flownative / flow-openidconnect-client

OpenID Connect Client SDK for Flow Framework
MIT License

JWT cookie is only set for first configured service #29

Closed bwaidelich closed 3 years ago

bwaidelich commented 3 years ago

The SetJwtCookieMiddleware skips setting (and deleting) the JWT cookie when the configured authentication provider does not match the one from the authenticated token. Since these options are configured globally, this will lead the middleware to skip setting the cookie when multiple OIDC services are configured.

Steps to reproduce

  1. Configure multiple services

     ```yaml
     Flownative:
       OpenIdConnect:
         Client:
           services:
             'service1':
               options: [...]
             'service2':
               options: [...]

     Neos:
       Flow:
         security:
           authentication:
             providers:
               'Some.Package:OidcService1Provider':
                 provider: 'Flownative\OpenIdConnect\Client\Authentication\OpenIdConnectProvider'
                 providerOptions:
                   jwtCookieName: 'some-cookie-name'
                   serviceName: 'service1'
                 # ...
               'Some.Package:OidcService2Provider':
                 provider: 'Flownative\OpenIdConnect\Client\Authentication\OpenIdConnectProvider'
                 providerOptions:
                   jwtCookieName: 'some-cookie-name'
                   serviceName: 'service2'
                 # ...
     ```

  2. Authenticate

Expected behavior

After the OIDC redirect, a cookie "some-cookie-name" is set containing the JWT.

Actual behavior

Depending on the loading order, the cookie is only set for one of the services.