Allow use Azure Authorization Flow to login and avoid problems with thirdy party cookies

4 months ago · ab830d7662
parent ece5753ebb
commit ab830d7662
2 changed files with 42 additions and 3 deletions
--- a/server/modules/authentication/azure/authentication.js
+++ b/server/modules/authentication/azure/authentication.js
@ -23,19 +23,35 @@ module.exports = {
        keyString = keyString.substring(44);
      }
    }
+	
+	// If a client secret was passed, then we use code flow! 
+	// If not, just use the same value previous version of wiki.js!
+	// Same for response mode. We want query respondeMode to avoid depending on cookies!
+	let respType = conf.clientSecret ? 'code' : 'id_token'
+	let respMode = conf.clientSecret ? 'query' : 'form_post'
+	let issuerList;
+	
+	if(conf.issuerList){
+		// List of issuers.
+		// Expect each line containing the issuer definition!
+		issuerList = conf.issuerList.split('\n');
+	}
+	
    passport.use(conf.key,
      new OIDCStrategy({
        identityMetadata: conf.entryPoint,
        clientID: conf.clientId,
        redirectUrl: conf.callbackURL,
-        responseType: 'id_token',
-        responseMode: 'form_post',
+        responseType: respType,
+        responseMode: respMode,
        scope: ['profile', 'email', 'openid'],
-        allowHttpForRedirectUrl: WIKI.IS_DEBUG,
+        allowHttpForRedirectUrl: (WIKI.IS_DEBUG || conf.allowHttp),
        passReqToCallback: true,
        cookieSameSite: keyArray.length > 0,
        useCookieInsteadOfSession: keyArray.length > 0,
        cookieEncryptionKeys: keyArray
+		,clientSecret: conf.clientSecret
+		,issuer: issuerList
      }, async (req, iss, sub, profile, cb) => {
        const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
        try {
--- a/server/modules/authentication/azure/definition.yml
+++ b/server/modules/authentication/azure/definition.yml
@ -27,3 +27,26 @@ props:
    title: Cookie Encryption Key String
    hint: Random string with 44-character length.  Setting this enables workaround for Chrome's SameSite cookies.
    order: 3
+  allowHttp:
+    type: Boolean
+    title: Allow Http
+    hint: Enable HTTP for redirect URIs, ideal for localhost use without requiring debug mode in Wiki.js.
+    default: false
+    order: 4
+  clientSecret:
+    type: String
+    title: Client Secret
+    hint: When configured, this setting mandates the module to exclusively utilize the Authorization Code Flow for authentication. To enable this, you are required to create a secret within the Azure Portal. This is achieved by accessing the "Authentication" section found in the settings of your registered application.
+    order: 5
+  issuerList:
+    type: String
+    title: Alternate Issuer List
+    multiline: true
+    hint: '
+        Alternate issuers to allow. Each line should specify an issuer string. A typical format for the v2 endpoint resembles: https://login.microsoftonline.com/YOUR-TENANT-ID/v2.0. 
+        Pro Tip: To retrieve metadata about your tenant, navigate to https://login.microsoftonline.com/TENANT-NAME/v2.0/.well-known/openid-configuration in your web browser. 
+        For instance, to obtain information for a tenant named example.com, you would visit: https://login.microsoftonline.com/example.com/v2.0/.well-known/openid-configuration. This URL provides detailed metadata concerning the specified tenant.
+        Locate the "issuer" field, which holds the issuer string. Simply copy its contents and paste them here for use.
+        Useful when using common or organizations endpoints (for multi-tenant auths).
+     '
+    order: 6