fix(oauth2): prevent profile redirect during OIDC consent flow

During an OIDC authorization code flow, users were intermittently
redirected to the IDP profile page instead of back to the client
application after submitting the consent form.

Author: smarcet

app/Strategies/OAuth2LoginStrategy.php

@@ -61,8 +61,10 @@ public function getLogin()
     {
         Log::debug("OAuth2LoginStrategy::getLogin");
 
-        if (!Auth::guest())
-            return Redirect::action("UserController@getProfile");
+        if (!Auth::guest()) {
+            Log::debug("OAuth2LoginStrategy::getLogin user already authenticated, redirecting to auth endpoint");
+            return Redirect::action("OAuth2\OAuth2ProviderController@auth");
+        }
 
         $this->login_hint_process_strategy->process();
 

app/libs/OAuth2/GrantTypes/InteractiveGrantType.php

@@ -461,7 +461,16 @@ protected function processUserHint(OAuth2AuthenticationRequest $request, Client
         $token_hint = $request->getIdTokenHint();
         $otp_login_hint = $request->getOTPLoginHint();
 
-        Log::debug(sprintf("InteractiveGrant::processUserHint request %s client %s", $request->__toString(), $client->getId()));
+        Log::debug
+        (
+            sprintf
+            (
+                "InteractiveGrant::processUserHint request %s client %s",
+                $request->__toString(),
+                $client->getId()
+            )
+        );
+
         // process login hint
         $user = null;
         if (!empty($otp_login_hint) && !empty ($login_hint)
@@ -484,7 +493,7 @@ protected function processUserHint(OAuth2AuthenticationRequest $request, Client
                 $user    = $this->auth_service->getUserById($user_id);
             }
             $request->markParamAsProcessed(OAuth2Protocol::OAuth2Protocol_LoginHint);
-        } else if(!empty($token_hint)) {
+        } else if(!empty($token_hint) && !$request->isProcessedParam(OAuth2Protocol::OAuth2Protocol_IDTokenHint)) {
             Log::debug("InteractiveGrant::processUserHint processing Token hint...");
 
             $jwt = BasicJWTFactory::build($token_hint);
@@ -544,6 +553,7 @@ protected function processUserHint(OAuth2AuthenticationRequest $request, Client
 
             $this->auth_service->reloadSession($jti->getValue());
 
+            $request->markParamAsProcessed(OAuth2Protocol::OAuth2Protocol_IDTokenHint);
         }
         if(!is_null($user))
         {
@@ -689,6 +699,15 @@ protected function shouldForceReLogin(OAuth2AuthorizationRequest $request, IClie
      */
     protected function mustAuthenticateUser(OAuth2AuthorizationRequest $request, Client $client)
     {
+        Log::debug
+        (
+            sprintf
+            (
+                "InteractiveGrant::mustAuthenticateUser: request %s client %s",
+                $request->__toString(),
+                $client->getClientId()
+            )
+        );
 
         if ($request instanceof OAuth2AuthenticationRequest) {
             try {
@@ -702,19 +721,22 @@ protected function mustAuthenticateUser(OAuth2AuthorizationRequest $request, Cli
                 throw $ex;
             }
             catch (Exception $ex){
-                Log::warning($ex);
+                Log::warning("InteractiveGrant::mustAuthenticateUser processUserHint generic error", [ 'error' => $ex]);
+                $this->auth_service->logout(false);
                 return true;
             }
         }
 
         if($this->shouldPromptLogin($request))
         {
+            Log::warning("InteractiveGrant::mustAuthenticateUser: shouldPromptLogin");
             $this->auth_service->logout(false);
             return true;
         }
 
         if($this->shouldForceReLogin($request, $client))
         {
+            Log::warning("InteractiveGrant::mustAuthenticateUser: shouldForceReLogin");
             $this->auth_service->logout(false);
             return true;
         }