18F · mitchellhenke · Dec 6, 2023 · Nov 2, 2023 · Nov 28, 2023 · Nov 30, 2023
diff --git a/app/controllers/concerns/secure_headers_concern.rb b/app/controllers/concerns/secure_headers_concern.rb
@@ -3,6 +3,7 @@ module SecureHeadersConcern
 
   def apply_secure_headers_override
     return if stored_url_for_user.blank?
+    return unless IdentityConfig.store.openid_connect_content_security_form_action_enabled
 
     authorize_form = OpenidConnectAuthorizeForm.new(authorize_params)
     return unless authorize_form.valid?

diff --git a/app/controllers/openid_connect/authorization_controller.rb b/app/controllers/openid_connect/authorization_controller.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OpenidConnect
   class AuthorizationController < ApplicationController
     include FullyAuthenticatable
@@ -73,7 +75,16 @@ def ial_context
     def handle_successful_handoff
       track_events
       SpHandoffBounce::AddHandoffTimeToSession.call(sp_session)
-      redirect_to @authorize_form.success_redirect_uri, allow_other_host: true
+      if IdentityConfig.store.openid_connect_redirect_interstitial_enabled
+        @oidc_redirect_uri = @authorize_form.success_redirect_uri
+        render(
+          'openid_connect/shared/redirect',
+          layout: false,
+        )
+      else
+        redirect_to @authorize_form.success_redirect_uri, allow_other_host: true
+      end
+
       delete_branded_experience
     end
 
@@ -97,6 +108,7 @@ def build_authorize_form_from_params
     end
 
     def secure_headers_override
+      return unless IdentityConfig.store.openid_connect_content_security_form_action_enabled
       csp_uris = SecureHeadersAllowList.csp_with_sp_redirect_uris(
         @authorize_form.redirect_uri,
         @authorize_form.service_provider.redirect_uris,
@@ -117,11 +129,18 @@ def pre_validate_authorize_form
         ),
       )
       return if result.success?
+      redirect_uri = result.extra[:redirect_uri]
 
-      if (redirect_uri = result.extra[:redirect_uri])
-        redirect_to redirect_uri, allow_other_host: true
-      else
+      if redirect_uri.nil?
         render :error
+      elsif IdentityConfig.store.openid_connect_redirect_interstitial_enabled
+        @oidc_redirect_uri = redirect_uri
+        render(
+          'openid_connect/shared/redirect',
+          layout: false,
+        )
+      else
+        redirect_to redirect_uri, allow_other_host: true
       end
     end
 

diff --git a/app/controllers/openid_connect/logout_controller.rb b/app/controllers/openid_connect/logout_controller.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OpenidConnect
   class LogoutController < ApplicationController
     include SecureHeadersConcern
@@ -29,10 +31,18 @@ def delete
         irs_attempts_api_tracker.logout_initiated(success: result.success?)
 
         sign_out
-        redirect_to(
-          redirect_uri,
-          allow_other_host: true,
-        )
+        if IdentityConfig.store.openid_connect_redirect_interstitial_enabled
+          @oidc_redirect_uri = redirect_uri
+          render(
+            'openid_connect/shared/redirect',
+            layout: false,
+          )
+        else
+          redirect_to(
+            redirect_uri,
+            allow_other_host: true,
+          )
+        end
       else
         render :error
       end
@@ -42,6 +52,7 @@ def delete
 
     def apply_logout_secure_headers_override(redirect_uri, service_provider)
       return if service_provider.nil? || redirect_uri.nil?
+      return unless IdentityConfig.store.openid_connect_content_security_form_action_enabled
 
       uris = SecureHeadersAllowList.csp_with_sp_redirect_uris(
         redirect_uri,
@@ -82,10 +93,19 @@ def handle_successful_logout_request(result, redirect_uri)
         irs_attempts_api_tracker.logout_initiated(success: result.success?)
 
         sign_out
-        redirect_to(
-          redirect_uri,
-          allow_other_host: true,
-        )
+
+        if IdentityConfig.store.openid_connect_redirect_interstitial_enabled
+          @oidc_redirect_uri = redirect_uri
+          render(
+            'openid_connect/shared/redirect',
+            layout: false,
+          )
+        else
+          redirect_to(
+            redirect_uri,
+            allow_other_host: true,
+          )
+        end
       end
     end
 

