0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2025-01-06 20:40:08 -05:00

feat(core,phrases): add api to receive and handle saml sso assertion

This commit is contained in:
Darcy Ye 2023-11-02 11:22:33 +08:00
parent f8450a50ae
commit 3b63203b49
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
31 changed files with 176 additions and 1 deletions

View file

@ -6,6 +6,8 @@ import { z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js'; import RequestError from '#src/errors/RequestError/index.js';
import { verifyBearerTokenFromRequest } from '#src/middleware/koa-auth/index.js'; import { verifyBearerTokenFromRequest } from '#src/middleware/koa-auth/index.js';
import koaGuard from '#src/middleware/koa-guard.js'; import koaGuard from '#src/middleware/koa-guard.js';
import { ssoConnectorFactories } from '#src/sso/index.js';
import { SsoProviderName } from '#src/sso/types/index.js';
import assertThat from '#src/utils/assert-that.js'; import assertThat from '#src/utils/assert-that.js';
import { import {
getConnectorSessionResultFromJti, getConnectorSessionResultFromJti,
@ -19,11 +21,12 @@ import type { AnonymousRouter, RouterInitArgs } from './types.js';
* This router will have a route `/authn` to authenticate tokens with a general manner. * This router will have a route `/authn` to authenticate tokens with a general manner.
*/ */
export default function authnRoutes<T extends AnonymousRouter>( export default function authnRoutes<T extends AnonymousRouter>(
...[router, { envSet, provider, libraries }]: RouterInitArgs<T> ...[router, { id: tenantId, envSet, provider, libraries }]: RouterInitArgs<T>
) { ) {
const { const {
users: { findUserRoles }, users: { findUserRoles },
socials: { getConnector }, socials: { getConnector },
ssoConnector: { getSsoConnectorById },
} = libraries; } = libraries;
const hasuraResponseGuard = z.object({ const hasuraResponseGuard = z.object({
@ -144,4 +147,57 @@ export default function authnRoutes<T extends AnonymousRouter>(
return next(); return next();
} }
); );
// TODO: refactor this, this SAML API for SSO is quite similar to the one for normal social sign-in, most of the logics can be reused.
router.post(
'/authn/saml/sso/:ssoConnectorId',
/**
* The API does not care the type of the SAML assertion request body, simply pass this to
* SSO connector's built-in methods.
*/
koaGuard({
body: jsonObjectGuard,
params: z.object({ ssoConnectorId: z.string().min(1) }),
status: 302,
}),
async (ctx, next) => {
const {
params: { ssoConnectorId },
body,
} = ctx.guard;
const ssoConnector = await getSsoConnectorById(ssoConnectorId);
const samlAssertionGuard = z.object({ SAMLResponse: z.string(), RelayState: z.string() });
const samlAssertionParseResult = samlAssertionGuard.safeParse(body);
if (!samlAssertionParseResult.success) {
throw new ConnectorError(
ConnectorErrorCodes.InvalidResponse,
samlAssertionParseResult.error
);
}
/**
* Since `RelayState` will be returned with value unchanged, we use it to pass `jti`
* to find the connector session we used to store essential information.
*/
const { RelayState: jti } = samlAssertionParseResult.data;
const getSession = async () => getConnectorSessionResultFromJti(jti, provider);
const setSession = async (connectorSession: ConnectorSession) =>
assignConnectorSessionResultViaJti(jti, provider, connectorSession);
if (ssoConnector.providerName !== SsoProviderName.SAML) {
throw new RequestError({ code: 'sso_connector.saml_only' });
}
const { constructor } = ssoConnectorFactories[ssoConnector.providerName];
const { validateSamlAssertion } = new constructor(ssoConnector, tenantId);
const redirectTo = await validateSamlAssertion({ body }, getSession, setSession);
ctx.redirect(redirectTo);
return next();
}
);
} }

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,5 @@
const sso_connector = {
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js'; import scope from './scope.js';
import session from './session.js'; import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js'; import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js'; import storage from './storage.js';
import subscription from './subscription.js'; import subscription from './subscription.js';
import swagger from './swagger.js'; import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription, subscription,
application, application,
organization, organization,
sso_connector,
}; };
export default Object.freeze(errors); export default Object.freeze(errors);

View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);