mirror of
https://github.com/logto-io/logto.git
synced 2024-12-16 20:26:19 -05:00
refactor: refactor GET /saml-applications/:id/callback API
This commit is contained in:
parent
b5481df6f5
commit
8420573eec
5 changed files with 170 additions and 107 deletions
|
@ -1,17 +1,16 @@
|
|||
import { tryThat } from '@silverhand/essentials';
|
||||
import saml from 'samlify';
|
||||
import { z } from 'zod';
|
||||
|
||||
import RequestError from '#src/errors/RequestError/index.js';
|
||||
import koaGuard from '#src/middleware/koa-guard.js';
|
||||
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
|
||||
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
|
||||
import { SsoConnectorError } from '#src/sso/types/error.js';
|
||||
import assertThat from '#src/utils/assert-that.js';
|
||||
|
||||
import { samlLogInResponseTemplate, samlAttributeNameFormatBasic,samlValueXmlnsXsi } from '../libraries/consts.js';
|
||||
|
||||
import { exchangeAuthorizationCode, generateAutoSubmitForm, createSamlResponse } from './utils.js';
|
||||
import {
|
||||
generateAutoSubmitForm,
|
||||
createSamlResponse,
|
||||
handleOidcCallbackAndGetUserInfo,
|
||||
setupSamlProviders,
|
||||
} from './utils.js';
|
||||
|
||||
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
|
||||
z.object({
|
||||
|
@ -29,6 +28,7 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
|||
const {
|
||||
samlApplications: { getSamlIdPMetadataByApplicationId },
|
||||
} = libraries;
|
||||
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
|
||||
|
||||
router.get(
|
||||
'/saml-applications/:id/metadata',
|
||||
|
@ -63,13 +63,7 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
|||
query,
|
||||
} = ctx.guard;
|
||||
|
||||
// Find the SAML application secret by application ID
|
||||
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
|
||||
const {
|
||||
secret,
|
||||
oidcClientMetadata: { redirectUris },
|
||||
} = await applications.findApplicationById(id);
|
||||
|
||||
// Handle error in query parameters
|
||||
if ('error' in query) {
|
||||
throw new RequestError({
|
||||
code: 'oidc.invalid_request',
|
||||
|
@ -77,38 +71,27 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
|||
});
|
||||
}
|
||||
|
||||
// TODO: need to validate state for SP initiated SAML flow
|
||||
// Get application configuration
|
||||
const {
|
||||
secret,
|
||||
oidcClientMetadata: { redirectUris },
|
||||
} = await applications.findApplicationById(id);
|
||||
|
||||
assertThat(redirectUris[0], 'oidc.redirect_uri_not_set');
|
||||
|
||||
// TODO: should be able to handle `state` and code verifier etc.
|
||||
const { code } = query;
|
||||
|
||||
const { tokenEndpoint, userinfoEndpoint } = await tryThat(
|
||||
async () => fetchOidcConfig(envSet.oidc.issuer),
|
||||
(error) => {
|
||||
if (error instanceof SsoConnectorError) {
|
||||
throw new RequestError({
|
||||
code: 'oidc.invalid_request',
|
||||
message: error.message,
|
||||
});
|
||||
}
|
||||
|
||||
// Should rarely happen, fetch OIDC configuration should only throw SSO connector error .
