0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-16 20:26:19 -05:00

refactor: refactor GET /saml-applications/:id/callback API

This commit is contained in:
Darcy Ye 2024-12-09 13:08:02 +08:00
parent b5481df6f5
commit 8420573eec
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
5 changed files with 170 additions and 107 deletions

View file

@ -1,17 +1,16 @@
import { tryThat } from '@silverhand/essentials';
import saml from 'samlify';
import { z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js';
import koaGuard from '#src/middleware/koa-guard.js';
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
import { SsoConnectorError } from '#src/sso/types/error.js';
import assertThat from '#src/utils/assert-that.js';
import { samlLogInResponseTemplate, samlAttributeNameFormatBasic,samlValueXmlnsXsi } from '../libraries/consts.js';
import { exchangeAuthorizationCode, generateAutoSubmitForm, createSamlResponse } from './utils.js';
import {
generateAutoSubmitForm,
createSamlResponse,
handleOidcCallbackAndGetUserInfo,
setupSamlProviders,
} from './utils.js';
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
z.object({
@ -29,6 +28,7 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
const {
samlApplications: { getSamlIdPMetadataByApplicationId },
} = libraries;
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
router.get(
'/saml-applications/:id/metadata',
@ -63,13 +63,7 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
query,
} = ctx.guard;
// Find the SAML application secret by application ID
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
const {
secret,
oidcClientMetadata: { redirectUris },
} = await applications.findApplicationById(id);
// Handle error in query parameters
if ('error' in query) {
throw new RequestError({
code: 'oidc.invalid_request',
@ -77,38 +71,27 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
});
}
// TODO: need to validate state for SP initiated SAML flow
// Get application configuration
const {
secret,
oidcClientMetadata: { redirectUris },
} = await applications.findApplicationById(id);
assertThat(redirectUris[0], 'oidc.redirect_uri_not_set');
// TODO: should be able to handle `state` and code verifier etc.
const { code } = query;
const { tokenEndpoint, userinfoEndpoint } = await tryThat(
async () => fetchOidcConfig(envSet.oidc.issuer),
(error) => {
if (error instanceof SsoConnectorError) {
throw new RequestError({
code: 'oidc.invalid_request',
message: error.message,
});
}
// Should rarely happen, fetch OIDC configuration should only throw SSO connector error .
throw error;
}
// Handle OIDC callback and get user info
const userInfo = await handleOidcCallbackAndGetUserInfo(
code,
id,
secret,
redirectUris[0],
envSet.oidc.issuer
);
// Exchange authorization code for tokens
const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
code,
clientId: id,
clientSecret: secret,
redirectUri: redirectUris[0],
});
assertThat(accessToken, new RequestError('oidc.access_denied'));
// Get user info using access token
const userInfo = await getUserInfo(accessToken, userinfoEndpoint);
// Get SAML configuration and create SAML response
// Get SAML configuration
const { metadata } = await getSamlIdPMetadataByApplicationId(id);
const { privateKey } =
await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
@ -118,41 +101,8 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
assertThat(entityId, 'application.saml.entity_id_required');
assertThat(acsUrl, 'application.saml.acs_url_required');
// eslint-disable-next-line new-cap
const idp = saml.IdentityProvider({
metadata,
privateKey,
isAssertionEncrypted: false,
loginResponseTemplate: {
context: samlLogInResponseTemplate,
attributes: [
{
name: 'email',
valueTag: 'email',
nameFormat: samlAttributeNameFormatBasic,
valueXsiType: samlValueXmlnsXsi['string'],
},
{
name: 'name',
valueTag: 'name',
nameFormat: samlAttributeNameFormatBasic,
valueXsiType: samlValueXmlnsXsi['string'],
},
],
},
});
// eslint-disable-next-line new-cap
const sp = saml.ServiceProvider({
entityID: entityId,
assertionConsumerService: [
{
Binding: acsUrl.binding,
Location: acsUrl.url,
},
],
});
// Setup SAML providers and create response
const { idp, sp } = setupSamlProviders(metadata, privateKey, entityId, acsUrl);
const { context, entityEndpoint } = await createSamlResponse(idp, sp, userInfo);
// Return auto-submit form

