0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-16 20:26:19 -05:00

feat(core): implement SAML IdP response flow

This commit is contained in:
simeng-li 2024-12-04 14:44:30 +08:00 committed by Darcy Ye
parent d2fb597ef3
commit 8cac49bb48
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
9 changed files with 581 additions and 25 deletions

View file

@ -0,0 +1,36 @@
export const samlLogInResponseTemplate = `
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}">
<saml:Issuer>{Issuer}</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="{StatusCode}"/>
</samlp:Status>
<saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>{Issuer}</saml:Issuer>
<saml:Subject>
<saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}">
<saml:AudienceRestriction>
<saml:Audience>{Audience}</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
{AttributeStatement}
</saml:Assertion>
</samlp:Response>`;
export const samlAttributeNameFormatBasic = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';
const samlValueXmlnsXsiString = 'xs:string';
const samlValueXmlnsXsiInteger = 'xsd:integer';
const samlValueXmlnsXsiBoolean = 'xsd:boolean';
const samlValueXmlnsXsiDatetime = 'xsd:dateTime';
export const samlValueXmlnsXsi = {
string: samlValueXmlnsXsiString,
integer: samlValueXmlnsXsiInteger,
boolean: samlValueXmlnsXsiBoolean,
datetime: samlValueXmlnsXsiDatetime,
};

View file

@ -7,7 +7,7 @@ import {
} from '@logto/schemas'; } from '@logto/schemas';
import { generateStandardId } from '@logto/shared'; import { generateStandardId } from '@logto/shared';
import { removeUndefinedKeys } from '@silverhand/essentials'; import { removeUndefinedKeys } from '@silverhand/essentials';
import * as saml from 'samlify'; import saml from 'samlify';
import { EnvSet, getTenantEndpoint } from '#src/env-set/index.js'; import { EnvSet, getTenantEndpoint } from '#src/env-set/index.js';
import RequestError from '#src/errors/RequestError/index.js'; import RequestError from '#src/errors/RequestError/index.js';

View file

@ -1,14 +1,34 @@
import { z } from 'zod'; import { z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js';
import koaGuard from '#src/middleware/koa-guard.js'; import koaGuard from '#src/middleware/koa-guard.js';
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js'; import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
import assertThat from '#src/utils/assert-that.js';
import {
generateAutoSubmitForm,
createSamlResponse,
handleOidcCallbackAndGetUserInfo,
setupSamlProviders,
} from './utils.js';
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
z.object({
code: z.string(),
}),
z.object({
error: z.string(),
error_description: z.string().optional(),
}),
]);
export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>( export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>(
...[router, { libraries }]: RouterInitArgs<T> ...[router, { libraries, queries, envSet }]: RouterInitArgs<T>
) { ) {
const { const {
samlApplications: { getSamlIdPMetadataByApplicationId }, samlApplications: { getSamlIdPMetadataByApplicationId },
} = libraries; } = libraries;
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
router.get( router.get(
'/saml-applications/:id/metadata', '/saml-applications/:id/metadata',
@ -29,4 +49,65 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
return next(); return next();
} }
); );
router.get(
'/saml-applications/:id/callback',
koaGuard({
params: z.object({ id: z.string() }),
query: samlApplicationSignInCallbackQueryParametersGuard,
status: [200, 400],
}),
async (ctx, next) => {
const {
params: { id },
query,
} = ctx.guard;
// Handle error in query parameters
if ('error' in query) {
throw new RequestError({
code: 'oidc.invalid_request',
message: query.error_description,
});
}
// Get application configuration
const {
secret,
oidcClientMetadata: { redirectUris },
} = await applications.findApplicationById(id);
assertThat(redirectUris[0], 'oidc.redirect_uri_not_set');
// TODO: should be able to handle `state` and code verifier etc.
const { code } = query;
// Handle OIDC callback and get user info
const userInfo = await handleOidcCallbackAndGetUserInfo(
code,
id,
secret,
redirectUris[0],
envSet.oidc.issuer
);
// Get SAML configuration
const { metadata } = await getSamlIdPMetadataByApplicationId(id);
const { privateKey } =
await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
const { entityId, acsUrl } =
await samlApplicationConfigs.findSamlApplicationConfigByApplicationId(id);
assertThat(entityId, 'application.saml.entity_id_required');
assertThat(acsUrl, 'application.saml.acs_url_required');
// Setup SAML providers and create response
const { idp, sp } = setupSamlProviders(metadata, privateKey, entityId, acsUrl);
const { context, entityEndpoint } = await createSamlResponse(idp, sp, userInfo);
// Return auto-submit form
ctx.body = generateAutoSubmitForm(entityEndpoint, context);
return next();
}
);
} }