|
||||
throw error;
|
||||
}
|
||||
// Handle OIDC callback and get user info
|
||||
const userInfo = await handleOidcCallbackAndGetUserInfo(
|
||||
code,
|
||||
id,
|
||||
secret,
|
||||
redirectUris[0],
|
||||
envSet.oidc.issuer
|
||||
);
|
||||
|
||||
// Exchange authorization code for tokens
|
||||
const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
|
||||
code,
|
||||
clientId: id,
|
||||
clientSecret: secret,
|
||||
redirectUri: redirectUris[0],
|
||||
});
|
||||
|
||||
assertThat(accessToken, new RequestError('oidc.access_denied'));
|
||||
|
||||
// Get user info using access token
|
||||
const userInfo = await getUserInfo(accessToken, userinfoEndpoint);
|
||||
|
||||
// Get SAML configuration and create SAML response
|
||||
// Get SAML configuration
|
||||
const { metadata } = await getSamlIdPMetadataByApplicationId(id);
|
||||
const { privateKey } =
|
||||
await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
|
||||
|
@ -118,41 +101,8 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
|||
assertThat(entityId, 'application.saml.entity_id_required');
|
||||
assertThat(acsUrl, 'application.saml.acs_url_required');
|
||||
|
||||
// eslint-disable-next-line new-cap
|
||||
const idp = saml.IdentityProvider({
|
||||
metadata,
|
||||
privateKey,
|
||||
isAssertionEncrypted: false,
|
||||
loginResponseTemplate: {
|
||||
context: samlLogInResponseTemplate,
|
||||
attributes: [
|
||||
{
|
||||
name: 'email',
|
||||
valueTag: 'email',
|
||||
nameFormat: samlAttributeNameFormatBasic,
|
||||
valueXsiType: samlValueXmlnsXsi['string'],
|
||||
},
|
||||
{
|
||||
name: 'name',
|
||||
valueTag: 'name',
|
||||
nameFormat: samlAttributeNameFormatBasic,
|
||||
valueXsiType: samlValueXmlnsXsi['string'],
|
||||
},
|
||||
],
|
||||
},
|
||||
});
|
||||
|
||||
// eslint-disable-next-line new-cap
|
||||
const sp = saml.ServiceProvider({
|
||||
entityID: entityId,
|
||||
assertionConsumerService: [
|
||||
{
|
||||
Binding: acsUrl.binding,
|
||||
Location: acsUrl.url,
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
// Setup SAML providers and create response
|
||||
const { idp, sp } = setupSamlProviders(metadata, privateKey, entityId, acsUrl);
|
||||
const { context, entityEndpoint } = await createSamlResponse(idp, sp, userInfo);
|
||||
|
||||
// Return auto-submit form
|
||||
|
|
|
@ -1,17 +1,28 @@
|
|||
import { parseJson } from '@logto/connector-kit';
|
||||
import { generateStandardId } from '@logto/shared';
|
||||
import { tryThat } from '@silverhand/essentials';
|
||||
import camelcaseKeys from 'camelcase-keys';
|
||||
import { got } from 'got';
|
||||
import saml from 'samlify';
|
||||
import { ZodError, z } from 'zod';
|
||||
|
||||
import RequestError from '#src/errors/RequestError/index.js';
|
||||
import { oidcTokenResponseGuard, type idTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
|
||||
import { fetchOidcConfigRaw, getRawUserInfoResponse } from '#src/sso/OidcConnector/utils.js';
|
||||
import { idTokenProfileStandardClaimsGuard } from '#src/sso/types/oidc.js';
|
||||
import { oidcTokenResponseGuard, type IdTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
|
||||
import assertThat from '#src/utils/assert-that.js';
|
||||
|
||||
import {
|
||||
samlLogInResponseTemplate,
|
||||
samlAttributeNameFormatBasic,
|
||||
samlValueXmlnsXsi,
|
||||
} from '../libraries/consts.js';
|
||||
|
||||
const createSamlTemplateCallback =
|
||||
(
|
||||
idp: saml.IdentityProviderInstance,
|
||||
sp: saml.ServiceProviderInstance,
|
||||
user: idTokenProfileStandardClaims
|
||||
user: IdTokenProfileStandardClaims
|
||||
) =>
|
||||
(template: string) => {
|
||||
const assertionConsumerServiceUrl = sp.entityMeta.getAssertionConsumerService(
|
||||
|
@ -63,7 +74,7 @@ const createSamlTemplateCallback =
|
|||
};
|
||||
};