View file

@ -1,17 +1,28 @@
import { parseJson } from '@logto/connector-kit';
import { generateStandardId } from '@logto/shared';
import { tryThat } from '@silverhand/essentials';
import camelcaseKeys from 'camelcase-keys';
import { got } from 'got';
import saml from 'samlify';
import { ZodError, z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js';
import { oidcTokenResponseGuard, type idTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
import { fetchOidcConfigRaw, getRawUserInfoResponse } from '#src/sso/OidcConnector/utils.js';
import { idTokenProfileStandardClaimsGuard } from '#src/sso/types/oidc.js';
import { oidcTokenResponseGuard, type IdTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
import assertThat from '#src/utils/assert-that.js';
import {
samlLogInResponseTemplate,
samlAttributeNameFormatBasic,
samlValueXmlnsXsi,
} from '../libraries/consts.js';
const createSamlTemplateCallback =
(
idp: saml.IdentityProviderInstance,
sp: saml.ServiceProviderInstance,
user: idTokenProfileStandardClaims
user: IdTokenProfileStandardClaims
) =>
(template: string) => {
const assertionConsumerServiceUrl = sp.entityMeta.getAssertionConsumerService(
@ -63,7 +74,7 @@ const createSamlTemplateCallback =
};
};
export const exchangeAuthorizationCode = async (
const exchangeAuthorizationCode = async (
tokenEndpoint: string,
{
code,
@ -109,7 +120,7 @@ export const exchangeAuthorizationCode = async (
export const createSamlResponse = async (
idp: saml.IdentityProviderInstance,
sp: saml.ServiceProviderInstance,
userInfo: idTokenProfileStandardClaims
userInfo: IdTokenProfileStandardClaims
): Promise<{ context: string; entityEndpoint: string }> => {
// TODO: fix binding method
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
@ -141,3 +152,103 @@ export const generateAutoSubmitForm = (actionUrl: string, samlResponse: string):
</html>
`;
};
const getUserInfo = async (
accessToken: string,
userinfoEndpoint: string
): Promise<IdTokenProfileStandardClaims & Record<string, unknown>> => {
const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
const result = idTokenProfileStandardClaimsGuard.catchall(z.unknown()).safeParse(body);
if (!result.success) {
throw new RequestError({
code: 'oidc.invalid_request',
message: 'Invalid user info response',
details: result.error.flatten(),
});
}
return result.data;
};
// Helper functions for SAML callback
export const handleOidcCallbackAndGetUserInfo = async (
code: string,
applicationId: string,
secret: string,
redirectUri: string,
issuer: string
) => {
// Get OIDC configuration
const { tokenEndpoint, userinfoEndpoint } = await tryThat(
async () => fetchOidcConfigRaw(issuer),
(error) => {
if (error instanceof ZodError) {
throw new RequestError({
code: 'oidc.invalid_request',
message: error.message,
error: error.flatten(),
});
}
throw error;
}
);
// Exchange authorization code for tokens
const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
code,
clientId: applicationId,
clientSecret: secret,
redirectUri,
});
assertThat(accessToken, new RequestError('oidc.access_denied'));
// Get user info using access token
return getUserInfo(accessToken, userinfoEndpoint);
};
export const setupSamlProviders = (
metadata: string,
privateKey: string,
entityId: string,
acsUrl: { binding: string; url: string }
) => {
// eslint-disable-next-line new-cap
const idp = saml.IdentityProvider({
metadata,
privateKey,
isAssertionEncrypted: false,
loginResponseTemplate: {
context: samlLogInResponseTemplate,
attributes: [
{
name: 'email',
valueTag: 'email',
nameFormat: samlAttributeNameFormatBasic,
valueXsiType: samlValueXmlnsXsi.string,
},
{
name: 'name',
valueTag: 'name',
nameFormat: samlAttributeNameFormatBasic,
valueXsiType: samlValueXmlnsXsi.string,
},
],
},
});
// eslint-disable-next-line new-cap
const sp = saml.ServiceProvider({
entityID: entityId,
assertionConsumerService: [
{
Binding: acsUrl.binding,
Location: acsUrl.url,
},
],
});
return { idp, sp };
};

