
Conversation

@AMDoellal

Signed-off-by: aldo [email protected]

Description

The redirection logic after successful OIDC login has been adjusted to prevent redirection to the callback or login page. This prevents an infinite loop that previously led to a ‘Maximum call stack size exceeded’ error. This improves the stability of the login flow and ensures correct redirection after successful authentication.

Addressed Issue

This change fixes the issue from Issue #5098.

Checklist

@owasp-dt-bot

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@sebdanielsson

@nscuro can you take a look at this? Currently preventing SSO with Entra, and a couple of other IDPs I believe.

@sebdanielsson

sebdanielsson commented Nov 12, 2025

window.location.href = redirectTo && isUrlSaveForRedirect(redirectTo) ? redirectTo : "../";
const redirectTo = user.state;
// Prevent redirect to the callback or login page
const forbiddenRedirects = [window.location.pathname, '/login', 'oidc-callback.html'];
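Review bot: the deny list on the last line mixes an absolute path ('/login'), a bare file name ('oidc-callback.html') and the current `window.location.pathname`, so a plain equality check against `redirectTo` will miss variants such as '/oidc-callback.html?code=...' or './oidc-callback.html' and the loop can recur; resolve the target first, e.g. `new URL(redirectTo, window.location.href).pathname`, and compare the normalized path. The replaced line also guarded the target with `isUrlSaveForRedirect(redirectTo)`; that same-origin check should survive the rewrite, since a loop fix must not loosen the open-redirect protection.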
Member

Preventing a redirect to /login would break OIDC authentication entirely, since that is where the actual authentication with DT happens:

// oidcUser will only be set when coming from oidc-callback.html
if (oidcUser === null) {
return;
}
// Exchange OAuth2 Access Token for a JWT issued by Dependency-Track
const url = this.$api.BASE_URL + '/' + this.$api.URL_USER_OIDC_LOGIN;
const requestBody = {
accessToken: oidcUser.access_token,
idToken: oidcUser.id_token,
};
const config = {
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
};

Was this fix tested?

@nscuro
Member

nscuro commented Nov 14, 2025

Related: #1380
