FSN#37583 Authenticatie via JWT

svn path=/Website/trunk/; revision=30624
2016-09-07 19:31:22 +00:00
parent a2fe16b441
commit 7b55681de7
1 changed files with 42 additions and 30 deletions
--- a/APPL/Shared/loginTry.asp
+++ b/APPL/Shared/loginTry.asp
@@ -110,17 +110,6 @@ if (user_key < 0 && jwt)
    if (claim.err)
        shared.internal_error("Invalid JWT: " + claim.err);

-    // We staan nooit twee keer dezelfde signature toe. Voorkomt alle replay-aanvallen
-    // Iets verderop onthouden we signature
-    var sql = "SELECT prs_perslid_key, fac_session_data "
-            + "  FROM fac_session "
-            + " WHERE fac_session_expire > sysdate "
-            + "   AND fac_session_sessionid_hash = " + safe.quoted_sql(claim.signature64);
-    var oRs = Oracle.Execute( sql );
-    if (!oRs.eof)
-        shared.internal_error("Invalid JWT: it has been used before.");
-    oRs.Close();
-
    var sql = "SELECT *"
            + "  FROM fac_idp"
            + " WHERE fac_idp_issuer = " + safe.quoted_sql(claim.payload.iss);
@@ -132,6 +121,20 @@ if (user_key < 0 && jwt)
    if (verify.err)
        shared.internal_error("Invalid JWT: " + verify.err);

+    if (!oRs("fac_idp_duration").Value) // single use tokens wil ik niet weer zien
+    {
+        // Voorkomt alle replay-aanvallen
+        // Iets verderop onthouden we signature
+        var sql = "SELECT prs_perslid_key, fac_session_data "
+                + "  FROM fac_session "
+                + " WHERE fac_session_expire > sysdate "
+                + "   AND fac_session_sessionid_hash = " + safe.quoted_sql(claim.signature64);
+        var oRs = Oracle.Execute( sql );
+        if (!oRs.eof)
+            shared.internal_error("Invalid JWT: it has been used before.");
+        oRs.Close();
+    }
+
    // en claim.jit registreren/ controleren in fac_session
    var isFACFACinternal = oRs("fac_idp_internal").Value != 0;
    if (isFACFACinternal && !claim.payload.fclt_realuser)
@@ -171,24 +174,27 @@ if (user_key < 0 && jwt)
            shared.internal_error("This IDP can only be used for users with WEB_FACFAC.");
        }

-        // Ongeldige lukken de volgende keer ook niet. Geldige wil ik niet weer zien
-        // De expiretijd gaat er alleen over wanneer ik mag opruimen. Neem daarbij uur speling
-        var agent = String(Request.ServerVariables("HTTP_USER_AGENT"));
-        var ip = String(Request.ServerVariables("REMOTE_ADDR"));
-        var sql = "INSERT INTO fac_session"
-               + "    (fac_session_sessionid_hash,"
-               + "     fac_session_data,"
-               + "     prs_perslid_key,"
-               + "     fac_session_expire,"
-               + "     fac_session_useragent,"
-               + "     fac_session_ip)"
-               + " VALUES(" + safe.quoted_sql(claim.signature64) + ", "
-               + "      'JWT replay preventer',"
-               +        user_key + ","
-               + "      SYSDATE + 1/24 + 1/24/60/60 * " + oRs("fac_idp_clockskew").Value + ", "
-               +        safe.quoted_sql(agent, 256) + ","
-               +        safe.quoted_sql(ip, 64) + ")";
-        Oracle.Execute(sql);
+        if (!oRs("fac_idp_duration").Value) // single use tokens wil ik niet weer zien
+        {                                   // ook al zijn ze alleen geldig van -clockskew tot +clockskew
+            // Ongeldige lukken de volgende keer ook niet. Geldige wil ik niet weer zien
+            // De expiretijd gaat er alleen over wanneer ik mag opruimen. Neem daarbij uur speling
+            var agent = String(Request.ServerVariables("HTTP_USER_AGENT"));
+            var ip = String(Request.ServerVariables("REMOTE_ADDR"));
+            var sql = "INSERT INTO fac_session"
+                   + "    (fac_session_sessionid_hash,"
+                   + "     fac_session_data,"
+                   + "     prs_perslid_key,"
+                   + "     fac_session_expire,"
+                   + "     fac_session_useragent,"
+                   + "     fac_session_ip)"
+                   + " VALUES(" + safe.quoted_sql(claim.signature64) + ", "
+                   + "      'JWT replay preventer',"
+                   +        user_key + ","
+                   + "      SYSDATE + 1/24 + 1/24/60/60 * " + oRs("fac_idp_clockskew").Value + ", "
+                   +        safe.quoted_sql(agent, 256) + ","
+                   +        safe.quoted_sql(ip, 64) + ")";
+            Oracle.Execute(sql);
+        }

        // Onthouden hoe je bent binnengekomen zodat logout naar logout_url kan leiden
        Session("idp_key") = oRs("fac_idp_key").Value;
@@ -236,6 +242,10 @@ if (user_key < 0 && getQParam("sso", ""))
        var ip = String(Request.ServerVariables("REMOTE_ADDR"));
        ip_ok = IP.inAnySubnet(ip, ip_restrict);
        __Log("SSO IP-restrictie {0} versus remote {1}: {2}".format(ip_restrict, ip, ip_ok));
+        if (!ip_ok)
+        {   // Always allow Private networks (RFC 1918)
+            ip_ok = IP.inAnySubnet(ip, "192.168.0.0/16,172.16.0.0/12,10.0.0.0/8");
+        }
    }

    if (!ip_ok)
@@ -252,7 +262,9 @@ if (user_key < 0 && getQParam("sso", ""))
    }
    var audience = oRs("fac_idp_audience").Value;
    var issuer = oRs("fac_idp_issuer").Value;
-    var url = oRs("fac_idp_remote_loginurl").Value + "?aud=" + safe.url(audience) + "&iss=" + safe.url(issuer) ;
+    var url = oRs("fac_idp_remote_loginurl").Value;
+    url += (url.indexOf("?")>=0?"&":"?") + "fac_id=" + customerId;
+    url += "&aud=" + safe.url(audience) + "&iss=" + safe.url(issuer) ;
    var redirect_uri = HTTP.urlzelf() + "/";
    var return_to = String(Request.ServerVariables("URL")).substr(rooturl.length) + "?" + String(Request.ServerVariables("QUERY_STRING"));
    return_to = return_to.replace(/^\/default.asp/i, "/"); // default.asp vooraan hoeft niet, ik wil cleane url