Infrastructure/logto
0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-30 20:33:54 -05:00
Code Issues Activity

feat(core): add saml sso connector class

Browse source
This commit is contained in:
Darcy Ye 2023-10-25 19:21:44 +08:00
parent eaac1a5c60
commit 9f3433edc9
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
48 changed files with 947 additions and 149 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
packages/core/package.json
View file

@ -54,6 +54,7 @@
"deepmerge": "^4.2.2",
"dotenv": "^16.0.0",
"etag": "^1.8.1",
"fast-xml-parser": "^4.2.5",
"find-up": "^6.3.0",
"got": "^13.0.0",
"hash-wasm": "^4.9.0",
@ -80,6 +81,7 @@
"redis": "^4.6.5",
"roarr": "^7.11.0",
"semver": "^7.3.8",
"samlify": "2.8.10",
"slonik": "^30.0.0",
"slonik-interceptor-preset": "^1.2.10",
"slonik-sql-tag-raw": "^1.1.4",

25
packages/core/src/__mocks__/sso.ts
View file

@ -1,6 +1,9 @@
import { type SsoConnector } from '@logto/schemas';
import { SsoProviderName } from '#src/sso/types/index.js';
import { type BaseOidcConfig } from '#src/sso/types/oidc.js';
import { MetadataType } from '#src/sso/types/saml.js';
import { type BaseSamlConfig } from '#src/sso/types/saml.js';
export const mockSsoConnector = {
id: 'mock-sso-connector',
@ -31,3 +34,25 @@ export const wellConfiguredSsoConnector = {
ssoOnly: true,
createdAt: Date.now(),
} satisfies SsoConnector;
export const mockBaseSamlConfig = {
metadataType: MetadataType.XML,
metadataXml: 'metadataXml',
attributeMapping: {},
entityId: 'entityId',
nameIdFormat: ['nameIdFormat'],
signInEndpoint: 'signInEndpoint',
signingAlgorithm: 'signingAlgorithm',
x509Certificate: 'x509Certificate',
} satisfies BaseSamlConfig;
export const mockBaseOidcConfig = {
authorizationEndpoint: 'authorizationEndpoint',
tokenEndpoint: 'tokenEndpoint',
userinfoEndpoint: 'userinfoEndpoint',
jwksUri: 'jwksUri',
issuer: 'issuer',
clientId: 'clientId',
clientSecret: 'clientSecret',
scope: 'openid profile',
} satisfies BaseOidcConfig;

58
packages/core/src/routes/authn.ts
View file

@ -6,6 +6,8 @@ import { z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js';
import { verifyBearerTokenFromRequest } from '#src/middleware/koa-auth/index.js';
import koaGuard from '#src/middleware/koa-guard.js';
import { ssoConnectorFactories } from '#src/sso/index.js';
import { SsoProviderName } from '#src/sso/types/index.js';
import assertThat from '#src/utils/assert-that.js';
import {
getConnectorSessionResultFromJti,
@ -19,11 +21,12 @@ import type { AnonymousRouter, RouterInitArgs } from './types.js';
* This router will have a route `/authn` to authenticate tokens with a general manner.
*/
export default function authnRoutes<T extends AnonymousRouter>(
...[router, { envSet, provider, libraries }]: RouterInitArgs<T>
...[router, { id: tenantId, envSet, provider, libraries }]: RouterInitArgs<T>
) {
const {
users: { findUserRoles },
socials: { getConnector },
ssoConnector: { getSsoConnectorById },
} = libraries;
const hasuraResponseGuard = z.object({
@ -144,4 +147,57 @@ export default function authnRoutes<T extends AnonymousRouter>(
return next();
}
);
// TODO: refactor this, this SAML API for SSO is quite similar to the one for normal social sign-in, most of the logics can be reused.
router.post(
'/authn/saml/sso/:ssoConnectorId',
/**
* The API does not care the type of the SAML assertion request body, simply pass this to
* SSO connector's built-in methods.
*/
koaGuard({
body: jsonObjectGuard,
params: z.object({ ssoConnectorId: z.string().min(1) }),
status: 302,
}),
async (ctx, next) => {
const {
params: { ssoConnectorId },
body,
} = ctx.guard;
const ssoConnector = await getSsoConnectorById(ssoConnectorId);
const samlAssertionGuard = z.object({ SAMLResponse: z.string(), RelayState: z.string() });
const samlAssertionParseResult = samlAssertionGuard.safeParse(body);
if (!samlAssertionParseResult.success) {
throw new ConnectorError(
ConnectorErrorCodes.InvalidResponse,
samlAssertionParseResult.error
);
}
/**
* Since `RelayState` will be returned with value unchanged, we use it to pass `jti`
* to find the connector session we used to store essential information.
*/
const { RelayState: jti } = samlAssertionParseResult.data;
const getSession = async () => getConnectorSessionResultFromJti(jti, provider);
const setSession = async (connectorSession: ConnectorSession) =>
assignConnectorSessionResultViaJti(jti, provider, connectorSession);
if (ssoConnector.providerName !== SsoProviderName.SAML) {
throw new RequestError({ code: 'sso_connector.saml_only' });
}
const { constructor } = ssoConnectorFactories[ssoConnector.providerName];
const { validateSamlAssertion } = new constructor(ssoConnector, tenantId);
const redirectTo = await validateSamlAssertion({ body }, getSession, setSession);
ctx.redirect(redirectTo);
return next();
}
);
}

