feat(schemas): add SAML SSO IdP initated auth config table (#6659)

feat(schemas): add idp initiated sso auth configs table add idp initiated sso auth configs table
2024-12-16 20:26:19 -05:00 · 2024-10-14 10:18:29 +08:00 · 2024-10-14 10:18:29 +08:00 · 22566e375c
commit 22566e375c
parent 4dc1f82195
3 changed files with 69 additions and 0 deletions
--- a/packages/schemas/alterations/next-1728357690-add-sso-connector-idp-initated-auth-configs-table.ts
+++ b/packages/schemas/alterations/next-1728357690-add-sso-connector-idp-initated-auth-configs-table.ts
@ -0,0 +1,40 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table sso_connector_idp_initiated_auth_configs (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The default Logto application id. */
+        default_application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** OIDC sign-in redirect URI. */
+        redirect_uri text,
+        /** Additional OIDC auth parameters. */
+        auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        primary key (tenant_id, connector_id),
+        /** Insure the application type is Traditional. */
+        constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'))
+      );
+    `);
+    await applyTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+    await pool.query(sql`
+      drop table sso_connector_idp_initiated_auth_configs;
+    `);
+  },
+};
+
+export default alteration;
--- a/packages/schemas/src/foundations/jsonb-types/sso-connector.ts
+++ b/packages/schemas/src/foundations/jsonb-types/sso-connector.ts
@ -10,4 +10,13 @@ export const ssoBrandingGuard = z.object({
  darkLogo: z.string().optional(),
 });

+export const idpInitiatedAuthParamsGuard = z
+  .object({
+    resources: z.array(z.string()).optional(),
+    scopes: z.array(z.string()).optional(),
+  })
+  .catchall(z.string());
+
+export type IdpInitiatedAuthParams = z.infer<typeof idpInitiatedAuthParamsGuard>;
+
 export type SsoBranding = z.infer<typeof ssoBrandingGuard>;
--- a/packages/schemas/tables/sso_connector_idp_initiated_auth_configs.sql
+++ b/packages/schemas/tables/sso_connector_idp_initiated_auth_configs.sql
@ -0,0 +1,20 @@
+/** init_order = 2 */
+create table sso_connector_idp_initiated_auth_configs (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the SSO connector. */
+  connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade on delete cascade,
+  /** The default Logto application id. */
+  default_application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** OIDC sign-in redirect URI. */
+  redirect_uri text,
+  /** Additional OIDC auth parameters. */
+  auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  primary key (tenant_id, connector_id),
+  /** Insure the application type is Traditional. */
+  constraint application_type
+    check (check_application_type(default_application_id, 'Traditional'))
+);