Fix certificates for proxy communication and optional openid nonce is…

…sues (#974) * fix root certs * bump version * remove nonce check on the frontend * remove nonce
DefGuard · Jan 28, 2025 · 5cd8992 · 5cd8992
1 parent 185c0ba
commit 5cd8992
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "defguard"
-version = "1.2.1"
+version = "1.2.2"
 edition = "2021"
 license-file = "LICENSE.md"
 homepage = "https://defguard.net/"
@@ -84,7 +84,7 @@ tokio = { version = "1", features = [
 ] }
 tokio-stream = "0.1"
 tokio-util = "0.7"
-tonic = { version = "0.12", features = ["gzip", "tls", "tls-roots"] }
+tonic = { version = "0.12", features = ["gzip", "tls", "tls-native-roots"] }
 tonic-health = "0.12"
 totp-lite = { version = "2.0" }
 tower-http = { version = "0.6", features = ["fs", "trace"] }

diff --git a/src/grpc/mod.rs b/src/grpc/mod.rs
@@ -455,7 +455,7 @@ pub async fn run_grpc_bidi_stream(
         let tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca));
         endpoint.tls_config(tls)?
     } else {
-        endpoint
+        endpoint.tls_config(ClientTlsConfig::new().with_enabled_roots())?
     };
 
     loop {

diff --git a/web/src/pages/allow/OpenidAllowPage.tsx b/web/src/pages/allow/OpenidAllowPage.tsx
@@ -27,7 +27,6 @@ export const OpenidAllowPage = () => {
   const [scope, setScope] = useState<string | null>('');
   const [responseType, setResponseType] = useState<string | null>('');
   const [clientId, setClientId] = useState<string | null>('');
-  const [nonce, setNonce] = useState<string | null>('');
   const [redirectUri, setRedirectUri] = useState<string | null>('');
   const [state, setState] = useState<string | null>('');
   const [name, setName] = useState<string | null>('');
@@ -42,15 +41,16 @@ export const OpenidAllowPage = () => {
   const { LL } = useI18nContext();
 
   const paramsValid = useMemo(() => {
-    const check = [scope, responseType, clientId, nonce, redirectUri, state];
+    // nonce is optional in the auth code flow, just pass it as is further if it's in the params
+    const check = [scope, responseType, clientId, redirectUri, state];
     for (const item of check) {
       if (typeof item === 'undefined' || item === null) {
         toaster.error('OpenID Params invalid.');
         return false;
       }
     }
     return true;
-  }, [clientId, nonce, redirectUri, responseType, scope, state, toaster]);
+  }, [clientId, redirectUri, responseType, scope, state, toaster]);
 
   const handleSubmit = useCallback(
     (allow: boolean) => {
@@ -68,7 +68,6 @@ export const OpenidAllowPage = () => {
     setScope(params.get('scope'));
     setResponseType(params.get('response_type'));
     setClientId(params.get('client_id'));
-    setNonce(params.get('nonce'));
     setState(params.get('state'));
     setRedirectUri(params.get('redirect_uri'));
   }, [params]);