9
packages/core/src/routes/interaction/single-sign-on.ts
View file

@ -22,6 +22,7 @@ export default function singleSignOnRoutes<T extends IRouterParamContext>(
tenant: TenantContext
) {
const {
id: tenantId,
provider,
libraries: { ssoConnector },
} = tenant;
@ -43,7 +44,8 @@ export default function singleSignOnRoutes<T extends IRouterParamContext>(
}),
}),
async (ctx, next) => {
const { interactionDetails, guard, createLog } = ctx;
const { interactionDetails, guard, createLog, req, res } = ctx;
const { jti } = await provider.interactionDetails(req, res);
// Check interaction exists
const { event } = getInteractionStorage(interactionDetails.result);
@ -75,12 +77,13 @@ export default function singleSignOnRoutes<T extends IRouterParamContext>(
try {
// Will throw ConnectorError if the config is invalid
const connectorInstance = new ssoConnectorFactories[connectorData.providerName].constructor(
connectorData
connectorData,
tenantId
);
// Will throw ConnectorError if failed to fetch the provider's config
const redirectTo = await connectorInstance.getAuthorizationUrl(
{ state, redirectUri },
{ state, redirectUri, jti },
async (connectorSession: ConnectorSession) =>
assignConnectorSessionResult(ctx, provider, connectorSession)
);

30
packages/core/src/routes/sso-connector/index.ts
View file

@ -5,19 +5,20 @@ import { z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js';
import koaGuard from '#src/middleware/koa-guard.js';
import { ssoConnectorFactories, standardSsoConnectorProviders } from '#src/sso/index.js';
import { isSupportedSsoProvider, isSupportedSsoConnector } from '#src/sso/utils.js';
import { tableToPathname } from '#src/utils/SchemaRouter.js';
import { type AuthedRouter, type RouterInitArgs } from '../types.js';
import {
connectorFactoriesResponseGuard,
type ConnectorFactoryDetail,
ssoConnectorCreateGuard,
ssoConnectorWithProviderConfigGuard,
ssoConnectorPatchGuard,
} from './type.js';
} from '#src/routes/sso-connector/type.js';
import { ssoConnectorFactories, standardSsoConnectorProviders } from '#src/sso/index.js';
import { isSupportedSsoProvider, isSupportedSsoConnector } from '#src/sso/utils.js';
import { tableToPathname } from '#src/utils/SchemaRouter.js';
import { consoleLog } from '#src/utils/console.js';
import { type AuthedRouter, type RouterInitArgs } from '../types.js';
import {
parseFactoryDetail,
parseConnectorConfig,
@ -28,13 +29,15 @@ export default function singleSignOnRoutes<T extends AuthedRouter>(...args: Rout
const [
router,
{
libraries: { ssoConnector: ssoConnectorLibrary },
id: tenantId,
queries: { ssoConnectors },
libraries: {
ssoConnector: { getSsoConnectorById, getSsoConnectors },
},
},
] = args;
const pathname = `/${tableToPathname(SsoConnectors.table)}`;
const { getSsoConnectorById, getSsoConnectors } = ssoConnectorLibrary;
/*
Get all supported single sign on connector factory details
@ -121,10 +124,11 @@ export default function singleSignOnRoutes<T extends AuthedRouter>(...args: Rout
}),
async (ctx, next) => {
const connectors = await getSsoConnectors();
consoleLog.info('connectors:', connectors);
// Fetch provider details for each connector
const connectorsWithProviderDetails = await Promise.all(
connectors.map(async (connector) => fetchConnectorProviderDetails(connector))
connectors.map(async (connector) => fetchConnectorProviderDetails(connector, tenantId))
);
ctx.body = connectorsWithProviderDetails;
@ -147,7 +151,7 @@ export default function singleSignOnRoutes<T extends AuthedRouter>(...args: Rout
const connector = await getSsoConnectorById(id);
// Fetch provider details for the connector
const connectorWithProviderDetails = await fetchConnectorProviderDetails(connector);
const connectorWithProviderDetails = await fetchConnectorProviderDetails(connector, tenantId);
ctx.body = connectorWithProviderDetails;
@ -208,7 +212,7 @@ export default function singleSignOnRoutes<T extends AuthedRouter>(...args: Rout
new RequestError({ code: 'connector.not_found', status: 404 })
);
const connectorWithProviderDetails = await fetchConnectorProviderDetails(connector);
const connectorWithProviderDetails = await fetchConnectorProviderDetails(connector, tenantId);
ctx.body = connectorWithProviderDetails;
@ -248,7 +252,7 @@ export default function singleSignOnRoutes<T extends AuthedRouter>(...args: Rout
);
// Fetch provider details for the connector
const connectorWithProviderDetails = await fetchConnectorProviderDetails(connector);
const connectorWithProviderDetails = await fetchConnectorProviderDetails(connector, tenantId);
ctx.body = connectorWithProviderDetails;

