[MNT-22836] - support PKCE code flow in SSO (#8884)

* [MNT-22836] - support PKCE code flow in SSO
2025-09-17 14:21:29 +00:00 · 2023-11-17 15:17:26 +01:00
parent eb8aaecef6
commit d14c116747
8 changed files with 24 additions and 17 deletions
--- a/demo-shell/src/app.config.json
+++ b/demo-shell/src/app.config.json
@@ -20,7 +20,8 @@
    "clientId": "alfresco",
    "scope": "openid profile email",
    "secret": "",
-    "implicitFlow": true,
+    "implicitFlow": false,
+    "codeFlow": true,
    "silentLogin": true,
    "redirectSilentIframeUri": "{protocol}//{hostname}{:port}/assets/silent-refresh.html",
    "redirectUri": "/",
--- a/docker/docker-entrypoint.d/30-sed-on-appconfig.sh
+++ b/docker/docker-entrypoint.d/30-sed-on-appconfig.sh
@@ -33,6 +33,11 @@ if [ -n "${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}" ]; then
    -i "${NGINX_ENVSUBST_OUTPUT_DIR}/app.config.json"
 fi

+if [ -n "${APP_CONFIG_OAUTH2_CODE_FLOW}" ]; then
+  sed -e "s/\"codeFlow\": [^,]*/\"codeFlow\": ${APP_CONFIG_OAUTH2_CODE_FLOW}/g" \
+    -i "${NGINX_ENVSUBST_OUTPUT_DIR}/app.config.json"
+fi
+
 if [ -n "${APP_CONFIG_OAUTH2_SILENT_LOGIN}" ]; then
  sed -e "s/\"silentLogin\": [^,]*/\"silentLogin\": ${APP_CONFIG_OAUTH2_SILENT_LOGIN}/g" \
    -i "${NGINX_ENVSUBST_OUTPUT_DIR}/app.config.json"
--- a/docker/run.sh
+++ b/docker/run.sh
@@ -14,6 +14,7 @@ docker run --rm -it \
  --env APP_CONFIG_OAUTH2_HOST=$APP_CONFIG_OAUTH2_HOST \
  --env APP_CONFIG_OAUTH2_CLIENTID=$APP_CONFIG_OAUTH2_CLIENTID \
  --env APP_CONFIG_OAUTH2_IMPLICIT_FLOW=$APP_CONFIG_OAUTH2_IMPLICIT_FLOW \
+  --env APP_CONFIG_OAUTH2_IMPLICIT_FLOW=$APP_CONFIG_OAUTH2_CODE_FLOW \
  --env APP_CONFIG_OAUTH2_SILENT_LOGIN=$APP_CONFIG_OAUTH2_SILENT_LOGIN \
  --env APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI=$APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI \
  --env APP_CONFIG_BPM_HOST=$APP_CONFIG_BPM_HOST \
--- a/lib/core/src/lib/auth/oidc/auth-config.service.spec.ts
+++ b/lib/core/src/lib/auth/oidc/auth-config.service.spec.ts
@@ -149,7 +149,7 @@ describe('AuthConfigService', () => {
            const expectedConfig = {
                oidc: true,
                issuer: 'http://localhost:3000/auth/realms/alfresco',
-                redirectUri: 'http://localhost:3000/#/view/authentication-confirmation',
+                redirectUri: 'http://localhost:3000/#/view/authentication-confirmation/?',
                silentRefreshRedirectUri: 'http://localhost:3000/assets/silent-refresh.html',
                postLogoutRedirectUri: 'http://localhost:3000/#/logout',
                clientId: 'fakeClientId',
--- a/lib/core/src/lib/auth/oidc/auth-config.service.ts
+++ b/lib/core/src/lib/auth/oidc/auth-config.service.ts
@@ -19,7 +19,7 @@ import { Inject, Injectable } from '@angular/core';
 import { AuthConfig } from 'angular-oauth2-oidc';
 import { take } from 'rxjs/operators';
 import { AppConfigService } from '../../app-config/app-config.service';
-import { AuthModuleConfig, AUTH_MODULE_CONFIG } from './auth-config';
+import { AUTH_MODULE_CONFIG, AuthModuleConfig } from './auth-config';

 /**
 * Create auth configuration factory
@@ -84,7 +84,7 @@ export class AuthConfigService {

        // handle issue from the OIDC library with hashStrategy and implicitFlow, with would append &state to the url with would lead to error
        // `cannot match any routes`, and displaying the wildcard ** error page
-        return oauth2.implicitFlow && useHash ? `${redirectUri}/?` : redirectUri;
+        return (oauth2.codeFlow || oauth2.implicitFlow) && useHash ? `${redirectUri}/?` : redirectUri;
    }

    private getLocationOrigin() {
--- a/lib/core/src/lib/login/components/login.component.html
+++ b/lib/core/src/lib/login/components/login.component.html
@@ -44,7 +44,7 @@
                            </div>
                        </div>

-                        <div *ngIf="!implicitFlow">
+                        <div *ngIf="!ssoLogin">

                            <!--USERNAME FIELD-->
                            <div
@@ -169,7 +169,7 @@
                                </mat-checkbox>
                            </div>
                        </div>
-                        <div *ngIf="implicitFlow">
+                        <div *ngIf="ssoLogin">
                            <button
                                type="button"
                                (click)="implicitLogin()"
--- a/lib/core/src/lib/login/components/login.component.spec.ts
+++ b/lib/core/src/lib/login/components/login.component.spec.ts
@@ -721,7 +721,7 @@ describe('LoginComponent', () => {
                fixture.detectChanges();

                fixture.whenStable().then(() => {
-                    expect(component.implicitFlow).toBe(false);
+                    expect(component.ssoLogin).toBe(false);
                    expect(component.redirectToImplicitLogin).toHaveBeenCalled();
                });

@@ -734,7 +734,7 @@ describe('LoginComponent', () => {
                fixture.detectChanges();

                fixture.whenStable().then(() => {
-                    expect(component.implicitFlow).toBe(true);
+                    expect(component.ssoLogin).toBe(true);
                });

            }));
--- a/lib/core/src/lib/login/components/login.component.ts
+++ b/lib/core/src/lib/login/components/login.component.ts
@@ -111,7 +111,7 @@ export class LoginComponent implements OnInit, OnDestroy {
    @Output()
    executeSubmit = new EventEmitter<LoginSubmitEvent>();

-    implicitFlow: boolean = false;
+    ssoLogin: boolean = false;

    form: UntypedFormGroup;
    isError: boolean = false;
@@ -155,8 +155,8 @@ export class LoginComponent implements OnInit, OnDestroy {
                const oauth = this.appConfig.oauth2;
                if (oauth?.silentLogin) {
                    this.redirectToImplicitLogin();
-                } else if (oauth?.implicitFlow) {
-                    this.implicitFlow = true;
+                } else if (oauth?.implicitFlow || oauth?.codeFlow) {
+                    this.ssoLogin = true;
                }
            }