Change OIDC dummy identifier (#6263)

* Change OIDC dummy identifier * Update src/sso.rs Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx> * Use Org uuid as identifier --------- Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx> Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
2025-10-20 13:50:39 +03:00 · 2025-10-13 21:28:37 +02:00
parent e83faad8d2
commit 3f010a50af
3 changed files with 9 additions and 9 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -367,7 +367,7 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, mut co

    if let Some(identifier) = data.org_identifier {
        if identifier != crate::sso::FAKE_IDENTIFIER {
-            let org = match Organization::find_by_name(&identifier, &mut conn).await {
+            let org = match Organization::find_by_uuid(&identifier.into(), &mut conn).await {
                None => err!("Failed to retrieve the associated organization"),
                Some(org) => org,
            };
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -339,7 +339,7 @@ async fn get_user_collections(headers: Headers, mut conn: DbConn) -> Json<Value>
 }

 // Called during the SSO enrollment
-// The `identifier` should be the value returned by `get_org_domain_sso_details`
+// The `identifier` should be the value returned by `get_org_domain_sso_verified`
 // The returned `Id` will then be passed to `get_master_password_policy` which will mainly ignore it
 #[get("/organizations/<identifier>/auto-enroll-status")]
 async fn get_auto_enroll_status(identifier: &str, headers: Headers, mut conn: DbConn) -> JsonResult {
@@ -349,7 +349,7 @@ async fn get_auto_enroll_status(identifier: &str, headers: Headers, mut conn: Db
            None => None,
        }
    } else {
-        Organization::find_by_name(identifier, &mut conn).await
+        Organization::find_by_uuid(&identifier.into(), &mut conn).await
    };

    let (id, identifier, rp_auto_enroll) = match org {
@@ -977,17 +977,17 @@ async fn get_org_domain_sso_verified(data: Json<OrgDomainDetails>, mut conn: DbC
    let identifiers = match Organization::find_org_user_email(&data.email, &mut conn)
        .await
        .into_iter()
-        .map(|o| o.name)
-        .collect::<Vec<String>>()
+        .map(|o| (o.name, o.uuid.to_string()))
+        .collect::<Vec<(String, String)>>()
    {
        v if !v.is_empty() => v,
-        _ => vec![crate::sso::FAKE_IDENTIFIER.to_string()],
+        _ => vec![(crate::sso::FAKE_IDENTIFIER.to_string(), crate::sso::FAKE_IDENTIFIER.to_string())],
    };

    Ok(Json(json!({
        "object": "list",
-        "data": identifiers.into_iter().map(|identifier| json!({
-            "organizationName": identifier,     // appear unused
+        "data": identifiers.into_iter().map(|(name, identifier)| json!({
+            "organizationName": name,           // appear unused
            "organizationIdentifier": identifier,
            "domainName": CONFIG.domain(),      // appear unused
        })).collect::<Vec<Value>>()
--- a/src/sso.rs
+++ b/src/sso.rs
@@ -19,7 +19,7 @@ use crate::{
    CONFIG,
 };

-pub static FAKE_IDENTIFIER: &str = "Vaultwarden";
+pub static FAKE_IDENTIFIER: &str = "VW_DUMMY_IDENTIFIER_FOR_OIDC";

 static AC_CACHE: Lazy<Cache<OIDCState, AuthenticatedUser>> =
    Lazy::new(|| Cache::builder().max_capacity(1000).time_to_live(Duration::from_secs(10 * 60)).build());