53
packages/core/src/routes/sso-connector/utils.test.ts
View file

@ -14,6 +14,8 @@ await mockEsmWithActual('#src/sso/OidcConnector/utils.js', () => ({
const { ssoConnectorFactories } = await import('#src/sso/index.js');
const { parseFactoryDetail, fetchConnectorProviderDetails } = await import('./utils.js');
const mockTenantId = 'mock_tenant_id';
describe('parseFactoryDetail', () => {
it.each(Object.values(SsoProviderName))('should return correct detail for %s', (providerName) => {
const { logo, description } = ssoConnectorFactories[providerName];
@ -43,16 +45,15 @@ describe('parseFactoryDetail', () => {
describe('fetchConnectorProviderDetails', () => {
it('providerConfig should be undefined if connector config is invalid', async () => {
const connector = {
...mockSsoConnector,
config: { clientId: 'foo' },
};
const result = await fetchConnectorProviderDetails(connector);
const connector = { ...mockSsoConnector, config: { clientId: 'foo' } };
const result = await fetchConnectorProviderDetails(connector, mockTenantId);
expect(result).toEqual({
...connector,
providerLogo: ssoConnectorFactories[connector.providerName as SsoProviderName].logo,
});
expect(result).toMatchObject(
expect.objectContaining({
...connector,
providerLogo: ssoConnectorFactories[connector.providerName].logo,
})
);
expect(fetchOidcConfig).not.toBeCalled();
});
@ -64,12 +65,14 @@ describe('fetchConnectorProviderDetails', () => {
};
fetchOidcConfig.mockRejectedValueOnce(new Error('mock-error'));
const result = await fetchConnectorProviderDetails(connector);
const result = await fetchConnectorProviderDetails(connector, mockTenantId);
expect(result).toEqual({
...connector,
providerLogo: ssoConnectorFactories[connector.providerName as SsoProviderName].logo,
});
expect(result).toMatchObject(
expect.objectContaining({
...connector,
providerLogo: ssoConnectorFactories[connector.providerName].logo,
})
);
expect(fetchOidcConfig).toBeCalledWith(connector.config.issuer);
});
@ -81,16 +84,18 @@ describe('fetchConnectorProviderDetails', () => {
};
fetchOidcConfig.mockResolvedValueOnce({ tokenEndpoint: 'http://example.com/token' });
const result = await fetchConnectorProviderDetails(connector);
const result = await fetchConnectorProviderDetails(connector, mockTenantId);
expect(result).toEqual({
...connector,
providerLogo: ssoConnectorFactories[connector.providerName as SsoProviderName].logo,
providerConfig: {
...connector.config,
scope: 'openid', // Default scope
tokenEndpoint: 'http://example.com/token',
},
});
expect(result).toMatchObject(
expect.objectContaining({
...connector,
providerLogo: ssoConnectorFactories[connector.providerName].logo,
providerConfig: {
...connector.config,
scope: 'openid', // Default scope
tokenEndpoint: 'http://example.com/token',
},
})
);
});
});

