login such as username + Okta Verify, the authorization flow works just fine; however, when I select the certificate-based login, Okta redirects me to a secondary IdP which does the certificate validation. Once that part is done, the web form closes and errors out on state mismatch. I added some logging to the module to dump the websource URL, and it's not the $redirect_uri but another URL on the Okta side that was handling the certificate authentication, which just so happens to have both "code" and "state" query parameters. I looked at the logic of the webview form-close regex and it's matching on $redirect_uri or code= or error= in the URL. I don't know if this was the intent, but it's what was causing my error.

I instead updated the regex to be like $redirect_uri?.*(?:code=([^&]+)|error=([^&]+)) so that it matches the actual redirect URI with a code or error query parameter. This lets my secondary IdP redirect contain the code parameter without it closing the window and grabbing the wrong URL.

If you think this is a change you would accept, I would be happy to submit a PR for this.

alflokken commented 3 months ago

Thanks for the feedback and for identifying the oversight in the form close regex! 👍

I updated the urlCloseCondition based on your suggestion. Provided that you specify redirect_uri in the request, this should resolve the issue where the form closes prematurely. (Note that redirect_uri is optional in authorization requests.)

Let me know if you agree that this solves your issue, and I will publish a new release!

jwomackgsa commented 3 months ago

I ran some quick tests with the new commit code and it's still matching improperly when I provide the $redirect_uri. Here is an example of the test I used, based on URLs similar to the ones my process flows through.

```powershell
# Sample URLs from the flow: an Okta-side mTLS callback that also carries code/state,
# the bare redirect_uri, and the redirect_uri carrying the real authorization response.
$url = "https://example.com/sso/idps/MTLS/mtlscallback?state=aWh3dWxvSFBQU0ZnRG15UENHa&code=522b2c449565"
$url2 = "http://localhost:8181/authorization-code/callback"
$url3 = "http://localhost:8181/authorization-code/callback?code=vrDYh_BHFTYHdv4-jIlOmdw3&state=QU0ZnRG15"
$redirect_uri = "http://localhost:8181/authorization-code/callback"
# Proposed close condition. Note that '?' is a legal variable-name character in
# PowerShell, so "$redirect_uri?" expands the (undefined) variable $redirect_uri?
# to an empty string rather than appending a literal '?'; the first alternative
# thus becomes .*(?:code=...|error=...) and matches any URL containing code= or error=.
$regex = "$redirect_uri?.*(?:code=([^&]+)|error=([^&]+))|^$redirect_uri"

if ( $url -match $regex ) { Write-Host "url matches" }
if ( $url2 -match $regex ) { Write-Host "url2 matches" }
if ( $url3 -match $regex ) { Write-Host "url3 matches" }
```

This test shows that the regex matches each URL, so I think the regex needs a bit more tweaking to work.

Edit: The ideal regex will not match $url but will match $url2 and $url3.
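A component-wise check that satisfies the three-URL test above, as an added example that is not PSAuthClient's own code: instead of running a regex over the raw URL string, it parses both the navigated URL and the registered redirect_uri with [System.Uri] and requires scheme, host, port and path to agree before it looks at the query string. The function names and the -ExpectedState parameter are hypothetical; the URLs in the driver are the ones posted in this thread, and the expected state is taken from $url3.

```powershell
# Added example (not PSAuthClient's code). Function names and -ExpectedState are
# hypothetical; the sample URLs are the three from the test in this thread.

function Test-IsRedirectUri {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $RedirectUri
    )
    $nav = [System.Uri] $Url
    $exp = [System.Uri] $RedirectUri

    # Scheme, host and port compare case-insensitively (-eq); the path is
    # compared case-sensitively (-ceq). Query and fragment are ignored on
    # purpose: the bare callback (no code yet) counts as "arrived", while an
    # IdP-side page that merely carries ?code=&state= on another host/path
    # does not, so the WebView is not closed on the intermediate URL.
    return ($nav.Scheme -eq $exp.Scheme) -and
           ($nav.Host   -eq $exp.Host)   -and
           ($nav.Port   -eq $exp.Port)   -and
           ($nav.AbsolutePath -ceq $exp.AbsolutePath)
}

function Get-AuthorizationResponse {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ExpectedState
    )
    # Minimal query-string parser so the example has no System.Web dependency.
    $params = @{}
    foreach ($pair in ([System.Uri] $Url).Query.TrimStart('?') -split '&') {
        if (-not $pair) { continue }
        $k, $v = $pair -split '=', 2
        $params[[System.Uri]::UnescapeDataString($k)] =
            if ($null -ne $v) { [System.Uri]::UnescapeDataString($v) } else { '' }
    }

    if ($params.ContainsKey('error')) {
        throw "authorization error: $($params['error']) $($params['error_description'])"
    }
    if (-not $params.ContainsKey('code')) { return $null }   # on the callback, no response yet

    # CSRF protection: the state must be the one generated for this request.
    # Comparing the intermediate mTLS URL's state here is exactly the
    # "state mismatch" the old close condition produced.
    if ($params['state'] -cne $ExpectedState) {
        throw "state mismatch: expected '$ExpectedState', got '$($params['state'])'"
    }
    return [pscustomobject]@{ Code = $params['code']; State = $params['state'] }
}

# Constructed inputs: the three URLs from the test above. Only the last one
# should both close the form and yield a code.
$redirect_uri  = 'http://localhost:8181/authorization-code/callback'
$expectedState = 'QU0ZnRG15'
$urls = @(
    'https://example.com/sso/idps/MTLS/mtlscallback?state=aWh3dWxvSFBQU0ZnRG15UENHa&code=522b2c449565',
    'http://localhost:8181/authorization-code/callback',
    'http://localhost:8181/authorization-code/callback?code=vrDYh_BHFTYHdv4-jIlOmdw3&state=QU0ZnRG15'
)
foreach ($u in $urls) {
    $close = Test-IsRedirectUri -Url $u -RedirectUri $redirect_uri
    Write-Host ("close={0,-5} {1}" -f $close, $u)
    if ($close) {
        $resp = Get-AuthorizationResponse -Url $u -ExpectedState $expectedState
        if ($resp) { Write-Host ("    code={0} state={1}" -f $resp.Code, $resp.State) }
    }
}

# What the old close condition amounted to: treating the IdP-side URL as the response.
try   { Get-AuthorizationResponse -Url $urls[0] -ExpectedState $expectedState | Out-Null }
catch { Write-Host "old behaviour: $($_.Exception.Message)" }
```

Comparing parsed components sidesteps two problems with interpolating $redirect_uri into a regex: the URI's own characters (`.`, `?`, `+`) are regex metacharacters unless passed through [regex]::Escape, and in PowerShell `?` is a valid variable-name character, so "$redirect_uri?" silently expands an undefined $redirect_uri? rather than appending a literal question mark.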

alflokken commented 3 months ago

Let's try again. I think this is a better solution.

Does this solve the problem? 😅

jwomackgsa commented 3 months ago

Hi, yes, this looks like it will work. Thanks for the help!

alflokken commented 3 months ago

Thanks, a new version has been published. 👍