mirror of
https://github.com/logto-io/logto.git
synced 2024-12-16 20:26:19 -05:00
refactor: refactor code
This commit is contained in:
parent
a3d5f9feb8
commit
755c138f12
3 changed files with 122 additions and 83 deletions
22
packages/core/src/saml-applications/libraries/consts.ts
Normal file
22
packages/core/src/saml-applications/libraries/consts.ts
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
export const samlLogInResponseTemplate = `
|
||||||
|
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}">
|
||||||
|
<saml:Issuer>{Issuer}</saml:Issuer>
|
||||||
|
<samlp:Status>
|
||||||
|
<samlp:StatusCode Value="{StatusCode}"/>
|
||||||
|
</samlp:Status>
|
||||||
|
<saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
|
||||||
|
<saml:Issuer>{Issuer}</saml:Issuer>
|
||||||
|
<saml:Subject>
|
||||||
|
<saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID>
|
||||||
|
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
||||||
|
<saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/>
|
||||||
|
</saml:SubjectConfirmation>
|
||||||
|
</saml:Subject>
|
||||||
|
<saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}">
|
||||||
|
<saml:AudienceRestriction>
|
||||||
|
<saml:Audience>{Audience}</saml:Audience>
|
||||||
|
</saml:AudienceRestriction>
|
||||||
|
</saml:Conditions>
|
||||||
|
{AttributeStatement}
|
||||||
|
</saml:Assertion>
|
||||||
|
</samlp:Response>`;
|
|
@ -1,8 +1,5 @@
|
||||||
import { parseJson } from '@logto/connector-kit';
|
|
||||||
import { tryThat } from '@silverhand/essentials';
|
import { tryThat } from '@silverhand/essentials';
|
||||||
import camelcaseKeys from 'camelcase-keys';
|
import * as saml from 'samlify';
|
||||||
import { got } from 'got';
|
|
||||||
import saml from 'samlify';
|
|
||||||
import { z } from 'zod';
|
import { z } from 'zod';
|
||||||
|
|
||||||
import RequestError from '#src/errors/RequestError/index.js';
|
import RequestError from '#src/errors/RequestError/index.js';
|
||||||
|
@ -10,10 +7,11 @@ import koaGuard from '#src/middleware/koa-guard.js';
|
||||||
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
|
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
|
||||||
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
|
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
|
||||||
import { SsoConnectorError } from '#src/sso/types/error.js';
|
import { SsoConnectorError } from '#src/sso/types/error.js';
|
||||||
import { oidcTokenResponseGuard } from '#src/sso/types/oidc.js';
|
|
||||||
import assertThat from '#src/utils/assert-that.js';
|
import assertThat from '#src/utils/assert-that.js';
|
||||||
|
|
||||||
import { createSamlTemplateCallback, samlLogInResponseTemplate } from './utils.js';
|
import { samlLogInResponseTemplate } from '../libraries/consts.js';
|
||||||
|
|
||||||
|
import { exchangeAuthorizationCode, generateAutoSubmitForm, createSamlResponse } from './utils.js';
|
||||||
|
|
||||||
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
|
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
|
||||||
z.object({
|
z.object({
|
||||||
|
@ -97,41 +95,20 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
const headers = {
|
// Exchange authorization code for tokens
|
||||||
// Not sure whether we should use internal secret here instead of getting non-expired secret from table `application_secrets`, but it should be fine since this is an internal use case.
