@ -10,6 +10,19 @@ const OIDCStrategy = require('passport-azure-ad').OIDCStrategy
module . exports = {
init ( passport , conf ) {
// Workaround for Chrome's SameSite cookies
// cookieSameSite needs useCookieInsteadOfSession to work correctly.
// cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.
// It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.
// Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.
const keyArray = [ ] ;
if ( conf . cookieEncryptionKeyString ) {
let keyString = conf . cookieEncryptionKeyString ;
while ( keyString . length >= 44 ) {
keyArray . push ( { key : keyString . substring ( 0 , 32 ) , iv : keyString . substring ( 32 , 44 ) } ) ;
keyString = keyString . substring ( 44 ) ;
}
}
passport . use ( 'azure' ,
new OIDCStrategy ( {
identityMetadata : conf . entryPoint ,
@ -19,7 +32,10 @@ module.exports = {
responseMode : 'form_post' ,
scope : [ 'profile' , 'email' , 'openid' ] ,
allowHttpForRedirectUrl : WIKI . IS _DEBUG ,
passReqToCallback : true
passReqToCallback : true ,
cookieSameSite : keyArray . length > 0 ,
useCookieInsteadOfSession : keyArray . length > 0 ,
cookieEncryptionKeys : keyArray
} , async ( req , iss , sub , profile , cb ) => {
const usrEmail = _ . get ( profile , '_json.email' , null ) || _ . get ( profile , '_json.preferred_username' )
try {