View file

@ -3,7 +3,7 @@ import { assert } from '@silverhand/essentials';
import camelcaseKeys, { type CamelCaseKeys } from 'camelcase-keys';
import { got, HTTPError } from 'got';
import { createRemoteJWKSet, jwtVerify, type JWTVerifyOptions } from 'jose';
import { z } from 'zod';
import { z, ZodError } from 'zod';
import {
SsoConnectorConfigErrorCodes,
@ -20,30 +20,28 @@ import {
type OidcTokenResponse,
} from '../types/oidc.js';
export const fetchOidcConfig = async (
issuer: string
): Promise<CamelCaseKeys<OidcConfigResponse>> => {
try {
export const fetchOidcConfigRaw = async (issuer: string) => {
const { body } = await got.get(`${issuer}/.well-known/openid-configuration`, {
responseType: 'json',
});
const result = oidcConfigResponseGuard.safeParse(body);
return camelcaseKeys(oidcConfigResponseGuard.parse(body));
};
if (!result.success) {
export const fetchOidcConfig = async (
issuer: string
): Promise<CamelCaseKeys<OidcConfigResponse>> => {
try {
return await fetchOidcConfigRaw(issuer);
} catch (error: unknown) {
if (error instanceof ZodError) {
throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
config: { issuer },
message: SsoConnectorConfigErrorCodes.InvalidConfigResponse,
error: result.error.flatten(),
error: error.flatten(),
});
}
return camelcaseKeys(result.data);
} catch (error: unknown) {
if (error instanceof SsoConnectorError) {
throw error;
}
throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
config: { issuer },
message: SsoConnectorConfigErrorCodes.FailToFetchConfig,
@ -159,26 +157,29 @@ export const getIdTokenClaims = async (
}
};
export const getRawUserInfoResponse = async (accessToken: string, userinfoEndpoint: string) => {
const httpResponse = await got.get(userinfoEndpoint, {
headers: {
Authorization: `Bearer ${accessToken}`,
},
});
return httpResponse.body;
};
/**
* Get the user info from the userinfo endpoint incase id token does not contain sufficient user claims.
*/
export const getUserInfo = async (accessToken: string, userinfoEndpoint: string) => {
try {
const httpResponse = await got.get(userinfoEndpoint, {
headers: {
Authorization: `Bearer ${accessToken}`,
},
responseType: 'json',
});
const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
const result = idTokenProfileStandardClaimsGuard
.catchall(z.unknown())
.safeParse(httpResponse.body);
const result = idTokenProfileStandardClaimsGuard.catchall(z.unknown()).safeParse(body);
if (!result.success) {
throw new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
message: 'Invalid user info response',
response: httpResponse.body,
response: body,
error: result.error.flatten(),
});
}

View file

@ -78,4 +78,4 @@ export const idTokenProfileStandardClaimsGuard = z.object({
nonce: z.string().nullish(),
});
export type idTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;
export type IdTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;

View file

@ -8,6 +8,7 @@ const oidc = {
invalid_grant: 'Grant request is invalid.',
invalid_redirect_uri:
"`redirect_uri` did not match any of the client's registered `redirect_uris`.",
redirect_uri_not_set: '`redirect_uri` is not set.',
access_denied: 'Access denied.',
invalid_target: 'Invalid resource indicator.',
unsupported_grant_type: 'Unsupported `grant_type` requested.',