mirror of
https://github.com/logto-io/logto.git
synced 2025-01-13 21:30:30 -05:00
feat(core): implement SAML IdP response flow
implement SAML IdP respones flow
This commit is contained in:
parent
96fd7ba49f
commit
08928fffa4
3 changed files with 246 additions and 1 deletions
|
@ -1,10 +1,33 @@
|
||||||
|
import { parseJson } from '@logto/connector-kit';
|
||||||
|
import { BindingType } from '@logto/schemas';
|
||||||
|
import camelcaseKeys from 'camelcase-keys';
|
||||||
|
import { got } from 'got';
|
||||||
|
import saml from 'samlify';
|
||||||
import { z } from 'zod';
|
import { z } from 'zod';
|
||||||
|
|
||||||
|
import RequestError from '#src/errors/RequestError/index.js';
|
||||||
import koaGuard from '#src/middleware/koa-guard.js';
|
import koaGuard from '#src/middleware/koa-guard.js';
|
||||||
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
|
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
|
||||||
|
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
|
||||||
|
import { oidcTokenResponseGuard } from '#src/sso/types/oidc.js';
|
||||||
|
|
||||||
|
import assertThat from '../../utils/assert-that.js';
|
||||||
|
|
||||||
|
import { createSamlTemplateCallback, samlLogInResponseTemplate } from './utils.js';
|
||||||
|
|
||||||
|
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
|
||||||
|
z.object({
|
||||||
|
code: z.string(),
|
||||||
|
iss: z.string(),
|
||||||
|
}),
|
||||||
|
z.object({
|
||||||
|
error: z.string(),
|
||||||
|
error_description: z.string().optional(),
|
||||||
|
}),
|
||||||
|
]);
|
||||||
|
|
||||||
export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>(
|
export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>(
|
||||||
...[router, { libraries }]: RouterInitArgs<T>
|
...[router, { libraries, queries }]: RouterInitArgs<T>
|
||||||
) {
|
) {
|
||||||
const {
|
const {
|
||||||
samlApplications: { getSamlIdPMetadataByApplicationId },
|
samlApplications: { getSamlIdPMetadataByApplicationId },
|
||||||
|
@ -29,4 +52,150 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
|
router.get(
|
||||||
|
'/saml-applications/:id/callback',
|
||||||
|
koaGuard({
|
||||||
|
params: z.object({ id: z.string() }),
|
||||||
|
status: [200],
|
||||||
|
}),
|
||||||
|
async (ctx, next) => {
|
||||||
|
const { id } = ctx.guard.params;
|
||||||
|
const queryParameters = ctx.request.query;
|
||||||
|
|
||||||
|
// Find the SAML application secret by application ID
|
||||||
|
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
|
||||||
|
const {
|
||||||
|
secret,
|
||||||
|
oidcClientMetadata: { redirectUris },
|
||||||
|
} = await applications.findApplicationById(id);
|
||||||
|
|
||||||
|
// Sign-in callback handler
|
||||||
|
const query = samlApplicationSignInCallbackQueryParametersGuard.safeParse(queryParameters);
|
||||||
|
|
||||||
|
if (!query.success) {
|
||||||
|
throw new RequestError('guard.invalid_input');
|
||||||
|
}
|
||||||
|
|
||||||
|
if ('error' in query.data) {
|
||||||
|
throw new RequestError({
|
||||||
|
code: 'oidc.invalid_request',
|
||||||
|
status: 400,
|
||||||
|
message: query.data.error_description,
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: need to validate state for SP initiated SAML flow
|
||||||
|
const { code, iss } = query.data;
|
||||||
|
|
||||||
|
const { tokenEndpoint, userinfoEndpoint } = await fetchOidcConfig(iss);
|
||||||
|
|
||||||
|
const headers = {
|
||||||
|
Authorization: `Basic ${Buffer.from(`${id}:${secret}`, 'utf8').toString('base64')}`,
|
||||||
|
'Content-Type': 'application/x-www-form-urlencoded',
|
||||||
|
};
|
||||||
|
|
||||||
|
const tokenRequestParameters = new URLSearchParams({
|
||||||
|
grant_type: 'authorization_code',
|
||||||
|
code,
|
||||||
|
client_id: id,
|
||||||
|
redirect_uri: redirectUris[0] ?? '',
|
||||||
|
});
|
||||||
|
|
||||||
|
// TODO: error handling
|
||||||
|
// Exchange the authorization code for an access token
|
||||||
|
const httpResponse = await got.post(tokenEndpoint, {
|
||||||
|
body: tokenRequestParameters.toString(),
|
||||||
|
headers,
|
||||||
|
});
|
||||||
|
|
||||||
|
const result = oidcTokenResponseGuard.safeParse(parseJson(httpResponse.body));
|
||||||
|
|
||||||
|
if (!result.success) {
|
||||||
|
throw new RequestError({
|
||||||
|
code: 'oidc.invalid_token',
|
||||||
|
status: 400,
|
||||||
|
message: 'Invalid token response',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
const { accessToken } = camelcaseKeys(result.data);
|
||||||
|
|
||||||
|
assertThat(accessToken, new RequestError('oidc.access_denied'));
|
||||||
|
|
||||||
|
const userInfo = await getUserInfo(accessToken, userinfoEndpoint);
|
||||||
|
|
||||||
|
const { metadata } = await getSamlIdPMetadataByApplicationId(id);
|
||||||
|
const { privateKey } =
|
||||||
|
await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
|
||||||
|
const { entityId, acsUrl } =
|
||||||
|
await samlApplicationConfigs.findSamlApplicationConfigByApplicationId(id);
|
||||||
|
|
||||||
|
assertThat(entityId && acsUrl, 'application.saml.entity_id_required');
|
||||||
|
|
||||||
|
// eslint-disable-next-line new-cap
|
||||||
|
const idp = saml.IdentityProvider({
|
||||||
|
metadata,
|
||||||
|
privateKey,
|
||||||
|
isAssertionEncrypted: false,
|
||||||
|
loginResponseTemplate: {
|
||||||
|
context: samlLogInResponseTemplate,
|
||||||
|
attributes: [
|
||||||
|
{
|
||||||
|
name: 'email',
|
||||||
|
valueTag: 'email',
|
||||||
|
nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
|
||||||
|
valueXsiType: 'xs:string',
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: 'name',
|
||||||
|
valueTag: 'name',
|
||||||
|
nameFormat: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
|
||||||
|
valueXsiType: 'xs:string',
|
||||||
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
|
});
|
||||||
|
|
||||||
|
const binding = acsUrl.binding ?? BindingType.Post;
|
||||||
|
|
||||||
|
// eslint-disable-next-line new-cap
|
||||||
|
const sp = saml.ServiceProvider({
|
||||||
|
entityID: entityId,
|
||||||
|
assertionConsumerService: [
|
||||||
|
{
|
||||||
|
Binding: binding,
|
||||||
|
Location: acsUrl.url,
|
||||||
|
},
|
||||||
|
],
|
||||||
|
});
|
||||||
|
|
||||||
|
// TODO: fix binding method
|
||||||
|
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
|
||||||
|
const { context, entityEndpoint } = await idp.createLoginResponse(
|
||||||
|
sp,
|
||||||
|
// @ts-expect-error --fix request object later
|
||||||
|
null,
|
||||||
|
'post',
|
||||||
|
userInfo,
|
||||||
|
createSamlTemplateCallback(idp, sp, userInfo)
|
||||||
|
);
|
||||||
|
|
||||||
|
ctx.body = `
|
||||||
|
<html>
|
||||||
|
<body>
|
||||||
|
<form id="redirectForm" action="${entityEndpoint}" method="POST">
|
||||||
|
<input type="hidden" name="SAMLResponse" value="${context}" />
|
||||||
|
<input type="submit" value="Submit" />
|
||||||
|
</form>
|
||||||
|
<script>
|
||||||
|
document.getElementById('redirectForm').submit();
|
||||||
|
</script>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
`;
|
||||||
|
|
||||||
|
return next();
|
||||||
|
}
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
74
packages/core/src/saml-applications/routes/utils.ts
Normal file
74
packages/core/src/saml-applications/routes/utils.ts
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
import { generateStandardId } from '@logto/shared';
|
||||||
|
import saml from 'samlify';
|
||||||
|
|
||||||
|
import { type idTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
|
||||||
|
|
||||||
|
export const samlLogInResponseTemplate = `
|
||||||
|
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}">
|
||||||
|
<saml:Issuer>{Issuer}</saml:Issuer>
|
||||||
|
<samlp:Status>
|
||||||
|
<samlp:StatusCode Value="{StatusCode}"/>
|
||||||
|
</samlp:Status>
|
||||||
|
<saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
|
||||||
|
<saml:Issuer>{Issuer}</saml:Issuer>
|
||||||
|
<saml:Subject>
|
||||||
|
<saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID>
|
||||||
|
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
||||||
|
<saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/>
|
||||||
|
</saml:SubjectConfirmation>
|
||||||
|
</saml:Subject>
|
||||||
|
<saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}">
|
||||||
|
<saml:AudienceRestriction>
|
||||||
|
<saml:Audience>{Audience}</saml:Audience>
|
||||||
|
</saml:AudienceRestriction>
|
||||||
|
</saml:Conditions>
|
||||||
|
{AttributeStatement}
|
||||||
|
</saml:Assertion>
|
||||||
|
</samlp:Response>`;
|
||||||
|
|
||||||
|
export const createSamlTemplateCallback =
|
||||||
|
(
|
||||||
|
idp: saml.IdentityProviderInstance,
|
||||||
|
sp: saml.ServiceProviderInstance,
|
||||||
|
user: idTokenProfileStandardClaims
|
||||||
|
) =>
|
||||||
|
(template: string) => {
|
||||||
|
const assertionConsumerServiceUrl = sp.entityMeta.getAssertionConsumerService(
|
||||||
|
saml.Constants.wording.binding.post
|
||||||
|
);
|
||||||
|
|
||||||
|
const { nameIDFormat } = idp.entitySetting;
|
||||||
|
const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
|
||||||
|
|
||||||
|
const id = `ID_${generateStandardId()}`;
|
||||||
|
const now = new Date();
|
||||||
|
const expireAt = new Date(now.getTime() + 10 * 60 * 1000); // 10 minutes later
|
||||||
|
|
||||||
|
const tagValues = {
|
||||||
|
ID: id,
|
||||||
|
AssertionID: `ID_${generateStandardId()}`,
|
||||||
|
Destination: assertionConsumerServiceUrl,
|
||||||
|
Audience: sp.entityMeta.getEntityID(),
|
||||||
|
EntityID: sp.entityMeta.getEntityID(),
|
||||||
|
SubjectRecipient: assertionConsumerServiceUrl,
|
||||||
|
Issuer: idp.entityMeta.getEntityID(),
|
||||||
|
IssueInstant: now.toISOString(),
|
||||||
|
AssertionConsumerServiceURL: assertionConsumerServiceUrl,
|
||||||
|
StatusCode: 'urn:oasis:names:tc:SAML:2.0:status:Success',
|
||||||
|
ConditionsNotBefore: now.toISOString(),
|
||||||
|
ConditionsNotOnOrAfter: expireAt.toISOString(),
|
||||||
|
SubjectConfirmationDataNotOnOrAfter: expireAt.toISOString(),
|
||||||
|
NameIDFormat: selectedNameIDFormat,
|
||||||
|
NameID: user.sub,
|
||||||
|
InResponseTo: 'null',
|
||||||
|
attrEmail: user.email,
|
||||||
|
attrName: user.name,
|
||||||
|
};
|
||||||
|
|
||||||
|
const context = saml.SamlLib.replaceTagsByValue(template, tagValues);
|
||||||
|
|
||||||
|
return {
|
||||||
|
id,
|
||||||
|
context,
|
||||||
|
};
|
||||||
|
};
|
|
@ -77,3 +77,5 @@ export const idTokenProfileStandardClaimsGuard = z.object({
|
||||||
profile: z.string().nullish(),
|
profile: z.string().nullish(),
|
||||||
nonce: z.string().nullish(),
|
nonce: z.string().nullish(),
|
||||||
});
|
});
|
||||||
|
|
||||||
|
export type idTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;
|
||||||
|
|
Loading…
Add table
Reference in a new issue