View file

@ -0,0 +1,178 @@
import nock from 'nock';
import type { IdentityProviderInstance, ServiceProviderInstance } from 'samlify';
import {
createSamlTemplateCallback,
exchangeAuthorizationCode,
getUserInfo,
setupSamlProviders,
} from './utils.js';
const { jest } = import.meta;
describe('createSamlTemplateCallback', () => {
const mockIdp = {
entityMeta: {
getEntityID: () => 'idp-entity-id',
},
entitySetting: {
nameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
},
createLoginResponse: jest.fn(),
parseLoginRequest: jest.fn(),
entityType: 'idp',
getEntitySetting: jest.fn(),
};
const mockSp = {
entityMeta: {
getAssertionConsumerService: () => 'https://sp.example.com/acs',
getEntityID: () => 'sp-entity-id',
},
createLoginRequest: jest.fn(),
parseLoginResponse: jest.fn(),
entitySetting: {},
entityType: 'sp',
};
const mockUser = {
sub: 'user123',
email: 'user@example.com',
name: 'Test User',
};
it('should create SAML template callback with correct values', () => {
const callback = createSamlTemplateCallback(
mockIdp as unknown as IdentityProviderInstance,
mockSp as unknown as ServiceProviderInstance,
mockUser
);
const result = callback('ID:NameID:attrEmail:attrName');
const generatedId = result.id.replace('ID_', '');
expect(result.id).toBe('ID_' + generatedId);
expect(typeof result.context).toBe('string');
});
});
describe('exchangeAuthorizationCode', () => {
const mockTokenEndpoint = 'https://auth.example.com/token';
const mockCode = 'auth-code';
const mockClientId = 'client-id';
const mockClientSecret = 'client-secret';
const mockRedirectUri = 'https://app.example.com/callback';
afterEach(() => {
nock.cleanAll();
});
it('should exchange authorization code successfully', async () => {
const mockResponse = {
access_token: 'access-token',
token_type: 'Bearer',
expires_in: 3600,
scope: 'openid profile email',
id_token: 'mock.id.token',
};
const expectedAuthHeader = `Basic ${Buffer.from(
`${mockClientId}:${mockClientSecret}`,
'utf8'
).toString('base64')}`;
nock('https://auth.example.com')
.post('/token', {
grant_type: 'authorization_code',
code: mockCode,
client_id: mockClientId,
redirect_uri: mockRedirectUri,
})
.matchHeader('Authorization', expectedAuthHeader)
.matchHeader('Content-Type', 'application/x-www-form-urlencoded')
.reply(200, JSON.stringify(mockResponse));
const result = await exchangeAuthorizationCode(mockTokenEndpoint, {
code: mockCode,
clientId: mockClientId,
clientSecret: mockClientSecret,
redirectUri: mockRedirectUri,
});
expect(result).toMatchObject({
accessToken: mockResponse.access_token,
tokenType: mockResponse.token_type,
expiresIn: mockResponse.expires_in,
scope: mockResponse.scope,
idToken: mockResponse.id_token,
});
});
it('should throw error when token response is invalid', async () => {
nock('https://auth.example.com').post('/token').reply(200, { invalid: 'response' });
await expect(
exchangeAuthorizationCode(mockTokenEndpoint, {
code: mockCode,
clientId: mockClientId,
clientSecret: mockClientSecret,
})
).rejects.toMatchObject({
code: 'oidc.invalid_token',
});
});
});
describe('getUserInfo', () => {
const mockAccessToken = 'access-token';
const mockUserinfoEndpoint = 'https://auth.example.com/userinfo';
afterEach(() => {
nock.cleanAll();
});
it('should get user info successfully', async () => {
const mockUserInfo = {
sub: 'user123',
email: 'user@example.com',
name: 'Test User',
};
nock('https://auth.example.com')
.get('/userinfo')
.matchHeader('Authorization', `Bearer ${mockAccessToken}`)
.reply(200, mockUserInfo);
const result = await getUserInfo(mockAccessToken, mockUserinfoEndpoint);
expect(result).toMatchObject(mockUserInfo);
});
it('should throw error when user info response is invalid', async () => {
nock('https://auth.example.com')
.get('/userinfo')
.matchHeader('Authorization', `Bearer ${mockAccessToken}`)
.reply(200, { invalid: 'response' });
await expect(getUserInfo(mockAccessToken, mockUserinfoEndpoint)).rejects.toMatchObject({
code: 'oidc.invalid_request',
});
});
});
describe('setupSamlProviders', () => {
it('should setup SAML providers with correct configuration', () => {
const mockMetadata = '<EntityDescriptor>...</EntityDescriptor>';
const mockPrivateKey = '-----BEGIN PRIVATE KEY-----...';
const mockEntityId = 'https://sp.example.com';
const mockAcsUrl = {
binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
url: 'https://sp.example.com/acs',
};
const { idp, sp } = setupSamlProviders(mockMetadata, mockPrivateKey, mockEntityId, mockAcsUrl);
expect(idp).toBeDefined();
expect(sp).toBeDefined();
expect(sp.entityMeta.getEntityID()).toBe(mockEntityId);
});
});