39
packages/core/src/routes/sso-connector/utils.ts
View file

@ -2,15 +2,36 @@ import { type I18nPhrases } from '@logto/connector-kit';
import { type JsonObject } from '@logto/schemas';
import { conditional, trySafe } from '@silverhand/essentials';
import { mockBaseSamlConfig, mockBaseOidcConfig } from '#src/__mocks__/sso.js';
import RequestError from '#src/errors/RequestError/index.js';
import { type SingleSignOnFactory, ssoConnectorFactories } from '#src/sso/index.js';
import { type SsoProviderName, type SupportedSsoConnector } from '#src/sso/types/index.js';
import { type SupportedSsoConnector } from '#src/sso/types/index.js';
import { SsoProviderName } from '#src/sso/types/index.js';
import { basicSamlConnectorConfigPartialGuard } from '#src/sso/types/saml.js';
import { type SsoConnectorWithProviderConfig } from './type.js';
const {
EnvSet: {
values: { isIntegrationTest },
},
} = await import('#src/env-set/index.js');
const isKeyOfI18nPhrases = (key: string, phrases: I18nPhrases): key is keyof I18nPhrases =>
key in phrases;
const getPartialConfigGuard = (providerName: SsoProviderName, allowPartial?: boolean) => {
if (!allowPartial) {
return ssoConnectorFactories[providerName].configGuard;
}
if (providerName === SsoProviderName.SAML) {
return basicSamlConnectorConfigPartialGuard;
}
return ssoConnectorFactories[providerName].configGuard.partial();
};
export const parseFactoryDetail = (
factory: SingleSignOnFactory<SsoProviderName>,
locale: string
@ -35,11 +56,8 @@ export const parseConnectorConfig = (
config: JsonObject,
allowPartial?: boolean
) => {
const factory = ssoConnectorFactories[providerName];
const result = allowPartial
? factory.configGuard.partial().safeParse(config)
: factory.configGuard.safeParse(config);
const configGuard = getPartialConfigGuard(providerName, allowPartial);
const result = configGuard.safeParse(config);
if (!result.success) {
throw new RequestError({
@ -57,14 +75,19 @@ export const parseConnectorConfig = (
Return undefined if failed to fetch or parse the config.
*/
export const fetchConnectorProviderDetails = async (
connector: SupportedSsoConnector
connector: SupportedSsoConnector,
tenantId: string
): Promise<SsoConnectorWithProviderConfig> => {
const { providerName } = connector;
const { logo, constructor } = ssoConnectorFactories[providerName];
const providerConfig = await trySafe(async () => {
const instance = new constructor(connector);
const instance = new constructor(connector, tenantId);
// To avoid `getConfig()` being called in integration tests and throwing time out error.
if (isIntegrationTest) {
return providerName === SsoProviderName.OIDC ? mockBaseOidcConfig : mockBaseSamlConfig;
}
return instance.getConfig();
});

