5.x.OIDC fix post endsession and authorize #425

gianpaolo-tndigit · 2023-09-21T10:55:15Z

add ignore path for CSRF for:
"/endsession"
"/oauth/authorize"

to permit POST request as specifics OIDC

src/main/java/it/smartcommunitylab/aac/config/SecurityConfig.java

matteo-s · 2023-10-24T11:09:12Z

src/main/java/it/smartcommunitylab/aac/config/OAuth2UserSecurityConfig.java

@@ -106,8 +107,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // match only user endpoints
        http
            .requestMatcher(getRequestMatcher())
-            //                .authorizeRequests().anyRequest().authenticated().and()
-            .authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().hasAnyAuthority(Config.R_USER))
+            //.authorizeRequests().anyRequest().authenticated().and()


please format according to prettier and checkstyle rules

resolve with 17c2c28

…ecurityConfig

gianpaolo-tndigit closed this Sep 21, 2023

gianpaolo-tndigit reopened this Sep 21, 2023

gianpaolo-tndigit changed the base branch from master to 5.x September 21, 2023 11:02

matteo-s requested changes Sep 22, 2023

View reviewed changes

src/main/java/it/smartcommunitylab/aac/config/SecurityConfig.java Outdated Show resolved Hide resolved

gianpaolo-tndigit assigned matteo-s Sep 26, 2023

gianpaolo-tndigit added enhancement oidc labels Oct 3, 2023

matteo-s reviewed Oct 23, 2023

View reviewed changes

src/main/java/it/smartcommunitylab/aac/config/SecurityConfig.java Outdated Show resolved Hide resolved

matteo-s reviewed Oct 24, 2023

View reviewed changes

gianpaolo-tndigit and others added 5 commits November 3, 2023 14:53

fix #360 #424: disable CSRF for /endsession and /oauth/authorize

7659931

removed /endsession from this SecurityConfig and moved to OAuth2UserS…

13b42fe

…ecurityConfig

removed EndSesionEndpoint unused import

db81b2b

refactor with prettier

6c09602

prettier on updated config files

db4a2d5

matteo-s force-pushed the 5.x.oidc-fix-post branch from a2f42af to db4a2d5 Compare November 3, 2023 13:53

matteo-s merged commit 7b66254 into 5.x Nov 3, 2023

This was referenced Nov 23, 2023

authorize is possibile only by GET and not by POST #424

Closed

OIDC Rp endsession POST not supported #360

Closed

gianpaolo-tndigit deleted the 5.x.oidc-fix-post branch November 28, 2023 15:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

5.x.OIDC fix post endsession and authorize #425

5.x.OIDC fix post endsession and authorize #425

gianpaolo-tndigit commented Sep 21, 2023

matteo-s Oct 24, 2023

gianpaolo-tndigit Oct 25, 2023

5.x.OIDC fix post endsession and authorize #425

5.x.OIDC fix post endsession and authorize #425

Conversation

gianpaolo-tndigit commented Sep 21, 2023

matteo-s Oct 24, 2023

Choose a reason for hiding this comment

gianpaolo-tndigit Oct 25, 2023

Choose a reason for hiding this comment