View file

@ -0,0 +1,254 @@
import { parseJson } from '@logto/connector-kit';
import { generateStandardId } from '@logto/shared';
import { tryThat } from '@silverhand/essentials';
import camelcaseKeys from 'camelcase-keys';
import { got } from 'got';
import saml from 'samlify';
import { ZodError, z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js';
import { fetchOidcConfigRaw, getRawUserInfoResponse } from '#src/sso/OidcConnector/utils.js';
import { idTokenProfileStandardClaimsGuard } from '#src/sso/types/oidc.js';
import { oidcTokenResponseGuard, type IdTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
import assertThat from '#src/utils/assert-that.js';
import {
samlLogInResponseTemplate,
samlAttributeNameFormatBasic,
samlValueXmlnsXsi,
} from '../libraries/consts.js';
export const createSamlTemplateCallback =
(
idp: saml.IdentityProviderInstance,
sp: saml.ServiceProviderInstance,
user: IdTokenProfileStandardClaims
) =>
(template: string) => {
const assertionConsumerServiceUrl = sp.entityMeta.getAssertionConsumerService(
saml.Constants.wording.binding.post
);
const { nameIDFormat } = idp.entitySetting;
const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
const id = `ID_${generateStandardId()}`;
const now = new Date();
const expireAt = new Date(now.getTime() + 10 * 60 * 1000); // 10 minutes later
const tagValues = {
ID: id,
AssertionID: `ID_${generateStandardId()}`,
Destination: assertionConsumerServiceUrl,
Audience: sp.entityMeta.getEntityID(),
EntityID: sp.entityMeta.getEntityID(),
SubjectRecipient: assertionConsumerServiceUrl,
Issuer: idp.entityMeta.getEntityID(),
IssueInstant: now.toISOString(),
AssertionConsumerServiceURL: assertionConsumerServiceUrl,
StatusCode: saml.Constants.StatusCode.Success,
ConditionsNotBefore: now.toISOString(),
ConditionsNotOnOrAfter: expireAt.toISOString(),
SubjectConfirmationDataNotOnOrAfter: expireAt.toISOString(),
NameIDFormat: selectedNameIDFormat,
NameID: user.sub,
InResponseTo: 'null',
/**
* User attributes for SAML response
*
* @todo Support custom attribute mapping
* @see {@link https://github.com/tngan/samlify/blob/master/src/libsaml.ts#L275-L300|samlify implementation}
*
* @remarks
* By examining the code provided in the link above, we can define all the attributes supported by the attribute mapping here. Only the attributes defined in the `loginResponseTemplate.attributes` added when creating the IdP instance will appear in the SAML response.
*/
attrEmail: user.email,
attrName: user.name,
};
const context = saml.SamlLib.replaceTagsByValue(template, tagValues);
return {
id,
context,
};
};
export const exchangeAuthorizationCode = async (
tokenEndpoint: string,
{
code,
clientId,
clientSecret,
redirectUri,
}: {
code: string;
clientId: string;
clientSecret: string;
redirectUri?: string;
}
) => {
const headers = {
Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64')}`,
'Content-Type': 'application/x-www-form-urlencoded',
};
const tokenRequestParameters = new URLSearchParams({
grant_type: 'authorization_code',
code,
client_id: clientId,
...(redirectUri ? { redirect_uri: redirectUri } : {}),
});
const httpResponse = await got.post(tokenEndpoint, {
body: tokenRequestParameters.toString(),
headers,
});