174
packages/core/src/sso/SamlConnector/index.ts Normal file
View file

@ -0,0 +1,174 @@
import {
ConnectorError,
ConnectorErrorCodes,
type GetSession,
type SetSession,
} from '@logto/connector-kit';
import { assert, appendPath } from '@silverhand/essentials';
import * as saml from 'samlify';
import { z } from 'zod';
import { EnvSet, getTenantEndpoint } from '#src/env-set/index.js';
import {
type BaseSamlConfig,
type BaseSamlConnectorConfig,
attributeMappingPostProcessor,
} from '../types/saml.js';
import {
fetchSamlConfig,
getRawSamlConfig,
getUserInfoFromRawUserProfile,
samlAssertionHandler,
} from './utils.js';
class SamlConnector {
private readonly _acsUrl: string;
constructor(
private readonly config: BaseSamlConnectorConfig,
tenantId: string,
ssoConnectorId: string
) {
this._acsUrl = appendPath(
getTenantEndpoint(tenantId, EnvSet.values),
`api/authn/saml/sso/${ssoConnectorId}`
).toString();
}
get acsUrl() {
return this._acsUrl;
}
/* Fetch SAML config from the metadata XML file or metadata URL. Throws error if config is invalid. */
getSamlConfig = async (): Promise<BaseSamlConfig> => {
const samlConfig = await fetchSamlConfig(this.config);
return {
...samlConfig,
...this.config,
};
};
getIdpMetadata = async () => {
return getRawSamlConfig(this.config);
};
getAuthorizationUrl = async (
{
state,
redirectUri,
jti,
}: {
state: string;
redirectUri: string;
jti: string;
},
setSession: SetSession
) => {
const {
entityId: entityID,
x509Certificate,
nameIdFormat,
signingAlgorithm,
} = await this.getSamlConfig();
assert(
setSession,
new ConnectorError(ConnectorErrorCodes.NotImplemented, {
message: 'Function `setSession()` is not implemented.',
})
);
const storage = { state, redirectUri, jti };
await setSession(storage);
try {
const idpMetadataXml = await getRawSamlConfig(this.config);
// eslint-disable-next-line new-cap
const identityProvider = saml.IdentityProvider({
wantAuthnRequestsSigned: true, // Sign auth request by default
metadata: idpMetadataXml,
});
// eslint-disable-next-line new-cap
const serviceProvider = saml.ServiceProvider({
entityID,
relayState: jti,
nameIDFormat: nameIdFormat,
signingCert: x509Certificate,
authnRequestsSigned: true, // Sign auth request by default
requestSignatureAlgorithm: signingAlgorithm,
assertionConsumerService: [
{
Location: this._acsUrl,
Binding: saml.Constants.BindingNamespace.Post,
},
],
});
const loginRequest = serviceProvider.createLoginRequest(identityProvider, 'redirect');
return loginRequest.context;
} catch (error: unknown) {
throw new ConnectorError(ConnectorErrorCodes.General, error);
}
};
getUserInfo = async (_data: unknown, getSession: GetSession) => {
const parsedConfig = await this.getSamlConfig();
const { attributeMapping } = parsedConfig;
const profileMap = attributeMappingPostProcessor(attributeMapping);
assert(
getSession,
new ConnectorError(ConnectorErrorCodes.NotImplemented, {
message: 'Function `getSession()` is not implemented.',
})
);
const { extractedRawProfile } = await getSession();
const extractedRawProfileGuard = z.record(z.string().or(z.array(z.string())));
const rawProfileParseResult = extractedRawProfileGuard.safeParse(extractedRawProfile);
if (!rawProfileParseResult.success) {
throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, rawProfileParseResult.error);
}
const rawUserProfile = rawProfileParseResult.data;
return getUserInfoFromRawUserProfile(rawUserProfile, profileMap);
};
validateSamlAssertion = async (
assertion: Record<string, unknown>,
getSession: GetSession,
setSession: SetSession
): Promise<string> => {
const parsedConfig = await this.getSamlConfig();
const idpMetadataXml = await this.getIdpMetadata();
const connectorSession = await getSession();
const { redirectUri, state } = connectorSession;
await samlAssertionHandler(assertion, { ...parsedConfig, idpMetadataXml }, setSession);
assert(
state,
new ConnectorError(ConnectorErrorCodes.General, {
message: 'Can not find `state` from connector session.',
})
);
assert(
redirectUri,
new ConnectorError(ConnectorErrorCodes.General, {
message: 'Can not find `redirectUri` from connector session.',
})
);
const queryParameters = new URLSearchParams({ state });
return `${redirectUri}?${queryParameters.toString()}`;
};
}
export default SamlConnector;

