Fix CSP when using ONE_CLICK_SSO_LOGIN (#26901)

2023-09-13 19:54:04 +02:00 · 2023-09-13 19:54:04 +02:00 · a04ae16201
commit a04ae16201
parent 921c6fe654
3 changed files with 16 additions and 10 deletions
--- a/config/initializers/3_omniauth.rb
+++ b/config/initializers/3_omniauth.rb
@ -1,5 +1,9 @@
 # frozen_string_literal: true

+# OmniAuth providers need to be initialized before the CSP initializer
+# in `config/initializers/content_security_policy.rb`, which sets the
+# `form-action` directive based on them.
+
 Rails.application.config.middleware.use OmniAuth::Builder do
  # Vanilla omniauth strategies
 end
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@ -26,12 +26,14 @@ def sso_host

  provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
  @sso_host ||= begin
-    # using CAS
-    provider.cas_url if ENV['CAS_ENABLED'] == 'true'
-    # using SAML
-    provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true'
-    # or using OIDC
-    ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true')
+    case provider.provider
+    when :cas
+      provider.cas_url
+    when :saml
+      provider.options[:idp_sso_target_url]
+    when :openid_connect
+      provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint
+    end
  end
 end