|
||||
|
||||
export const exchangeAuthorizationCode = async (
|
||||
const exchangeAuthorizationCode = async (
|
||||
tokenEndpoint: string,
|
||||
{
|
||||
code,
|
||||
|
@ -109,7 +120,7 @@ export const exchangeAuthorizationCode = async (
|
|||
export const createSamlResponse = async (
|
||||
idp: saml.IdentityProviderInstance,
|
||||
sp: saml.ServiceProviderInstance,
|
||||
userInfo: idTokenProfileStandardClaims
|
||||
userInfo: IdTokenProfileStandardClaims
|
||||
): Promise<{ context: string; entityEndpoint: string }> => {
|
||||
// TODO: fix binding method
|
||||
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
|
||||
|
@ -141,3 +152,103 @@ export const generateAutoSubmitForm = (actionUrl: string, samlResponse: string):
|
|||
</html>
|
||||
`;
|
||||
};
|
||||
|
||||
const getUserInfo = async (
|
||||
accessToken: string,
|
||||
userinfoEndpoint: string
|
||||
): Promise<IdTokenProfileStandardClaims & Record<string, unknown>> => {
|
||||
const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
|
||||
const result = idTokenProfileStandardClaimsGuard.catchall(z.unknown()).safeParse(body);
|
||||
|
||||
if (!result.success) {
|
||||
throw new RequestError({
|
||||
code: 'oidc.invalid_request',
|
||||
message: 'Invalid user info response',
|
||||
details: result.error.flatten(),
|
||||
});
|
||||
}
|
||||
|
||||
return result.data;
|
||||
};
|
||||
|
||||
// Helper functions for SAML callback
|
||||
export const handleOidcCallbackAndGetUserInfo = async (
|
||||
code: string,
|
||||
applicationId: string,
|
||||
secret: string,
|
||||
redirectUri: string,
|
||||
issuer: string
|
||||
) => {
|
||||
// Get OIDC configuration
|
||||
const { tokenEndpoint, userinfoEndpoint } = await tryThat(
|
||||
async () => fetchOidcConfigRaw(issuer),
|
||||
(error) => {
|
||||
if (error instanceof ZodError) {
|
||||
throw new RequestError({
|
||||
code: 'oidc.invalid_request',
|
||||
message: error.message,
|
||||
error: error.flatten(),
|
||||
});
|
||||
}
|
||||
|
||||
throw error;
|
||||
}
|
||||
);
|
||||
|
||||
// Exchange authorization code for tokens
|
||||
const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
|
||||
code,
|
||||
clientId: applicationId,
|
||||
clientSecret: secret,
|
||||
redirectUri,
|
||||
});
|
||||
|
||||
assertThat(accessToken, new RequestError('oidc.access_denied'));
|
||||
|
||||
// Get user info using access token
|
||||
return getUserInfo(accessToken, userinfoEndpoint);
|
||||
};
|
||||
|
||||
export const setupSamlProviders = (
|
||||
metadata: string,
|
||||
privateKey: string,
|
||||
entityId: string,
|
||||
acsUrl: { binding: string; url: string }
|
||||
) => {
|
||||
// eslint-disable-next-line new-cap
|
||||
const idp = saml.IdentityProvider({
|
||||
metadata,
|
||||
privateKey,
|
||||
isAssertionEncrypted: false,
|
||||
loginResponseTemplate: {
|
||||
context: samlLogInResponseTemplate,
|
||||
attributes: [
|
||||
{
|
||||
name: 'email',
|
||||
valueTag: 'email',
|
||||
nameFormat: samlAttributeNameFormatBasic,
|
||||
valueXsiType: samlValueXmlnsXsi.string,
|
||||
},
|
||||
{
|
||||
name: 'name',
|
||||
valueTag: 'name',
|
||||
nameFormat: samlAttributeNameFormatBasic,
|
||||
valueXsiType: samlValueXmlnsXsi.string,
|
||||
},
|
||||
],
|
||||
},
|
||||
});
|
||||
|
||||
// eslint-disable-next-line new-cap
|
||||
const sp = saml.ServiceProvider({
|
||||
entityID: entityId,
|
||||
assertionConsumerService: [
|
||||
{
|
||||
Binding: acsUrl.binding,
|
||||
Location: acsUrl.url,
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
return { idp, sp };
|
||||
};
|
||||
|
|
|
@ -3,7 +3,7 @@ import { assert } from '@silverhand/essentials';
|
|||
import camelcaseKeys, { type CamelCaseKeys } from 'camelcase-keys';
|
||||
import { got, HTTPError } from 'got';
|
||||