168
packages/core/src/sso/SamlConnector/utils.ts Normal file
View file

@ -0,0 +1,168 @@
import {
ConnectorError,
ConnectorErrorCodes,
socialUserInfoGuard,
type SetSession,
} from '@logto/connector-kit';
import { XMLValidator } from 'fast-xml-parser';
import { got } from 'got';
import * as saml from 'samlify';
import { z } from 'zod';
import {
samlMetadataGuard,
type SamlMetadata,
type BaseSamlConnectorConfig,
type ProfileMap,
MetadataType,
type BaseSamlConfig,
} from '../types/saml.js';
type ESamlHttpRequest = Parameters<saml.ServiceProviderInstance['parseLoginResponse']>[2];
const xmlValidator = (xml: string) => {
try {
XMLValidator.validate(xml, {
allowBooleanAttributes: true,
});
} catch (error: unknown) {
throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, error);
}
};
const parseXmlMetadata = (xml: string): SamlMetadata => {
xmlValidator(xml);
// eslint-disable-next-line new-cap
const idP = saml.IdentityProvider({ metadata: xml });
const rawSingleSignOnService = idP.entityMeta.getSingleSignOnService(
saml.Constants.namespace.binding.redirect
);
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
const singleSignOnService =
typeof rawSingleSignOnService === 'string'
? rawSingleSignOnService
: Object.entries(rawSingleSignOnService).find(
([key, value]) => key === saml.Constants.namespace.binding.redirect
)?.[1];
const rawSamlMetadata = {
entityId: idP.entityMeta.getEntityID(),
/**
* See implementation in `samlify` {@link https://github.com/tngan/samlify/blob/55f845da60b18d40668885c7f7e71ed0967ef67f/src/entity.ts#L88}.
*/
nameIdFormat: idP.entitySetting.nameIDFormat,
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
signInEndpoint: singleSignOnService,
signingAlgorithm: idP.entitySetting.requestSignatureAlgorithm,
// The type inference of the return type of `getX509Certificate` is any, will be guarded by later zod parser if it is not string-typed.
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
x509Certificate: idP.entityMeta.getX509Certificate(saml.Constants.wording.certUse.signing),
};
// The return type of `samlify`
const result = samlMetadataGuard.safeParse(rawSamlMetadata);
if (!result.success) {
throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, result.error);
}
return result.data;
};
export const getRawSamlConfig = async (config: BaseSamlConnectorConfig): Promise<string> => {
if (config.metadataType === MetadataType.URL) {
const { body } = await got.get(config.metadataUrl);
const result = z.string().safeParse(body);
if (!result.success) {
throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, result.error);
}
return result.data;
}
return config.metadataXml;
};
export const fetchSamlConfig = async (config: BaseSamlConnectorConfig) => {
const rawMetadata = await getRawSamlConfig(config);
return parseXmlMetadata(rawMetadata);
};
export const getUserInfoFromRawUserProfile = (
rawUserProfile: Record<string, unknown>,
keyMapping: ProfileMap
) => {
const keyMap = new Map(
Object.entries(keyMapping).map(([destination, source]) => [source, destination])
);
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
const mappedUserProfile = Object.fromEntries(
Object.entries(rawUserProfile)
.filter(([key, value]) => keyMap.get(key) && value)
.map(([key, value]) => [keyMap.get(key), value])
);
const result = socialUserInfoGuard.safeParse(mappedUserProfile);
if (!result.success) {
throw new ConnectorError(ConnectorErrorCodes.InvalidResponse, result.error);
}
return result.data;
};
export const samlAssertionHandler = async (
request: ESamlHttpRequest,
options: BaseSamlConfig & { idpMetadataXml: string },
setSession: SetSession
): Promise<void | Record<string, unknown>> => {
const { entityId: entityID, x509Certificate, idpMetadataXml } = options;
// eslint-disable-next-line new-cap
const identityProvider = saml.IdentityProvider({
metadata: idpMetadataXml,
});
// eslint-disable-next-line new-cap
const serviceProvider = saml.ServiceProvider({
entityID,
signingCert: x509Certificate,
});
// Used to check whether xml content is valid in format.
saml.setSchemaValidator({
validate: async (xmlContent: string) => {
try {
XMLValidator.validate(xmlContent, {
allowBooleanAttributes: true,
});
return true;
} catch {
return false;
}
},
});
try {
const assertionResult = await serviceProvider.parseLoginResponse(
identityProvider,
'post',
request
);
await setSession({
extractedRawProfile: {
...(Boolean(assertionResult.extract.nameID) && {
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
id: assertionResult.extract.nameID,
}),
...assertionResult.extract.attributes,
},
});
} catch (error: unknown) {
throw new ConnectorError(ConnectorErrorCodes.General, String(error));
}
};

