PM-3981 - SSO/2FA Comp bugfix for user unable to be JIT created in a TDE org with a require 2FA policy. We were trying to save the Org SSO Id in all post login scenarios instead of all post login success scenarios. 2FA required is a scenario in which the login would not be successful and no account will exist in state for data to be set on. (#6439)
This commit is contained in:
Jared Snider
GitHub
parent
0a953b444a
commit
462daab322
|
|
@ -76,12 +76,8 @@ export class SsoComponent {
|
||||||
state != null &&
|
state != null &&
|
||||||
this.checkState(state, qParams.state)
|
this.checkState(state, qParams.state)
|
||||||
) {
|
) {
|
||||||
// We are not using a query param to pass org identifier around specifically
|
|
||||||
// for the browser SSO case when it needs it on extension open after SSO success
|
|
||||||
// on the TDE login decryption options component
|
|
||||||
const ssoOrganizationIdentifier = this.getOrgIdentifierFromState(qParams.state);
|
const ssoOrganizationIdentifier = this.getOrgIdentifierFromState(qParams.state);
|
||||||
await this.logIn(qParams.code, codeVerifier, ssoOrganizationIdentifier);
|
await this.logIn(qParams.code, codeVerifier, ssoOrganizationIdentifier);
|
||||||
await this.stateService.setUserSsoOrganizationIdentifier(ssoOrganizationIdentifier);
|
|
||||||
}
|
}
|
||||||
} else if (
|
} else if (
|
||||||
qParams.clientId != null &&
|
qParams.clientId != null &&
|
||||||
|
|
@ -183,14 +179,14 @@ export class SsoComponent {
|
||||||
return authorizeUrl;
|
return authorizeUrl;
|
||||||
}
|
}
|
||||||
|
|
||||||
private async logIn(code: string, codeVerifier: string, orgIdentifier: string) {
|
private async logIn(code: string, codeVerifier: string, orgSsoIdentifier: string): Promise<void> {
|
||||||
this.loggingIn = true;
|
this.loggingIn = true;
|
||||||
try {
|
try {
|
||||||
const credentials = new SsoLogInCredentials(
|
const credentials = new SsoLogInCredentials(
|
||||||
code,
|
code,
|
||||||
codeVerifier,
|
codeVerifier,
|
||||||
this.redirectUri,
|
this.redirectUri,
|
||||||
orgIdentifier
|
orgSsoIdentifier
|
||||||
);
|
);
|
||||||
this.formPromise = this.authService.logIn(credentials);
|
this.formPromise = this.authService.logIn(credentials);
|
||||||
const authResult = await this.formPromise;
|
const authResult = await this.formPromise;
|
||||||
|
|
@ -199,9 +195,18 @@ export class SsoComponent {
|
||||||
await this.stateService.getAccountDecryptionOptions();
|
await this.stateService.getAccountDecryptionOptions();
|
||||||
|
|
||||||
if (authResult.requiresTwoFactor) {
|
if (authResult.requiresTwoFactor) {
|
||||||
return await this.handleTwoFactorRequired(orgIdentifier);
|
return await this.handleTwoFactorRequired(orgSsoIdentifier);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Everything after the 2FA check is considered a successful login
|
||||||
|
// Just have to figure out where to send the user
|
||||||
|
|
||||||
|
// Save off the OrgSsoIdentifier for use in the TDE flows
|
||||||
|
// - TDE login decryption options component
|
||||||
|
// - Browser SSO on extension open
|
||||||
|
// Note: you cannot set this in state before 2FA b/c there won't be an account in state.
|
||||||
|
await this.stateService.setUserSsoOrganizationIdentifier(orgSsoIdentifier);
|
||||||
|
|
||||||
const tdeEnabled = await this.isTrustedDeviceEncEnabled(
|
const tdeEnabled = await this.isTrustedDeviceEncEnabled(
|
||||||
acctDecryptionOpts.trustedDeviceOption
|
acctDecryptionOpts.trustedDeviceOption
|
||||||
);
|
);
|
||||||
|
|
@ -209,7 +214,7 @@ export class SsoComponent {
|
||||||
if (tdeEnabled) {
|
if (tdeEnabled) {
|
||||||
return await this.handleTrustedDeviceEncryptionEnabled(
|
return await this.handleTrustedDeviceEncryptionEnabled(
|
||||||
authResult,
|
authResult,
|
||||||
orgIdentifier,
|
orgSsoIdentifier,
|
||||||
acctDecryptionOpts
|
acctDecryptionOpts
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
@ -223,13 +228,13 @@ export class SsoComponent {
|
||||||
|
|
||||||
if (requireSetPassword || authResult.resetMasterPassword) {
|
if (requireSetPassword || authResult.resetMasterPassword) {
|
||||||
// Change implies going no password -> password in this case
|
// Change implies going no password -> password in this case
|
||||||
return await this.handleChangePasswordRequired(orgIdentifier);
|
return await this.handleChangePasswordRequired(orgSsoIdentifier);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Users enrolled in admin acct recovery can be forced to set a new password after
|
// Users enrolled in admin acct recovery can be forced to set a new password after
|
||||||
// having the admin set a temp password for them
|
// having the admin set a temp password for them
|
||||||
if (authResult.forcePasswordReset == ForceResetPasswordReason.AdminForcePasswordReset) {
|
if (authResult.forcePasswordReset == ForceResetPasswordReason.AdminForcePasswordReset) {
|
||||||
return await this.handleForcePasswordReset(orgIdentifier);
|
return await this.handleForcePasswordReset(orgSsoIdentifier);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Standard SSO login success case
|
// Standard SSO login success case
|
||||||
|
|
|
||||||
|
|
@ -235,6 +235,11 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Save off the OrgSsoIdentifier for use in the TDE flows
|
||||||
|
// - TDE login decryption options component
|
||||||
|
// - Browser SSO on extension open
|
||||||
|
await this.stateService.setUserSsoOrganizationIdentifier(this.orgIdentifier);
|
||||||
|
|
||||||
this.loginService.clearValues();
|
this.loginService.clearValues();
|
||||||
|
|
||||||
const acctDecryptionOpts: AccountDecryptionOptions =
|
const acctDecryptionOpts: AccountDecryptionOptions =
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue