mirror of
https://github.com/logto-io/logto.git
synced 2025-01-13 21:30:30 -05:00
feat(core): add SAML IdP GET /saml-applications/:id/callback
API (#6872)
* feat(core): implement SAML IdP response flow * refactor: update name ID format * refactor: refactor code * fix: add comments --------- Co-authored-by: simeng-li <simeng@silverhand.io>
This commit is contained in:
parent
ef795299ce
commit
0ba4d1d254
9 changed files with 703 additions and 45 deletions
36
packages/core/src/saml-applications/libraries/consts.ts
Normal file
36
packages/core/src/saml-applications/libraries/consts.ts
Normal file
|
@ -0,0 +1,36 @@
|
|||
export const samlLogInResponseTemplate = `
|
||||
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}">
|
||||
<saml:Issuer>{Issuer}</saml:Issuer>
|
||||
<samlp:Status>
|
||||
<samlp:StatusCode Value="{StatusCode}"/>
|
||||
</samlp:Status>
|
||||
<saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
|
||||
<saml:Issuer>{Issuer}</saml:Issuer>
|
||||
<saml:Subject>
|
||||
<saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID>
|
||||
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
||||
<saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/>
|
||||
</saml:SubjectConfirmation>
|
||||
</saml:Subject>
|
||||
<saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}">
|
||||
<saml:AudienceRestriction>
|
||||
<saml:Audience>{Audience}</saml:Audience>
|
||||
</saml:AudienceRestriction>
|
||||
</saml:Conditions>
|
||||
{AttributeStatement}
|
||||
</saml:Assertion>
|
||||
</samlp:Response>`;
|
||||
|
||||
export const samlAttributeNameFormatBasic = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';
|
||||
|
||||
const samlValueXmlnsXsiString = 'xs:string';
|
||||
const samlValueXmlnsXsiInteger = 'xsd:integer';
|
||||
const samlValueXmlnsXsiBoolean = 'xsd:boolean';
|
||||
const samlValueXmlnsXsiDatetime = 'xsd:dateTime';
|
||||
|
||||
export const samlValueXmlnsXsi = {
|
||||
string: samlValueXmlnsXsiString,
|
||||
integer: samlValueXmlnsXsiInteger,
|
||||
boolean: samlValueXmlnsXsiBoolean,
|
||||
datetime: samlValueXmlnsXsiDatetime,
|
||||
};
|
|
@ -7,7 +7,7 @@ import {
|
|||
} from '@logto/schemas';
|
||||
import { generateStandardId } from '@logto/shared';
|
||||
import { removeUndefinedKeys } from '@silverhand/essentials';
|
||||
import * as saml from 'samlify';
|
||||
import saml from 'samlify';
|
||||
|
||||
import { EnvSet, getTenantEndpoint } from '#src/env-set/index.js';
|
||||
import RequestError from '#src/errors/RequestError/index.js';
|
||||
|
|
|
@ -1,14 +1,36 @@
|
|||
import { z } from 'zod';
|
||||
|
||||
import { EnvSet, getTenantEndpoint } from '#src/env-set/index.js';
|
||||
import RequestError from '#src/errors/RequestError/index.js';
|
||||
import koaGuard from '#src/middleware/koa-guard.js';
|
||||
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
|
||||
import assertThat from '#src/utils/assert-that.js';
|
||||
|
||||
import {
|
||||
generateAutoSubmitForm,
|
||||
createSamlResponse,
|
||||
handleOidcCallbackAndGetUserInfo,
|
||||
setupSamlProviders,
|
||||
buildSamlAppCallbackUrl,
|
||||
} from './utils.js';
|
||||
|
||||
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
|
||||
z.object({
|
||||
code: z.string(),
|
||||
}),
|
||||
z.object({
|
||||
error: z.string(),
|
||||
error_description: z.string().optional(),
|
||||
}),
|
||||
]);
|
||||
|
||||
export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>(
|
||||
...[router, { libraries }]: RouterInitArgs<T>
|
||||
...[router, { id: tenantId, libraries, queries, envSet }]: RouterInitArgs<T>
|
||||
) {
|
||||
const {
|
||||
samlApplications: { getSamlIdPMetadataByApplicationId },
|
||||
} = libraries;
|
||||
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
|
||||
|
||||
router.get(
|
||||
'/saml-applications/:id/metadata',
|
||||
|
@ -29,4 +51,71 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
|||
return next();
|
||||
}
|
||||
);
|
||||
|
||||
router.get(
|
||||
'/saml-applications/:id/callback',
|
||||
koaGuard({
|
||||
params: z.object({ id: z.string() }),
|
||||
// TODO: should be able to handle `state` and `redirectUri`
|
||||
query: samlApplicationSignInCallbackQueryParametersGuard,
|
||||
status: [200, 400],
|
||||
}),
|
||||
async (ctx, next) => {
|
||||
const {
|
||||
params: { id },
|
||||
query,
|
||||
} = ctx.guard;
|
||||
|
||||
// Handle error in query parameters
|
||||
if ('error' in query) {
|
||||
throw new RequestError({
|
||||
code: 'oidc.invalid_request',
|
||||
message: query.error_description,
|
||||
});
|
||||
}
|
||||
|
||||
// Get application configuration
|
||||
const {
|
||||
secret,
|
||||
oidcClientMetadata: { redirectUris },
|
||||
} = await applications.findApplicationById(id);
|
||||
|
||||
const tenantEndpoint = getTenantEndpoint(tenantId, EnvSet.values);
|
||||
assertThat(
|
||||
redirectUris[0] === buildSamlAppCallbackUrl(tenantEndpoint, id),
|
||||
'oidc.invalid_redirect_uri'
|
||||
);
|
||||
|
||||
// TODO: should be able to handle `state` and code verifier etc.
|
||||
const { code } = query;
|
||||
|
||||
// Handle OIDC callback and get user info
|
||||
const userInfo = await handleOidcCallbackAndGetUserInfo(
|
||||
code,
|
||||
id,
|
||||
secret,
|
||||
redirectUris[0],
|
||||
envSet.oidc.issuer
|
||||
);
|
||||
|
||||
// TODO: we will refactor the following code later, to reduce the DB query connections.
|
||||
// Get SAML configuration
|
||||
const { metadata } = await getSamlIdPMetadataByApplicationId(id);
|
||||
const { privateKey } =
|
||||
await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
|
||||
const { entityId, acsUrl } =
|
||||
await samlApplicationConfigs.findSamlApplicationConfigByApplicationId(id);
|
||||
|
||||
assertThat(entityId, 'application.saml.entity_id_required');
|
||||
assertThat(acsUrl, 'application.saml.acs_url_required');
|
||||
|
||||
// Setup SAML providers and create response
|
||||
const { idp, sp } = setupSamlProviders(metadata, privateKey, entityId, acsUrl);
|
||||
const { context, entityEndpoint } = await createSamlResponse(idp, sp, userInfo);
|
||||
|
||||
// Return auto-submit form
|
||||
ctx.body = generateAutoSubmitForm(entityEndpoint, context);
|
||||
return next();
|
||||
}
|
||||
);
|
||||
}
|
||||
|
|
178
packages/core/src/saml-applications/routes/utils.test.ts
Normal file
178
packages/core/src/saml-applications/routes/utils.test.ts
Normal file
|
@ -0,0 +1,178 @@
|
|||
import nock from 'nock';
|
||||
import type { IdentityProviderInstance, ServiceProviderInstance } from 'samlify';
|
||||
|
||||
import {
|
||||
createSamlTemplateCallback,
|
||||
exchangeAuthorizationCode,
|
||||
getUserInfo,
|
||||
setupSamlProviders,
|
||||
} from './utils.js';
|
||||
|
||||
const { jest } = import.meta;
|
||||
|
||||
describe('createSamlTemplateCallback', () => {
|
||||
const mockIdp = {
|
||||
entityMeta: {
|
||||
getEntityID: () => 'idp-entity-id',
|
||||
},
|
||||
entitySetting: {
|
||||
nameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
|
||||
},
|
||||
createLoginResponse: jest.fn(),
|
||||
parseLoginRequest: jest.fn(),
|
||||
entityType: 'idp',
|
||||
getEntitySetting: jest.fn(),
|
||||
};
|
||||
|
||||
const mockSp = {
|
||||
entityMeta: {
|
||||
getAssertionConsumerService: () => 'https://sp.example.com/acs',
|
||||
getEntityID: () => 'sp-entity-id',
|
||||
},
|
||||
createLoginRequest: jest.fn(),
|
||||
parseLoginResponse: jest.fn(),
|
||||
entitySetting: {},
|
||||
entityType: 'sp',
|
||||
};
|
||||
|
||||
const mockUser = {
|
||||
sub: 'user123',
|
||||
email: 'user@example.com',
|
||||
name: 'Test User',
|
||||
};
|
||||
|
||||
it('should create SAML template callback with correct values', () => {
|
||||
const callback = createSamlTemplateCallback(
|
||||
mockIdp as unknown as IdentityProviderInstance,
|
||||
mockSp as unknown as ServiceProviderInstance,
|
||||
mockUser
|
||||
);
|
||||
|
||||
const result = callback('ID:NameID:attrEmail:attrName');
|
||||
const generatedId = result.id.replace('ID_', '');
|
||||
|
||||
expect(result.id).toBe('ID_' + generatedId);
|
||||
expect(typeof result.context).toBe('string');
|
||||
});
|
||||
});
|
||||
|
||||
describe('exchangeAuthorizationCode', () => {
|
||||
const mockTokenEndpoint = 'https://auth.example.com/token';
|
||||
const mockCode = 'auth-code';
|
||||
const mockClientId = 'client-id';
|
||||
const mockClientSecret = 'client-secret';
|
||||
const mockRedirectUri = 'https://app.example.com/callback';
|
||||
|
||||
afterEach(() => {
|
||||
nock.cleanAll();
|
||||
});
|
||||
|
||||
it('should exchange authorization code successfully', async () => {
|
||||
const mockResponse = {
|
||||
access_token: 'access-token',
|
||||
token_type: 'Bearer',
|
||||
expires_in: 3600,
|
||||
scope: 'openid profile email',
|
||||
id_token: 'mock.id.token',
|
||||
};
|
||||
|
||||
const expectedAuthHeader = `Basic ${Buffer.from(
|
||||
`${mockClientId}:${mockClientSecret}`,
|
||||
'utf8'
|
||||
).toString('base64')}`;
|
||||
|
||||
nock('https://auth.example.com')
|
||||
.post('/token', {
|
||||
grant_type: 'authorization_code',
|
||||
code: mockCode,
|
||||
client_id: mockClientId,
|
||||
redirect_uri: mockRedirectUri,
|
||||
})
|
||||
.matchHeader('Authorization', expectedAuthHeader)
|
||||
.matchHeader('Content-Type', 'application/x-www-form-urlencoded')
|
||||
.reply(200, JSON.stringify(mockResponse));
|
||||
|
||||
const result = await exchangeAuthorizationCode(mockTokenEndpoint, {
|
||||
code: mockCode,
|
||||
clientId: mockClientId,
|
||||
clientSecret: mockClientSecret,
|
||||
redirectUri: mockRedirectUri,
|
||||
});
|
||||
|
||||
expect(result).toMatchObject({
|
||||
accessToken: mockResponse.access_token,
|
||||
tokenType: mockResponse.token_type,
|
||||
expiresIn: mockResponse.expires_in,
|
||||
scope: mockResponse.scope,
|
||||
idToken: mockResponse.id_token,
|
||||
});
|
||||
});
|
||||
|
||||
it('should throw error when token response is invalid', async () => {
|
||||
nock('https://auth.example.com').post('/token').reply(200, { invalid: 'response' });
|
||||
|
||||
await expect(
|
||||
exchangeAuthorizationCode(mockTokenEndpoint, {
|
||||
code: mockCode,
|
||||
clientId: mockClientId,
|
||||
clientSecret: mockClientSecret,
|
||||
})
|
||||
).rejects.toMatchObject({
|
||||
code: 'oidc.invalid_token',
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('getUserInfo', () => {
|
||||
const mockAccessToken = 'access-token';
|
||||
const mockUserinfoEndpoint = 'https://auth.example.com/userinfo';
|
||||
|
||||
afterEach(() => {
|
||||
nock.cleanAll();
|
||||
});
|
||||
|
||||
it('should get user info successfully', async () => {
|
||||
const mockUserInfo = {
|
||||
sub: 'user123',
|
||||
email: 'user@example.com',
|
||||
name: 'Test User',
|
||||
};
|
||||
|
||||
nock('https://auth.example.com')
|
||||
.get('/userinfo')
|
||||
.matchHeader('Authorization', `Bearer ${mockAccessToken}`)
|
||||
.reply(200, mockUserInfo);
|
||||
|
||||
const result = await getUserInfo(mockAccessToken, mockUserinfoEndpoint);
|
||||
expect(result).toMatchObject(mockUserInfo);
|
||||
});
|
||||
|
||||
it('should throw error when user info response is invalid', async () => {
|
||||
nock('https://auth.example.com')
|
||||
.get('/userinfo')
|
||||
.matchHeader('Authorization', `Bearer ${mockAccessToken}`)
|
||||
.reply(200, { invalid: 'response' });
|
||||
|
||||
await expect(getUserInfo(mockAccessToken, mockUserinfoEndpoint)).rejects.toMatchObject({
|
||||
code: 'oidc.invalid_request',
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('setupSamlProviders', () => {
|
||||
it('should setup SAML providers with correct configuration', () => {
|
||||
const mockMetadata = '<EntityDescriptor>...</EntityDescriptor>';
|
||||
const mockPrivateKey = '-----BEGIN PRIVATE KEY-----...';
|
||||
const mockEntityId = 'https://sp.example.com';
|
||||
const mockAcsUrl = {
|
||||
binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
|
||||
url: 'https://sp.example.com/acs',
|
||||
};
|
||||
|
||||
const { idp, sp } = setupSamlProviders(mockMetadata, mockPrivateKey, mockEntityId, mockAcsUrl);
|
||||
|
||||
expect(idp).toBeDefined();
|
||||
expect(sp).toBeDefined();
|
||||
expect(sp.entityMeta.getEntityID()).toBe(mockEntityId);
|
||||
});
|
||||
});
|
304
packages/core/src/saml-applications/routes/utils.ts
Normal file
304
packages/core/src/saml-applications/routes/utils.ts
Normal file
|
@ -0,0 +1,304 @@
|
|||
import { parseJson } from '@logto/connector-kit';
|
||||
import { generateStandardId } from '@logto/shared';
|
||||
import { tryThat, appendPath } from '@silverhand/essentials';
|
||||
import camelcaseKeys from 'camelcase-keys';
|
||||
import saml from 'samlify';
|
||||
import { ZodError, z } from 'zod';
|
||||
|
||||
import RequestError from '#src/errors/RequestError/index.js';
|
||||
import {
|
||||
fetchOidcConfigRaw,
|
||||
getRawUserInfoResponse,
|
||||
handleTokenExchange,
|
||||
} from '#src/sso/OidcConnector/utils.js';
|
||||
import { idTokenProfileStandardClaimsGuard } from '#src/sso/types/oidc.js';
|
||||
import { type IdTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
|
||||
import assertThat from '#src/utils/assert-that.js';
|
||||
|
||||
import {
|
||||
samlLogInResponseTemplate,
|
||||
samlAttributeNameFormatBasic,
|
||||
samlValueXmlnsXsi,
|
||||
} from '../libraries/consts.js';
|
||||
|
||||
/**
|
||||
* Determines the SAML NameID format and value based on the user's claims and IdP's NameID format.
|
||||
* Supports email and persistent formats.
|
||||
*
|
||||
* @param user - The user's standard claims
|
||||
* @param idpNameIDFormat - The NameID format(s) specified by the IdP (optional)
|
||||
* @returns An object containing the NameIDFormat and NameID
|
||||
*/
|
||||
const buildSamlAssertionNameId = (
|
||||
user: IdTokenProfileStandardClaims,
|
||||
idpNameIDFormat?: string | string[]
|
||||
): { NameIDFormat: string; NameID: string } => {
|
||||
if (idpNameIDFormat) {
|
||||
// Get the first name ID format
|
||||
const format = Array.isArray(idpNameIDFormat) ? idpNameIDFormat[0] : idpNameIDFormat;
|
||||
// If email format is specified, try to use email first
|
||||
if (
|
||||
format === saml.Constants.namespace.format.emailAddress &&
|
||||
user.email &&
|
||||
user.email_verified
|
||||
) {
|
||||
return {
|
||||
NameIDFormat: format,
|
||||
NameID: user.email,
|
||||
};
|
||||
}
|
||||
// For other formats or when email is not available, use sub
|
||||
if (format === saml.Constants.namespace.format.persistent) {
|
||||
return {
|
||||
NameIDFormat: format,
|
||||
NameID: user.sub,
|
||||
};
|
||||
}
|
||||
}
|
||||
// No nameIDFormat specified, use default logic
|
||||
// Use email if available
|
||||
if (user.email && user.email_verified) {
|
||||
return {
|
||||
NameIDFormat: saml.Constants.namespace.format.emailAddress,
|
||||
NameID: user.email,
|
||||
};
|
||||
}
|
||||
// Fallback to persistent format with user.sub
|
||||
return {
|
||||
NameIDFormat: saml.Constants.namespace.format.persistent,
|
||||
NameID: user.sub,
|
||||
};
|
||||
};
|
||||
|
||||
export const createSamlTemplateCallback =
|
||||
(
|
||||
idp: saml.IdentityProviderInstance,
|
||||
sp: saml.ServiceProviderInstance,
|
||||
user: IdTokenProfileStandardClaims
|
||||
) =>
|
||||
(template: string) => {
|
||||
const assertionConsumerServiceUrl = sp.entityMeta.getAssertionConsumerService(
|
||||
saml.Constants.wording.binding.post
|
||||
);
|
||||
|
||||
const { nameIDFormat } = idp.entitySetting;
|
||||
const { NameIDFormat, NameID } = buildSamlAssertionNameId(user, nameIDFormat);
|
||||
|
||||
const id = `ID_${generateStandardId()}`;
|
||||
const now = new Date();
|
||||
const expireAt = new Date(now.getTime() + 10 * 60 * 1000); // 10 minutes later
|
||||
|
||||
const tagValues = {
|
||||
ID: id,
|
||||
AssertionID: `ID_${generateStandardId()}`,
|
||||
Destination: assertionConsumerServiceUrl,
|
||||
Audience: sp.entityMeta.getEntityID(),
|
||||
EntityID: sp.entityMeta.getEntityID(),
|
||||
SubjectRecipient: assertionConsumerServiceUrl,
|
||||
Issuer: idp.entityMeta.getEntityID(),
|
||||
IssueInstant: now.toISOString(),
|
||||
AssertionConsumerServiceURL: assertionConsumerServiceUrl,
|
||||
StatusCode: saml.Constants.StatusCode.Success,
|
||||
ConditionsNotBefore: now.toISOString(),
|
||||
ConditionsNotOnOrAfter: expireAt.toISOString(),
|
||||
SubjectConfirmationDataNotOnOrAfter: expireAt.toISOString(),
|
||||
NameIDFormat,
|
||||
NameID,
|
||||
// TODO: should get the request ID from the input parameters, pending https://github.com/logto-io/logto/pull/6881.
|
||||
InResponseTo: 'null',
|
||||
/**
|
||||
* User attributes for SAML response
|
||||
*
|
||||
* @todo Support custom attribute mapping
|
||||
* @see {@link https://github.com/tngan/samlify/blob/master/src/libsaml.ts#L275-L300|samlify implementation}
|
||||
*
|
||||
* @remarks
|
||||
* By examining the code provided in the link above, we can define all the attributes supported by the attribute mapping here. Only the attributes defined in the `loginResponseTemplate.attributes` added when creating the IdP instance will appear in the SAML response.
|
||||
*/
|
||||
attrSub: user.sub,
|
||||
attrEmail: user.email,
|
||||
attrName: user.name,
|
||||
};
|
||||
|
||||
const context = saml.SamlLib.replaceTagsByValue(template, tagValues);
|
||||
|
||||
return {
|
||||
id,
|
||||
context,
|
||||
};
|
||||
};
|
||||
|
||||
export const exchangeAuthorizationCode = async (
|
||||
tokenEndpoint: string,
|
||||
{
|
||||
code,
|
||||
clientId,
|
||||
clientSecret,
|
||||
redirectUri,
|
||||
}: {
|
||||
code: string;
|
||||
clientId: string;
|
||||
clientSecret: string;
|
||||
redirectUri?: string;
|
||||
}
|
||||
) => {
|
||||
const result = await handleTokenExchange(tokenEndpoint, {
|
||||
code,
|
||||
clientId,
|
||||
clientSecret,
|
||||
redirectUri,
|
||||
});
|
||||
|
||||
if (!result.success) {
|
||||
throw new RequestError({
|
||||
code: 'oidc.invalid_token',
|
||||
message: 'Invalid token response',
|
||||
});
|
||||
}
|
||||
|
||||
return camelcaseKeys(result.data);
|
||||
};
|
||||
|
||||
export const createSamlResponse = async (
|
||||
idp: saml.IdentityProviderInstance,
|
||||
sp: saml.ServiceProviderInstance,
|
||||
userInfo: IdTokenProfileStandardClaims
|
||||
): Promise<{ context: string; entityEndpoint: string }> => {
|
||||
// TODO: fix binding method
|
||||
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
|
||||
const { context, entityEndpoint } = await idp.createLoginResponse(
|
||||
sp,
|
||||
// @ts-expect-error --fix request object later
|
||||
null,
|
||||
'post',
|
||||
userInfo,
|
||||
createSamlTemplateCallback(idp, sp, userInfo)
|
||||
);
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
|
||||
return { context, entityEndpoint };
|
||||
};
|
||||
|
||||
export const generateAutoSubmitForm = (actionUrl: string, samlResponse: string): string => {
|
||||
return `
|
||||
<html>
|
||||
<body>
|
||||
<form id="redirectForm" action="${actionUrl}" method="POST">
|
||||
<input type="hidden" name="SAMLResponse" value="${samlResponse}" />
|
||||
</form>
|
||||
<script>
|
||||
window.onload = function() {
|
||||
document.getElementById('redirectForm').submit();
|
||||
};
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
`;
|
||||
};
|
||||
|
||||
export const getUserInfo = async (
|
||||
accessToken: string,
|
||||
userinfoEndpoint: string
|
||||
): Promise<IdTokenProfileStandardClaims & Record<string, unknown>> => {
|
||||
const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
|
||||
const result = idTokenProfileStandardClaimsGuard.catchall(z.unknown()).safeParse(parseJson(body));
|
||||
|
||||
if (!result.success) {
|
||||
throw new RequestError({
|
||||
code: 'oidc.invalid_request',
|
||||
message: 'Invalid user info response',
|
||||
details: result.error.flatten(),
|
||||
});
|
||||
}
|
||||
|
||||
return result.data;
|
||||
};
|
||||
|
||||
// Helper functions for SAML callback
|
||||
export const handleOidcCallbackAndGetUserInfo = async (
|
||||
code: string,
|
||||
applicationId: string,
|
||||
secret: string,
|
||||
redirectUri: string,
|
||||
issuer: string
|
||||
) => {
|
||||
// Get OIDC configuration
|
||||
const { tokenEndpoint, userinfoEndpoint } = await tryThat(
|
||||
async () => fetchOidcConfigRaw(issuer),
|
||||
(error) => {
|
||||
if (error instanceof ZodError) {
|
||||
throw new RequestError({
|
||||
code: 'oidc.invalid_request',
|
||||
message: error.message,
|
||||
error: error.flatten(),
|
||||
});
|
||||
}
|
||||
|
||||
throw error;
|
||||
}
|
||||
);
|
||||
|
||||
// Exchange authorization code for tokens
|
||||
const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
|
||||
code,
|
||||
clientId: applicationId,
|
||||
clientSecret: secret,
|
||||
redirectUri,
|
||||
});
|
||||
|
||||
assertThat(accessToken, new RequestError('oidc.access_denied'));
|
||||
|
||||
// Get user info using access token
|
||||
return getUserInfo(accessToken, userinfoEndpoint);
|
||||
};
|
||||
|
||||
export const setupSamlProviders = (
|
||||
metadata: string,
|
||||
privateKey: string,
|
||||
entityId: string,
|
||||
acsUrl: { binding: string; url: string }
|
||||
) => {
|
||||
// eslint-disable-next-line new-cap
|
||||
const idp = saml.IdentityProvider({
|
||||
metadata,
|
||||
privateKey,
|
||||
isAssertionEncrypted: false,
|
||||
loginResponseTemplate: {
|
||||
context: samlLogInResponseTemplate,
|
||||
attributes: [
|
||||
{
|
||||
name: 'email',
|
||||
valueTag: 'email',
|
||||
nameFormat: samlAttributeNameFormatBasic,
|
||||
valueXsiType: samlValueXmlnsXsi.string,
|
||||
},
|
||||
{
|
||||
name: 'name',
|
||||
valueTag: 'name',
|
||||
nameFormat: samlAttributeNameFormatBasic,
|
||||
valueXsiType: samlValueXmlnsXsi.string,
|
||||
},
|
||||
],
|
||||
},
|
||||
nameIDFormat: [
|
||||
saml.Constants.namespace.format.emailAddress,
|
||||
saml.Constants.namespace.format.persistent,
|
||||
],
|
||||
});
|
||||
|
||||
// eslint-disable-next-line new-cap
|
||||
const sp = saml.ServiceProvider({
|
||||
entityID: entityId,
|
||||
assertionConsumerService: [
|
||||
{
|
||||
Binding: acsUrl.binding,
|
||||
Location: acsUrl.url,
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
return { idp, sp };
|
||||
};
|
||||
|
||||
export const buildSamlAppCallbackUrl = (baseUrl: URL, samlApplicationId: string) =>
|
||||
appendPath(baseUrl, `api/saml-applications/${samlApplicationId}/callback`).toString();
|
|
@ -159,14 +159,19 @@ describe('fetchToken', () => {
|
|||
})
|
||||
);
|
||||
|
||||
expect(postMock).toBeCalledWith({
|
||||
url: oidcConfigResponseCamelCase.tokenEndpoint,
|
||||
form: {
|
||||
expect(postMock).toBeCalledWith(oidcConfigResponseCamelCase.tokenEndpoint, {
|
||||
body: new URLSearchParams({
|
||||
grant_type: 'authorization_code',
|
||||
client_id: oidcConfig.clientId,
|
||||
client_secret: oidcConfig.clientSecret,
|
||||
code: data.code,
|
||||
client_id: oidcConfig.clientId,
|
||||
redirect_uri: redirectUri,
|
||||
}).toString(),
|
||||
headers: {
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
Authorization: `Basic ${Buffer.from(
|
||||
`${oidcConfig.clientId}:${oidcConfig.clientSecret}`,
|
||||
'utf8'
|
||||
).toString('base64')}`,
|
||||
},
|
||||
});
|
||||
});
|
||||
|
|
|
@ -3,7 +3,7 @@ import { assert } from '@silverhand/essentials';
|
|||
import camelcaseKeys, { type CamelCaseKeys } from 'camelcase-keys';
|
||||
import { got, HTTPError } from 'got';
|
||||
import { createRemoteJWKSet, jwtVerify, type JWTVerifyOptions } from 'jose';
|
||||
import { z } from 'zod';
|
||||
import { z, ZodError } from 'zod';
|
||||
|
||||
import {
|
||||
SsoConnectorConfigErrorCodes,
|
||||
|
@ -20,30 +20,34 @@ import {
|
|||
type OidcTokenResponse,
|
||||
} from '../types/oidc.js';
|
||||
|
||||
/**
|
||||
* Fetch the full-list of OIDC config from the issuer. Throws error if config is invalid.
|
||||
*
|
||||
* @param issuer The issuer URL
|
||||
* @returns The full-list of OIDC config
|
||||
*/
|
||||
export const fetchOidcConfigRaw = async (issuer: string) => {
|
||||
const { body } = await got.get(`${issuer}/.well-known/openid-configuration`, {
|
||||
responseType: 'json',
|
||||
});
|
||||
|
||||
return camelcaseKeys(oidcConfigResponseGuard.parse(body));
|
||||
};
|
||||
|
||||
export const fetchOidcConfig = async (
|
||||
issuer: string
|
||||
): Promise<CamelCaseKeys<OidcConfigResponse>> => {
|
||||
try {
|
||||
const { body } = await got.get(`${issuer}/.well-known/openid-configuration`, {
|
||||
responseType: 'json',
|
||||
});
|
||||
|
||||
const result = oidcConfigResponseGuard.safeParse(body);
|
||||
|
||||
if (!result.success) {
|
||||
return await fetchOidcConfigRaw(issuer);
|
||||
} catch (error: unknown) {
|
||||
if (error instanceof ZodError) {
|
||||
throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
|
||||
config: { issuer },
|
||||
message: SsoConnectorConfigErrorCodes.InvalidConfigResponse,
|
||||
error: result.error.flatten(),
|
||||
error: error.flatten(),
|
||||
});
|
||||
}
|
||||
|
||||
return camelcaseKeys(result.data);
|
||||
} catch (error: unknown) {
|
||||
if (error instanceof SsoConnectorError) {
|
||||
throw error;
|
||||
}
|
||||
|
||||
throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
|
||||
config: { issuer },
|
||||
message: SsoConnectorConfigErrorCodes.FailToFetchConfig,
|
||||
|
@ -52,6 +56,46 @@ export const fetchOidcConfig = async (
|
|||
}
|
||||
};
|
||||
|
||||
export const handleTokenExchange = async (
|
||||
tokenEndpoint: string,
|
||||
{
|
||||
code,
|
||||
clientId,
|
||||
clientSecret,
|
||||
redirectUri,
|
||||
}: {
|
||||
code: string;
|
||||
clientId: string;
|
||||
clientSecret: string;
|
||||
redirectUri?: string;
|
||||
}
|
||||
) => {
|
||||
const tokenRequestParameters = new URLSearchParams({
|
||||
grant_type: 'authorization_code',
|
||||
code,
|
||||
client_id: clientId,
|
||||
...(redirectUri ? { redirect_uri: redirectUri } : {}),
|
||||
});
|
||||
|
||||
const headers = {
|
||||
Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64')}`,
|
||||
'Content-Type': 'application/x-www-form-urlencoded',
|
||||
};
|
||||
|
||||
const httpResponse = await got.post(tokenEndpoint, {
|
||||
body: tokenRequestParameters.toString(),
|
||||
headers,
|
||||
});
|
||||
|
||||
const result = oidcTokenResponseGuard.safeParse(parseJson(httpResponse.body));
|
||||
|
||||
if (!result.success) {
|
||||
return { success: false as const, error: result.error, response: httpResponse };
|
||||
}
|
||||
|
||||
return { success: true as const, data: result.data };
|
||||
};
|
||||
|
||||
export const fetchToken = async (
|
||||
{ tokenEndpoint, clientId, clientSecret }: BaseOidcConfig,
|
||||
data: unknown,
|
||||
|
@ -70,28 +114,22 @@ export const fetchToken = async (
|
|||
const { code } = result.data;
|
||||
|
||||
try {
|
||||
const httpResponse = await got.post({
|
||||
url: tokenEndpoint,
|
||||
form: {
|
||||
grant_type: 'authorization_code',
|
||||
code,
|
||||
redirect_uri: redirectUri,
|
||||
client_id: clientId,
|
||||
client_secret: clientSecret,
|
||||
},
|
||||
const exchangeResult = await handleTokenExchange(tokenEndpoint, {
|
||||
code,
|
||||
clientId,
|
||||
clientSecret,
|
||||
redirectUri,
|
||||
});
|
||||
|
||||
const result = oidcTokenResponseGuard.safeParse(parseJson(httpResponse.body));
|
||||
|
||||
if (!result.success) {
|
||||
if (!exchangeResult.success) {
|
||||
throw new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
|
||||
message: 'Invalid token response',
|
||||
response: httpResponse.body,
|
||||
error: result.error.flatten(),
|
||||
response: exchangeResult.response.body,
|
||||
error: exchangeResult.error.flatten(),
|
||||
});
|
||||
}
|
||||
|
||||
return camelcaseKeys(result.data);
|
||||
return camelcaseKeys(exchangeResult.data);
|
||||
} catch (error: unknown) {
|
||||
if (error instanceof SsoConnectorError) {
|
||||
throw error;
|
||||
|
@ -159,26 +197,31 @@ export const getIdTokenClaims = async (
|
|||
}
|
||||
};
|
||||
|
||||
export const getRawUserInfoResponse = async (accessToken: string, userinfoEndpoint: string) => {
|
||||
const httpResponse = await got.get(userinfoEndpoint, {
|
||||
headers: {
|
||||
Authorization: `Bearer ${accessToken}`,
|
||||
},
|
||||
});
|
||||
|
||||
return httpResponse.body;
|
||||
};
|
||||
|
||||
/**
|
||||
* Get the user info from the userinfo endpoint incase id token does not contain sufficient user claims.
|
||||
*/
|
||||
export const getUserInfo = async (accessToken: string, userinfoEndpoint: string) => {
|
||||
try {
|
||||
const httpResponse = await got.get(userinfoEndpoint, {
|
||||
headers: {
|
||||
Authorization: `Bearer ${accessToken}`,
|
||||
},
|
||||
responseType: 'json',
|
||||
});
|
||||
const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
|
||||
|
||||
const result = idTokenProfileStandardClaimsGuard
|
||||
.catchall(z.unknown())
|
||||
.safeParse(httpResponse.body);
|
||||
.safeParse(parseJson(body));
|
||||
|
||||
if (!result.success) {
|
||||
throw new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
|
||||
message: 'Invalid user info response',
|
||||
response: httpResponse.body,
|
||||
response: body,
|
||||
error: result.error.flatten(),
|
||||
});
|
||||
}
|
||||
|
|
|
@ -77,3 +77,5 @@ export const idTokenProfileStandardClaimsGuard = z.object({
|
|||
profile: z.string().nullish(),
|
||||
nonce: z.string().nullish(),
|
||||
});
|
||||
|
||||
export type IdTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;
|
||||
|
|
|
@ -28,6 +28,7 @@ const application = {
|
|||
can_not_delete_active_secret: 'Can not delete the active secret.',
|
||||
no_active_secret: 'No active secret found.',
|
||||
entity_id_required: 'Entity ID is required to generate metadata.',
|
||||
acs_url_required: 'Assertion consumer service URL is required to generate metadata.',
|
||||
invalid_certificate_pem_format: 'Invalid PEM certificate format',
|
||||
},
|
||||
};
|
||||
|
|
Loading…
Add table
Reference in a new issue