const result = oidcTokenResponseGuard.safeParse(parseJson(httpResponse.body));
if (!result.success) {
throw new RequestError({
code: 'oidc.invalid_token',
message: 'Invalid token response',
});
}
return camelcaseKeys(result.data);
};
export const createSamlResponse = async (
idp: saml.IdentityProviderInstance,
sp: saml.ServiceProviderInstance,
userInfo: IdTokenProfileStandardClaims
): Promise<{ context: string; entityEndpoint: string }> => {
// TODO: fix binding method
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
const { context, entityEndpoint } = await idp.createLoginResponse(
sp,
// @ts-expect-error --fix request object later
null,
'post',
userInfo,
createSamlTemplateCallback(idp, sp, userInfo)
);
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
return { context, entityEndpoint };
};
export const generateAutoSubmitForm = (actionUrl: string, samlResponse: string): string => {
return `
<html>
<body>
<form id="redirectForm" action="${actionUrl}" method="POST">
<input type="hidden" name="SAMLResponse" value="${samlResponse}" />
<input type="submit" value="Submit" />
</form>
<script>
document.getElementById('redirectForm').submit();
</script>
</body>
</html>
`;
};
export const getUserInfo = async (
accessToken: string,
userinfoEndpoint: string
): Promise<IdTokenProfileStandardClaims & Record<string, unknown>> => {
const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
const result = idTokenProfileStandardClaimsGuard.catchall(z.unknown()).safeParse(parseJson(body));
if (!result.success) {
throw new RequestError({
code: 'oidc.invalid_request',
message: 'Invalid user info response',
details: result.error.flatten(),
});
}
return result.data;
};
// Helper functions for SAML callback
export const handleOidcCallbackAndGetUserInfo = async (
code: string,
applicationId: string,
secret: string,
redirectUri: string,
issuer: string
) => {
// Get OIDC configuration
const { tokenEndpoint, userinfoEndpoint } = await tryThat(
async () => fetchOidcConfigRaw(issuer),
(error) => {
if (error instanceof ZodError) {
throw new RequestError({
code: 'oidc.invalid_request',
message: error.message,
error: error.flatten(),
});
}
throw error;
}
);
// Exchange authorization code for tokens
const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
code,
clientId: applicationId,
clientSecret: secret,
redirectUri,
});
assertThat(accessToken, new RequestError('oidc.access_denied'));
// Get user info using access token
return getUserInfo(accessToken, userinfoEndpoint);
};
export const setupSamlProviders = (
metadata: string,
privateKey: string,
entityId: string,
acsUrl: { binding: string; url: string }
) => {
// eslint-disable-next-line new-cap
const idp = saml.IdentityProvider({
metadata,
privateKey,
isAssertionEncrypted: false,
loginResponseTemplate: {
context: samlLogInResponseTemplate,
attributes: [
{
name: 'email',
valueTag: 'email',
nameFormat: samlAttributeNameFormatBasic,
valueXsiType: samlValueXmlnsXsi.string,
},
{
name: 'name',
valueTag: 'name',
nameFormat: samlAttributeNameFormatBasic,
valueXsiType: samlValueXmlnsXsi.string,
},
],
},
});
// eslint-disable-next-line new-cap
const sp = saml.ServiceProvider({
entityID: entityId,
assertionConsumerService: [
{
Binding: acsUrl.binding,
Location: acsUrl.url,
},
],
});
return { idp, sp };
};

