[Koha-bugs] [Bug 34163] CSRF error if try OAuth2/OIDC after logout
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Fri Jun 30 04:52:39 CEST 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163
--- Comment #2 from David Cook <dcook at prosentient.com.au> ---
Created attachment 152880
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=152880&action=edit
Bug 34163: Handle both anonymous userenv when generating CSRF tokens
An anonymous session might have a userenv which is undef or which is
a hashref of undef/empty values.
This patch generates the "anonymous" prefix for undef/empty 'id'
values, which prevents CSRF errors when logging in via OAuth2/OIDC
following a Koha logout.
Test plan:
Before applying patch:
1. Go to https://wiki.koha-community.org/wiki/Testing_SSO
2. Set up OpenID Connect realm, user, client, and Koha
integration to Keycloak for koha-testing-docker as noted in the wiki
3. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1
4. Click on OIDC "Log in with XXXX" button and log into IDP
5. Note that you're not logged in and you instead see an error message like:
"There was an error authenticating to external identity provider
wrong_csrf_token"
6. Apply patch
7. Go to "Sessions" section of the test realm in Keycloak
e.g. http://sso:8082/auth/admin/master/console/#/test/sessions
8. Click "Action" on the far right side of the screen
9. Choose "Sign out all active sessions"
After applying patch:
10. koha-plack --restart kohadev
11. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1
12. Click on OIDC "Log in with XXXX" button and log into IDP
13. Note that you're logged in
14. prove t/Token.t
15. Note all tests pass
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list