https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42719
Bug ID: 42719
Summary: OAuth/OIDC login crashes with 500 when no CGISESSID cookie exists (IdP-initiated flow)
Initiative type: ---
Sponsorship status: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Authentication
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected]
When a user initiates login from the IdP (e.g. clicking an app tile in Okta),
they are redirected directly to Koha's
/api/v1/oauth/login/{provider}/{interface} endpoint without ever visiting a
Koha page first.
Since no Koha page was visited, no session exists and no CGISESSID cookie is
present. The code at Koha::REST::V1::OAuth::Client line 99 calls:
$c->req->cookie('CGISESSID')->value
This crashes with:
Can't call method "value" on an undefined value
The fix is to create a session on-the-fly when the initial OAuth request has no
existing session cookie. This supports IdP-initiated SSO flows while preserving
CSRF protection (the state parameter is still bound to the session via the
browser's cookie jar).
The same guard is needed on the callback branch's check_csrf call: if the
cookie is missing on callback, redirect with an error instead of crashing.
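The following is an added illustration of the guard the report asks for, written as a stand-alone Mojolicious::Lite app; it is not Koha's code and does not reproduce Koha::REST::V1::OAuth::Client. The in-memory %sessions hash, new_session_id, the route paths and the error query parameters are all constructed for the example; Koha's real session handling (CGI::Session via C4::Auth) and its OAuth client module are assumed, not shown. The one real API it relies on is Mojolicious: $c->req->cookie(NAME) returns a Mojo::Cookie::Request object or undef, which is exactly why dereferencing ->value on it without a check raises "Can't call method 'value' on an undefined value".

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojolicious::Lite -signatures;

# Toy in-memory session store standing in for Koha's C4::Auth sessions (assumption).
my %sessions;

# Constructed id generator; Koha's real ids come from CGI::Session.
sub new_session_id {
    return join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
}

# Returns (session_id, created_flag). Never dereferences a missing cookie:
# the crash in the report is `$c->req->cookie('CGISESSID')->value` when the
# browser sent no CGISESSID at all (IdP-initiated login, no prior Koha page).
sub ensure_session ($c) {
    my $cookie = $c->req->cookie('CGISESSID');    # undef when absent
    if ( $cookie && exists $sessions{ $cookie->value } ) {
        return ( $cookie->value, 0 );
    }
    # No usable session: create one on the fly and hand the cookie back,
    # so the OAuth state set below is still bound to this browser.
    my $id = new_session_id();
    $sessions{$id} = { created => time };
    $c->cookie( CGISESSID => $id, { path => '/', httponly => 1 } );
    return ( $id, 1 );
}

# Initial leg: works whether or not the browser already has a Koha session.
get '/api/v1/oauth/login/:provider/:interface' => sub ($c) {
    my ( $sid, $created ) = ensure_session($c);
    my $state = new_session_id();                 # anti-CSRF state nonce
    $sessions{$sid}{oauth_state} = $state;
    # A real implementation would now redirect to the IdP with this state.
    $c->render( json => { session => $sid, created => ( $created ? \1 : \0 ), state => $state } );
};

# Callback leg: a missing cookie means there is no session to check the
# state against, so fail closed with a redirect instead of a 500.
get '/api/v1/oauth/callback/:provider/:interface' => sub ($c) {
    my $cookie = $c->req->cookie('CGISESSID');
    unless ( $cookie && $sessions{ $cookie->value } ) {
        return $c->redirect_to('/?error=missing_session');
    }
    my $expected = $sessions{ $cookie->value }{oauth_state} // '';
    my $got      = $c->param('state') // '';
    return $c->redirect_to('/?error=state_mismatch')
        unless length $expected && $expected eq $got;
    $c->render( json => { ok => \1 } );
};

app->start;
```

Run it with `perl app.pl daemon` and request the login route once with no cookie jar (a fresh session is minted and returned in Set-Cookie) and once with the CGISESSID it handed back (the same id is reused). Calling the callback route with no cookie, or with a state that does not match the one stored in the session, yields a redirect to the error URL rather than a crash. Note that the controller-level helper `$c->cookie('CGISESSID')` already returns the value or undef, so reading the cookie that way is an alternative to guarding the Mojo::Cookie::Request object; either form removes the undefined dereference.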
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/