32
packages/core/src/sso/SamlSsoConnector/index.test.ts Normal file
View file

@ -0,0 +1,32 @@
import { ConnectorError, ConnectorErrorCodes } from '@logto/connector-kit';
import { mockSsoConnector as _mockSsoConnector } from '#src/__mocks__/sso.js';
import { SsoProviderName } from '../types/index.js';
import { samlSsoConnectorFactory } from './index.js';
const mockSsoConnector = { ..._mockSsoConnector, providerName: SsoProviderName.SAML };
describe('SamlSsoConnector', () => {
it('SamlSsoConnector should contains static properties', () => {
expect(samlSsoConnectorFactory.providerName).toEqual(SsoProviderName.SAML);
expect(samlSsoConnectorFactory.configGuard).toBeDefined();
});
it('constructor should throw error if config is invalid', () => {
const result = samlSsoConnectorFactory.configGuard.safeParse(mockSsoConnector.config);
if (result.success) {
throw new Error('Invalid config');
}
const createSamlSsoConnector = () => {
return new samlSsoConnectorFactory.constructor(mockSsoConnector, 'http://localhost:3001/api');
};
expect(createSamlSsoConnector).toThrow(
new ConnectorError(ConnectorErrorCodes.InvalidConfig, result.error)
);
});
});

38
packages/core/src/sso/SamlSsoConnector/index.ts Normal file
View file

@ -0,0 +1,38 @@
import { ConnectorError, ConnectorErrorCodes } from '@logto/connector-kit';
import { type SsoConnector } from '@logto/schemas';
import SamlConnector from '../SamlConnector/index.js';
import { type SingleSignOnFactory } from '../index.js';
import { type SingleSignOn, SsoProviderName } from '../types/index.js';
import { baseSamlConnectorConfigGuard } from '../types/saml.js';
export class SamlSsoConnector extends SamlConnector implements SingleSignOn {
constructor(
private readonly _data: SsoConnector,
tenantId: string
) {
const parseConfigResult = baseSamlConnectorConfigGuard.safeParse(_data.config);
if (!parseConfigResult.success) {
throw new ConnectorError(ConnectorErrorCodes.InvalidConfig, parseConfigResult.error);
}
super(parseConfigResult.data, tenantId, _data.id);
}
get data() {
return this._data;
}
getConfig = async () => this.getSamlConfig();
}
export const samlSsoConnectorFactory: SingleSignOnFactory<SsoProviderName.SAML> = {
providerName: SsoProviderName.SAML,
logo: 'saml.svg',
description: {
en: ' This connector is used to connect to SAML single sign-on identity provider.',
},
configGuard: baseSamlConnectorConfigGuard,
constructor: SamlSsoConnector,
};

12
packages/core/src/sso/index.ts
View file

@ -1,15 +1,21 @@
import { type I18nPhrases } from '@logto/connector-kit';
import { oidcSsoConnectorFactory, type OidcSsoConnector } from './OidcSsoConnector/index.js';
import { type SamlSsoConnector, samlSsoConnectorFactory } from './SamlSsoConnector/index.js';
import { SsoProviderName } from './types/index.js';
import { type basicOidcConnectorConfigGuard } from './types/oidc.js';
import { type baseSamlConnectorConfigGuard } from './types/saml.js';
type SingleSignOnConstructor<T extends SsoProviderName> = T extends SsoProviderName.OIDC
? typeof OidcSsoConnector
: T extends SsoProviderName.SAML
? typeof SamlSsoConnector
: never;
type SingleSignOnConnectorConfig<T extends SsoProviderName> = T extends SsoProviderName.OIDC
? typeof basicOidcConnectorConfigGuard
: T extends SsoProviderName.SAML
? typeof baseSamlConnectorConfigGuard
: never;
export type SingleSignOnFactory<T extends SsoProviderName> = {
@ -24,6 +30,10 @@ export const ssoConnectorFactories: {
[key in SsoProviderName]: SingleSignOnFactory<key>;
} = {
[SsoProviderName.OIDC]: oidcSsoConnectorFactory,
[SsoProviderName.SAML]: samlSsoConnectorFactory,
};
export const standardSsoConnectorProviders = Object.freeze([SsoProviderName.OIDC]);
export const standardSsoConnectorProviders = Object.freeze([
SsoProviderName.OIDC,
SsoProviderName.SAML,
]);

1
packages/core/src/sso/types/index.ts
View file

@ -14,6 +14,7 @@ export abstract class SingleSignOn {
export enum SsoProviderName {
OIDC = 'OIDC',
SAML = 'SAML',
}
export type SupportedSsoConnector = Omit<SsoConnector, 'providerName'> & {