View file

@ -3,7 +3,7 @@ import { assert } from '@silverhand/essentials';
import camelcaseKeys, { type CamelCaseKeys } from 'camelcase-keys'; import camelcaseKeys, { type CamelCaseKeys } from 'camelcase-keys';
import { got, HTTPError } from 'got'; import { got, HTTPError } from 'got';
import { createRemoteJWKSet, jwtVerify, type JWTVerifyOptions } from 'jose'; import { createRemoteJWKSet, jwtVerify, type JWTVerifyOptions } from 'jose';
import { z } from 'zod'; import { z, ZodError } from 'zod';
import { import {
SsoConnectorConfigErrorCodes, SsoConnectorConfigErrorCodes,
@ -20,30 +20,28 @@ import {
type OidcTokenResponse, type OidcTokenResponse,
} from '../types/oidc.js'; } from '../types/oidc.js';
export const fetchOidcConfig = async ( export const fetchOidcConfigRaw = async (issuer: string) => {
issuer: string
): Promise<CamelCaseKeys<OidcConfigResponse>> => {
try {
const { body } = await got.get(`${issuer}/.well-known/openid-configuration`, { const { body } = await got.get(`${issuer}/.well-known/openid-configuration`, {
responseType: 'json', responseType: 'json',
}); });
const result = oidcConfigResponseGuard.safeParse(body); return camelcaseKeys(oidcConfigResponseGuard.parse(body));
};
if (!result.success) { export const fetchOidcConfig = async (
issuer: string
): Promise<CamelCaseKeys<OidcConfigResponse>> => {
try {
return await fetchOidcConfigRaw(issuer);
} catch (error: unknown) {
if (error instanceof ZodError) {
throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, { throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
config: { issuer }, config: { issuer },
message: SsoConnectorConfigErrorCodes.InvalidConfigResponse, message: SsoConnectorConfigErrorCodes.InvalidConfigResponse,
error: result.error.flatten(), error: error.flatten(),
}); });
} }
return camelcaseKeys(result.data);
} catch (error: unknown) {
if (error instanceof SsoConnectorError) {
throw error;
}
throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, { throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
config: { issuer }, config: { issuer },
message: SsoConnectorConfigErrorCodes.FailToFetchConfig, message: SsoConnectorConfigErrorCodes.FailToFetchConfig,
@ -159,26 +157,31 @@ export const getIdTokenClaims = async (
} }
}; };
export const getRawUserInfoResponse = async (accessToken: string, userinfoEndpoint: string) => {
const httpResponse = await got.get(userinfoEndpoint, {
headers: {
Authorization: `Bearer ${accessToken}`,
},
});
return httpResponse.body;
};
/** /**
* Get the user info from the userinfo endpoint incase id token does not contain sufficient user claims. * Get the user info from the userinfo endpoint incase id token does not contain sufficient user claims.
*/ */
export const getUserInfo = async (accessToken: string, userinfoEndpoint: string) => { export const getUserInfo = async (accessToken: string, userinfoEndpoint: string) => {
try { try {
const httpResponse = await got.get(userinfoEndpoint, { const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
headers: {
Authorization: `Bearer ${accessToken}`,
},
responseType: 'json',
});
const result = idTokenProfileStandardClaimsGuard const result = idTokenProfileStandardClaimsGuard
.catchall(z.unknown()) .catchall(z.unknown())
.safeParse(httpResponse.body); .safeParse(parseJson(body));
if (!result.success) { if (!result.success) {
throw new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, { throw new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
message: 'Invalid user info response', message: 'Invalid user info response',
response: httpResponse.body, response: body,
error: result.error.flatten(), error: result.error.flatten(),
}); });
} }

View file

@ -77,3 +77,5 @@ export const idTokenProfileStandardClaimsGuard = z.object({
profile: z.string().nullish(), profile: z.string().nullish(),
nonce: z.string().nullish(), nonce: z.string().nullish(),
}); });
export type IdTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;

View file

@ -28,6 +28,7 @@ const application = {
can_not_delete_active_secret: 'Can not delete the active secret.', can_not_delete_active_secret: 'Can not delete the active secret.',
no_active_secret: 'No active secret found.', no_active_secret: 'No active secret found.',
entity_id_required: 'Entity ID is required to generate metadata.', entity_id_required: 'Entity ID is required to generate metadata.',
acs_url_required: 'Assertion consumer service URL is required to generate metadata.',
invalid_certificate_pem_format: 'Invalid PEM certificate format', invalid_certificate_pem_format: 'Invalid PEM certificate format',
}, },
}; };

View file

@ -8,6 +8,7 @@ const oidc = {
invalid_grant: 'Grant request is invalid.', invalid_grant: 'Grant request is invalid.',
invalid_redirect_uri: invalid_redirect_uri:
"`redirect_uri` did not match any of the client's registered `redirect_uris`.", "`redirect_uri` did not match any of the client's registered `redirect_uris`.",
redirect_uri_not_set: '`redirect_uri` is not set.',
access_denied: 'Access denied.', access_denied: 'Access denied.',
invalid_target: 'Invalid resource indicator.', invalid_target: 'Invalid resource indicator.',
unsupported_grant_type: 'Unsupported `grant_type` requested.', unsupported_grant_type: 'Unsupported `grant_type` requested.',