import { createRemoteJWKSet, jwtVerify, type JWTVerifyOptions } from 'jose';
|
||||
import { z } from 'zod';
|
||||
import { z, ZodError } from 'zod';
|
||||
|
||||
import {
|
||||
SsoConnectorConfigErrorCodes,
|
||||
|
@ -20,30 +20,28 @@ import {
|
|||
type OidcTokenResponse,
|
||||
} from '../types/oidc.js';
|
||||
|
||||
export const fetchOidcConfig = async (
|
||||
issuer: string
|
||||
): Promise<CamelCaseKeys<OidcConfigResponse>> => {
|
||||
try {
|
||||
export const fetchOidcConfigRaw = async (issuer: string) => {
|
||||
const { body } = await got.get(`${issuer}/.well-known/openid-configuration`, {
|
||||
responseType: 'json',
|
||||
});
|
||||
|
||||
const result = oidcConfigResponseGuard.safeParse(body);
|
||||
return camelcaseKeys(oidcConfigResponseGuard.parse(body));
|
||||
};
|
||||
|
||||
if (!result.success) {
|
||||
export const fetchOidcConfig = async (
|
||||
issuer: string
|
||||
): Promise<CamelCaseKeys<OidcConfigResponse>> => {
|
||||
try {
|
||||
return await fetchOidcConfigRaw(issuer);
|
||||
} catch (error: unknown) {
|
||||
if (error instanceof ZodError) {
|
||||
throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
|
||||
config: { issuer },
|
||||
message: SsoConnectorConfigErrorCodes.InvalidConfigResponse,
|
||||
error: result.error.flatten(),
|
||||
error: error.flatten(),
|
||||
});
|
||||
}
|
||||
|
||||
return camelcaseKeys(result.data);
|
||||
} catch (error: unknown) {
|
||||
if (error instanceof SsoConnectorError) {
|
||||
throw error;
|
||||
}
|
||||
|
||||
throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
|
||||
config: { issuer },
|
||||
message: SsoConnectorConfigErrorCodes.FailToFetchConfig,
|
||||
|
@ -159,26 +157,29 @@ export const getIdTokenClaims = async (
|
|||
}
|
||||
};
|
||||
|
||||
export const getRawUserInfoResponse = async (accessToken: string, userinfoEndpoint: string) => {
|
||||
const httpResponse = await got.get(userinfoEndpoint, {
|
||||
headers: {
|
||||
Authorization: `Bearer ${accessToken}`,
|
||||
},
|
||||
});
|
||||
|
||||
return httpResponse.body;
|
||||
};
|
||||
|
||||
/**
|
||||
* Get the user info from the userinfo endpoint incase id token does not contain sufficient user claims.
|
||||
*/
|
||||
export const getUserInfo = async (accessToken: string, userinfoEndpoint: string) => {
|
||||
try {
|
||||
const httpResponse = await got.get(userinfoEndpoint, {
|
||||
headers: {
|
||||
Authorization: `Bearer ${accessToken}`,
|
||||
},
|
||||
responseType: 'json',
|
||||
});
|
||||
const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
|
||||
|
||||
const result = idTokenProfileStandardClaimsGuard
|
||||
.catchall(z.unknown())
|
||||
.safeParse(httpResponse.body);
|
||||
const result = idTokenProfileStandardClaimsGuard.catchall(z.unknown()).safeParse(body);
|
||||
|
||||
if (!result.success) {
|
||||
throw new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
|
||||
message: 'Invalid user info response',
|
||||
response: httpResponse.body,
|
||||
response: body,
|
||||
error: result.error.flatten(),
|
||||
});
|
||||
}
|
||||
|
|
|
@ -78,4 +78,4 @@ export const idTokenProfileStandardClaimsGuard = z.object({
|
|||
nonce: z.string().nullish(),
|
||||
});
|
||||
|
||||
export type idTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;
|
||||
export type IdTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;
|
||||
|
|
|
@ -8,6 +8,7 @@ const oidc = {
|
|||
invalid_grant: 'Grant request is invalid.',
|
||||
invalid_redirect_uri:
|
||||
"`redirect_uri` did not match any of the client's registered `redirect_uris`.",
|
||||
redirect_uri_not_set: '`redirect_uri` is not set.',
|
||||
access_denied: 'Access denied.',
|
||||
invalid_target: 'Invalid resource indicator.',
|
||||
unsupported_grant_type: 'Unsupported `grant_type` requested.',
|
||||
|
|
Loading…
Reference in a new issue