|
const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
|
||||||
Authorization: `Basic ${Buffer.from(`${id}:${secret}`, 'utf8').toString('base64')}`,
|
|
||||||
'Content-Type': 'application/x-www-form-urlencoded',
|
|
||||||
};
|
|
||||||
|
|
||||||
const tokenRequestParameters = new URLSearchParams({
|
|
||||||
grant_type: 'authorization_code',
|
|
||||||
code,
|
code,
|
||||||
client_id: id,
|
clientId: id,
|
||||||
...(redirectUris[0] ? { redirect_uri: redirectUris[0] } : {}),
|
clientSecret: secret,
|
||||||
|
redirectUri: redirectUris[0],
|
||||||
});
|
});
|
||||||
|
|
||||||
// TODO: error handling
|
|
||||||
// Exchange the authorization code for an access token
|
|
||||||
const httpResponse = await got.post(tokenEndpoint, {
|
|
||||||
body: tokenRequestParameters.toString(),
|
|
||||||
headers,
|
|
||||||
});
|
|
||||||
|
|
||||||
const result = oidcTokenResponseGuard.safeParse(parseJson(httpResponse.body));
|
|
||||||
|
|
||||||
if (!result.success) {
|
|
||||||
throw new RequestError({
|
|
||||||
code: 'oidc.invalid_token',
|
|
||||||
message: 'Invalid token response',
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
const { accessToken } = camelcaseKeys(result.data);
|
|
||||||
|
|
||||||
assertThat(accessToken, new RequestError('oidc.access_denied'));
|
assertThat(accessToken, new RequestError('oidc.access_denied'));
|
||||||
|
|
||||||
|
// Get user info using access token
|
||||||
const userInfo = await getUserInfo(accessToken, userinfoEndpoint);
|
const userInfo = await getUserInfo(accessToken, userinfoEndpoint);
|
||||||
|
|
||||||
|
// Get SAML configuration and create SAML response
|
||||||
const { metadata } = await getSamlIdPMetadataByApplicationId(id);
|
const { metadata } = await getSamlIdPMetadataByApplicationId(id);
|
||||||
const { privateKey } =
|
const { privateKey } =
|
||||||
await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
|
await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
|
||||||
|
@ -176,30 +153,10 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
],
|
],
|
||||||
});
|
});
|
||||||
|
|
||||||
// TODO: fix binding method
|
const { context, entityEndpoint } = await createSamlResponse(idp, sp, userInfo);
|
||||||
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
|
|
||||||
const { context, entityEndpoint } = await idp.createLoginResponse(
|
|
||||||
sp,
|
|
||||||
// @ts-expect-error --fix request object later
|
|
||||||
null,
|
|
||||||
'post',
|
|
||||||
userInfo,
|
|
||||||
createSamlTemplateCallback(idp, sp, userInfo)
|
|
||||||
);
|
|
||||||
|
|
||||||
ctx.body = `
|
// Return auto-submit form
|
||||||
<html>
|
ctx.body = generateAutoSubmitForm(entityEndpoint, context);
|
||||||
<body>
|
|
||||||
<form id="redirectForm" action="${entityEndpoint}" method="POST">
|
|
||||||
<input type="hidden" name="SAMLResponse" value="${context}" />
|
|
||||||
<input type="submit" value="Submit" />
|
|
||||||
</form>
|
|
||||||
<script>
|
|
||||||
document.getElementById('redirectForm').submit();
|
|
||||||
</script>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
||||||
`;
|
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
|
@ -1,32 +1,13 @@
|
||||||
|
import { parseJson } from '@logto/connector-kit';
|
||||||
import { generateStandardId } from '@logto/shared';
|
import { generateStandardId } from '@logto/shared';
|
||||||
import saml from 'samlify';
|
import camelcaseKeys from 'camelcase-keys';
|
||||||
|
import { got } from 'got';
|
||||||
|
import * as saml from 'samlify';
|
||||||
|
|
||||||
import { type idTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
|
import RequestError from '#src/errors/RequestError/index.js';
|
||||||
|
import { oidcTokenResponseGuard, type idTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
|
||||||
|
|
||||||
export const samlLogInResponseTemplate = `
|
const createSamlTemplateCallback =
|
||||||
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}">
|
|
||||||
