From 338c7ab1a9f75c55d638796c4db61e960c4b46a2 Mon Sep 17 00:00:00 2001 From: simeng-li Date: Tue, 5 Dec 2023 22:01:52 +0800 Subject: [PATCH] feat: add sso changeset (#5061) * feat: add sso changeset add sso changeset * chore: update changeset update changeset * chore: fix the md syntax fix the md syntax --- .changeset/friendly-adults-swim.md | 58 ++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .changeset/friendly-adults-swim.md diff --git a/.changeset/friendly-adults-swim.md b/.changeset/friendly-adults-swim.md new file mode 100644 index 000000000..3146785b4 --- /dev/null +++ b/.changeset/friendly-adults-swim.md 
@@ -0,0 +1,58 @@ +--- +"@logto/console": minor +"@logto/core": minor +"@logto/experience": minor +"@logto/phrases": minor +"@logto/schemas": minor +--- + +Introduce new enterpeise single sign-on (SSO) feature to Logto. + +## @logto/console + +- Implement new enterprise SSO management pages. Allow create and manage SSO connectors through Logto console. +- Add enabled/disable SSO toggle switch on the sign-in-experience settings page. + +## @logto/core + +- Implement new SSO connector management APIs. + + - `GET /api/sso-connector-providers` - List all the supported SSO connector providers. + - `POST /api/sso-connectors` - Create new SSO connector. + - `GET /api/sso-connectors` - List all the SSO connectors. + - `GET /api/sso-connectors/:id` - Get SSO connector by id. + - `PATCH /api/sso-connectors/:id` - Update SSO connector by id. + - `DELETE /api/sso-connectors/:id` - Delete SSO connector by id. + +- Implement new SSO interaction APIs to enable the SSO connector sign-in methods + + - `POST /api/interaction/single-sign-on/:connectorId/authorization-url` - Init a new SSO connector sign-in interaction flow by retrieving the IdP's authorization URL. + - `POST /api/interaction/single-sign-on/:connectorId/authentication` - Handle the SSO connector sign-in interaction flow by retrieving the IdP's authentication data. + - `POST /api/interaction/single-sign-on/:connectorId/registration` - Create new user account by using the SSO IdP's authentication result. + - `GET /api/interaction/single-sign-on/connectors` - List all the enabled SSO connectors by a given email address. + +- Implement new SSO connector factory to support different SSO connector providers. + - `OIDC` - Standard OIDC connector that can be used to connect with any OIDC compatible IdP. + - `SAML` - Standard SAML 2.0 connector that can be used to connect with any SAML 2.0 compatible IdP. + - `AzureAD` - Azure Active Directory connector that can be used to connect with Azure AD. 
+ - `Okta` - Okta connector that can be used to connect with Okta. + - `Google Workspace` - Google Workspace connector that can be used to connect with Google Workspace. + +## @logto/experience + +Implement the new SSO sign-in flow + +- `/single-sign-on/email` - The SSO email form page for user to enter their email address. +- `/single-sign-on/connectors` - The SSO connectors page for user to select the enabled SSO connector they want to use. +- Implement the email identifier guard on all the sign-in and registration identifier forms. If the email address is enabled with SSO, redirect user to the SSO flow. + +## @logto/phrases + +Add new phrases for the new SSO feature. + +## @logto/schemas + +- Add new sso_connectors table, which is used to store the SSO connector data. +- Add new user_sso_identities table, which is used to store the user's SSO identity data received from IdP through a SSO interaction. +- Add new single_sign_on_enabled column to the sign_in_experiences table, which is used to indicate if the SSO feature is enabled for the sign-in experience. +- Define new SSO feature related types
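Review bot: The first line of the changeset body has a typo, "enterpeise" should read "enterprise", and a few other wording slips follow in the same file: "Allow create and manage SSO connectors" should be "Allow creating and managing SSO connectors", "Add enabled/disable SSO toggle switch" should be "Add an enable/disable SSO toggle switch", "through a SSO interaction" should be "through an SSO interaction", and the last bullet "Define new SSO feature related types" is missing its trailing period. Since this file is released to users as changelog text, it is worth fixing before merge. One documentation point beyond wording: the entry for `GET /api/interaction/single-sign-on/connectors` says it lists enabled SSO connectors for a given email address, but because it sits in the sign-in interaction flow (consulted before the user is authenticated) the changeset should state what the response exposes about the tenant's SSO configuration and whether the endpoint is rate limited, so operators reading the changelog know what the new unauthenticated lookup reveals.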