admin/ludikevent_crm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: forcer session save et retry automatique pour SSO invalid state

Browse Source 
Sauvegarde explicite de la session avant la redirection OAuth pour
garantir la persistance du state parameter. Retry automatique du
flow SSO en cas d'InvalidStateAuthenticationException.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
2026-03-26 09:03:23 +01:00
parent 9a04b30913
commit 2c43d8f0ce
4 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/Controller/EtlController.php
View File

@@ -1077,7 +1077,7 @@ class EtlController extends AbstractController
} }
#[Route('/etl/connect/keycloak', name: 'connect_keycloak_etl_start')] #[Route('/etl/connect/keycloak', name: 'connect_keycloak_etl_start')]
public function connectKeycloakEtlStart(ClientRegistry $clientRegistry): Response public function connectKeycloakEtlStart(ClientRegistry $clientRegistry, Request $request): Response
{ {
$response = $clientRegistry $response = $clientRegistry
->getClient('keycloak_etl') ->getClient('keycloak_etl')
@@ -1085,6 +1085,8 @@ class EtlController extends AbstractController
$response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate'); $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate');
$response->headers->set('Pragma', 'no-cache'); $response->headers->set('Pragma', 'no-cache');
$request->getSession()->save();
return $response; return $response;
} }

4
src/Controller/HomeController.php
View File

@@ -26,7 +26,7 @@ class HomeController extends AbstractController
{ {
#[Route('/intranet/connect/keycloak', name: 'connect_keycloak_start')] #[Route('/intranet/connect/keycloak', name: 'connect_keycloak_start')]
public function connect(ClientRegistry $clientRegistry): Response public function connect(ClientRegistry $clientRegistry, Request $request): Response
{ {
$response = $clientRegistry $response = $clientRegistry
->getClient('keycloak') ->getClient('keycloak')
@@ -34,6 +34,8 @@ class HomeController extends AbstractController
$response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate'); $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate');
$response->headers->set('Pragma', 'no-cache'); $response->headers->set('Pragma', 'no-cache');
$request->getSession()->save();
return $response; return $response;
} }

5
src/Security/EtlKeycloakAuthenticator.php
View File

@@ -17,6 +17,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport; use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface; use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Uid\Uuid; use Symfony\Component\Uid\Uuid;
use KnpU\OAuth2ClientBundle\Security\Exception\InvalidStateAuthenticationException;
class EtlKeycloakAuthenticator extends OAuth2Authenticator implements AuthenticationEntryPointInterface class EtlKeycloakAuthenticator extends OAuth2Authenticator implements AuthenticationEntryPointInterface
{ {
@@ -89,6 +90,10 @@ class EtlKeycloakAuthenticator extends OAuth2Authenticator implements Authentica
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
{ {
if ($exception instanceof InvalidStateAuthenticationException) {
return new RedirectResponse($this->router->generate('connect_keycloak_etl_start'));
}
$message = strtr($exception->getMessageKey(), $exception->getMessageData()); $message = strtr($exception->getMessageKey(), $exception->getMessageData());
return new Response($message, Response::HTTP_FORBIDDEN); return new Response($message, Response::HTTP_FORBIDDEN);
} }

5
src/Security/KeycloakAuthenticator.php
View File

@@ -18,6 +18,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport; use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface; use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Uid\Uuid; use Symfony\Component\Uid\Uuid;
use KnpU\OAuth2ClientBundle\Security\Exception\InvalidStateAuthenticationException;
class KeycloakAuthenticator extends OAuth2Authenticator implements AuthenticationEntryPointInterface class KeycloakAuthenticator extends OAuth2Authenticator implements AuthenticationEntryPointInterface
{ {
@@ -91,6 +92,10 @@ class KeycloakAuthenticator extends OAuth2Authenticator implements Authenticatio
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
{ {
if ($exception instanceof InvalidStateAuthenticationException) {
return new RedirectResponse($this->router->generate('connect_keycloak_start'));
}
$message = strtr($exception->getMessageKey(), $exception->getMessageData()); $message = strtr($exception->getMessageKey(), $exception->getMessageData());
return new Response($message, Response::HTTP_FORBIDDEN); return new Response($message, Response::HTTP_FORBIDDEN);
} }