<saml:Issuer>{Issuer}</saml:Issuer>
|
|
||||||
<samlp:Status>
|
|
||||||
<samlp:StatusCode Value="{StatusCode}"/>
|
|
||||||
</samlp:Status>
|
|
||||||
<saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
|
|
||||||
<saml:Issuer>{Issuer}</saml:Issuer>
|
|
||||||
<saml:Subject>
|
|
||||||
<saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID>
|
|
||||||
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
|
||||||
<saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/>
|
|
||||||
</saml:SubjectConfirmation>
|
|
||||||
</saml:Subject>
|
|
||||||
<saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}">
|
|
||||||
<saml:AudienceRestriction>
|
|
||||||
<saml:Audience>{Audience}</saml:Audience>
|
|
||||||
</saml:AudienceRestriction>
|
|
||||||
</saml:Conditions>
|
|
||||||
{AttributeStatement}
|
|
||||||
</saml:Assertion>
|
|
||||||
</samlp:Response>`;
|
|
||||||
|
|
||||||
export const createSamlTemplateCallback =
|
|
||||||
(
|
(
|
||||||
idp: saml.IdentityProviderInstance,
|
idp: saml.IdentityProviderInstance,
|
||||||
sp: saml.ServiceProviderInstance,
|
sp: saml.ServiceProviderInstance,
|
||||||
|
@ -72,3 +53,82 @@ export const createSamlTemplateCallback =
|
||||||
context,
|
context,
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
export const exchangeAuthorizationCode = async (
|
||||||
|
tokenEndpoint: string,
|
||||||
|
{
|
||||||
|
code,
|
||||||
|
clientId,
|
||||||
|
clientSecret,
|
||||||
|
redirectUri,
|
||||||
|
}: {
|
||||||
|
code: string;
|
||||||
|
clientId: string;
|
||||||
|
clientSecret: string;
|
||||||
|
redirectUri?: string;
|
||||||
|
}
|
||||||
|
) => {
|
||||||
|
const headers = {
|
||||||
|
Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64')}`,
|
||||||
|
'Content-Type': 'application/x-www-form-urlencoded',
|
||||||
|
};
|
||||||
|
|
||||||
|
const tokenRequestParameters = new URLSearchParams({
|
||||||
|
grant_type: 'authorization_code',
|
||||||
|
code,
|
||||||
|
client_id: clientId,
|
||||||
|
...(redirectUri ? { redirect_uri: redirectUri } : {}),
|
||||||
|
});
|
||||||
|
|
||||||
|
const httpResponse = await got.post(tokenEndpoint, {
|
||||||
|
body: tokenRequestParameters.toString(),
|
||||||
|
headers,
|
||||||
|
});
|
||||||
|
|
||||||
|
const result = oidcTokenResponseGuard.safeParse(parseJson(httpResponse.body));
|
||||||
|
|
||||||
|
if (!result.success) {
|
||||||
|
throw new RequestError({
|
||||||
|
code: 'oidc.invalid_token',
|
||||||
|
message: 'Invalid token response',
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
return camelcaseKeys(result.data);
|
||||||
|
};
|
||||||
|
|
||||||
|
export const createSamlResponse = async (
|
||||||
|
idp: saml.IdentityProviderInstance,
|
||||||
|
sp: saml.ServiceProviderInstance,
|
||||||
|
userInfo: idTokenProfileStandardClaims
|
||||||
|
): Promise<{ context: string; entityEndpoint: string }> => {
|
||||||
|
// TODO: fix binding method
|
||||||
|
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
|
||||||
|
const { context, entityEndpoint } = await idp.createLoginResponse(
|
||||||
|
sp,
|
||||||
|
// @ts-expect-error --fix request object later
|
||||||
|
null,
|
||||||
|
'post',
|
||||||
|
userInfo,
|
||||||
|
createSamlTemplateCallback(idp, sp, userInfo)
|
||||||
|
);
|
||||||
|
|
||||||
|
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
|
||||||
|
return { context, entityEndpoint };
|
||||||
|
};
|
||||||
|
|
||||||
|
export const generateAutoSubmitForm = (actionUrl: string, samlResponse: string) => {
|
||||||
|
return `
|
||||||
|
<html>
|
||||||
|
<body>
|
||||||
|
<form id="redirectForm" action="${actionUrl}" method="POST">
|
||||||
|
<input type="hidden" name="SAMLResponse" value="${samlResponse}" />
|
||||||
|
<input type="submit" value="Submit" />
|
||||||
|
</form>
|
||||||
|
<script>
|
||||||
|
document.getElementById('redirectForm').submit();
|
||||||
|
</script>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
`;
|
||||||
|
};
|
||||||
|
|
Loading…
Reference in a new issue