diff --git a/app/views/openid_connect/shared/redirect.html.erb b/app/views/openid_connect/shared/redirect.html.erb
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title><%= t('headings.redirecting') %> | <%= APP_NAME %></title>
+    <%= stylesheet_link_tag 'application', media: 'all' %>
+    <%= render_stylesheet_once_tags %>
+    <meta content="0;url=<%= @oidc_redirect_uri %>" http-equiv="refresh" />
+  </head>
+  <body class="tablet:bg-primary-lighter">
+  </body>
+</html>
diff --git a/app/views/saml_idp/shared/saml_post_binding.html.erb b/app/views/saml_idp/shared/saml_post_binding.html.erb
@@ -2,7 +2,7 @@
 <html>
   <head>
     <meta charset="utf-8" />
-    <title><%= t('.redirecting') %> | <%= APP_NAME %></title>
+    <title><%= t('headings.redirecting') %> | <%= APP_NAME %></title>
     <%= csrf_meta_tags %>
     <%= stylesheet_link_tag 'application', media: 'all' %>
     <%= render_stylesheet_once_tags %>

diff --git a/config/application.yml.default b/config/application.yml.default
@@ -211,6 +211,8 @@ multi_region_kms_migration_jobs_profile_timeout: 120
 multi_region_kms_migration_jobs_user_count: 1000
 multi_region_kms_migration_jobs_user_timeout: 120
 mx_timeout: 3
+openid_connect_redirect_interstitial_enabled: true
+openid_connect_content_security_form_action_enabled: false
 otp_delivery_blocklist_maxretry: 10
 otp_valid_for: 10
 otp_expiration_warning_seconds: 150
@@ -470,6 +472,8 @@ production:
   logins_per_ip_track_only_mode: true
   newrelic_license_key: ''
   nonessential_email_banlist: '[]'
+  openid_connect_redirect_interstitial_enabled: false
+  openid_connect_content_security_form_action_enabled: true
   otp_delivery_blocklist_findtime: 5
   participate_in_dap: true
   password_pepper:

diff --git a/config/locales/headings/en.yml b/config/locales/headings/en.yml
@@ -56,6 +56,7 @@ en:
     piv_cac_setup:
       already_associated: The PIV/CAC you presented is associated with another user.
       new: Use your PIV/CAC card to secure your account
+    redirecting: Redirecting
     residential_address: Current residential address
     session_timeout_warning: Need more time?
     sign_in_existing_users: Sign in for existing users

diff --git a/config/locales/headings/es.yml b/config/locales/headings/es.yml
@@ -56,6 +56,7 @@ es:
     piv_cac_setup:
       already_associated: La PIV/CAC que has presentado está asociada a otro usuario.
       new: Use su tarjeta PIV/CAC para asegurar su cuenta
+    redirecting: Redirigiendo
     residential_address: Dirección residencial actual
     session_timeout_warning: '¿Necesita más tiempo?'
     sign_in_existing_users: Iniciar sesión para usuarios existentes

diff --git a/config/locales/headings/fr.yml b/config/locales/headings/fr.yml
@@ -59,6 +59,7 @@ fr:
       already_associated: La carte PIV/CAC que vous avez présentée est associée à un
         autre utilisateur.
       new: Utilisez votre carte PIV/CAC pour sécuriser votre compte
+    redirecting: Redirection
     residential_address: Adresse de résidence actuelle
     session_timeout_warning: Vous avez besoin de plus de temps?
     sign_in_existing_users: S’identifier pour les utilisateurs existants

diff --git a/config/locales/saml_idp/en.yml b/config/locales/saml_idp/en.yml
@@ -10,4 +10,3 @@ en:
         no_js: JavaScript seems to be turned off in your browser. Normally this step
           happens automatically, but because you have JavaScript turned off,
           please click the submit button to continue signing in or signing out.
-        redirecting: Redirecting
diff --git a/config/locales/saml_idp/es.yml b/config/locales/saml_idp/es.yml
@@ -11,4 +11,3 @@ es:
           paso se realiza automáticamente, pero debido a que tiene JavaScript
           desactivado, haga clic en el botón Enviar para continuar iniciando o
           cerrando la sesión.
-        redirecting: Redirigiendo
diff --git a/config/locales/saml_idp/fr.yml b/config/locales/saml_idp/fr.yml
@@ -11,4 +11,3 @@ fr:
           cette étape se déroule automatiquement, mais parce que vous avez
           désactivé le JavaScript, veuillez cliquer sur le lien « soumettre »
           pour continuer ou pour vous déconnecter.
-        redirecting: Redirection
diff --git a/lib/identity_config.rb b/lib/identity_config.rb
@@ -322,6 +322,8 @@ def self.build_store(config_map)
     config.add(:mx_timeout, type: :integer)
     config.add(:newrelic_license_key, type: :string)
     config.add(:nonessential_email_banlist, type: :json)
+    config.add(:openid_connect_redirect_interstitial_enabled, type: :boolean)
+    config.add(:openid_connect_content_security_form_action_enabled, type: :boolean)
     config.add(:otp_delivery_blocklist_findtime, type: :integer)
     config.add(:otp_delivery_blocklist_maxretry, type: :integer)
     config.add(:otp_expiration_warning_seconds, type: :integer)