24
packages/core/src/sso/types/saml.test.ts Normal file
View file

@ -0,0 +1,24 @@
import { attributeMappingPostProcessor } from './saml.js';
const expectedDefaultAttributeMapping = {
id: 'id',
email: 'email',
phone: 'phone',
name: 'name',
avatar: 'avatar',
};
describe('attributeMappingPostProcessor', () => {
it('should fallback to `expectedDefaultAttributeMapping` if no other attribute mapping is specified', () => {
expect(attributeMappingPostProcessor()).toEqual(expectedDefaultAttributeMapping);
expect(attributeMappingPostProcessor({})).toEqual(expectedDefaultAttributeMapping);
});
it('should overwrite specified attributes of `expectedDefaultAttributeMapping`', () => {
expect(attributeMappingPostProcessor({ id: 'sub', avatar: 'picture' })).toEqual({
...expectedDefaultAttributeMapping,
id: 'sub',
avatar: 'picture',
});
});
});

83
packages/core/src/sso/types/saml.ts Normal file
View file

@ -0,0 +1,83 @@
import { socialUserInfoGuard, socialUserInfoKeys } from '@logto/connector-kit';
import { conditional } from '@silverhand/essentials';
import cleanDeep from 'clean-deep';
import { z } from 'zod';
export enum MetadataType {
XML = 'XML',
URL = 'URL',
}
export type ProfileMap = Required<z.infer<typeof socialUserInfoGuard>>;
const attributeMapGuard = socialUserInfoGuard.partial();
type AttributeMap = z.infer<typeof attributeMapGuard>;
/**
* Get the full attribute mapping using specified attribute mappings with default fallback values.
*
* @param attributeMapping Specified attribute mapping stored in database
* @returns Full attribute mapping with default fallback values
*/
export const attributeMappingPostProcessor = (attributeMapping?: AttributeMap): ProfileMap => {
return {
// eslint-disable-next-line no-restricted-syntax
...(Object.fromEntries(socialUserInfoKeys.map((key) => [key, key])) as ProfileMap),
...conditional(attributeMapping && cleanDeep(attributeMapping)),
};
};
const basicSamlCommonFields = {
attributeMapping: attributeMapGuard.optional(),
signInEndpoint: z.string().optional(),
entityId: z.string().optional(),
x509Certificate: z.string().optional(),
};
export const baseSamlConnectorConfigGuard = z.discriminatedUnion('metadataType', [
z.object({
metadataType: z.literal(MetadataType.URL),
metadataUrl: z.string().url(),
...basicSamlCommonFields,
}),
z.object({
metadataType: z.literal(MetadataType.XML),
metadataXml: z.string(),
...basicSamlCommonFields,
}),
]);
export type BaseSamlConnectorConfig = z.infer<typeof baseSamlConnectorConfigGuard>;
/**
* Zod discriminate union does not support its partial util method, we need to manually implement this.
* This is for guarding the config on creating.
*/
export const basicSamlConnectorConfigPartialGuard = z.discriminatedUnion('metadataType', [
z
.object({
metadataUrl: z.string().url(),
...basicSamlCommonFields,
})
.partial()
.merge(z.object({ metadataType: z.literal(MetadataType.URL) })),
z
.object({
metadataXml: z.string(),
...basicSamlCommonFields,
})
.partial()
.merge(z.object({ metadataType: z.literal(MetadataType.XML) })),
]);
export const samlMetadataGuard = z.object({
entityId: z.string(),
nameIdFormat: z.string().array().optional(),
signInEndpoint: z.string(),
signingAlgorithm: z.string(),
x509Certificate: z.string(),
});
export type SamlMetadata = z.infer<typeof samlMetadataGuard>;
export type BaseSamlConfig = BaseSamlConnectorConfig & SamlMetadata;

215
packages/integration-tests/src/tests/api/sso-connectors.test.ts
View file

@ -1,3 +1,4 @@
import { type JsonObject } from '@logto/schemas';
import { HTTPError } from 'got';
import {
@ -9,9 +10,31 @@ import {
patchSsoConnectorById,
patchSsoConnectorConfigById,
} from '#src/api/sso-connector.js';
import { logtoUrl } from '#src/constants.js';
const logtoIssuer = `${logtoUrl}/oidc`;
const providerNames = ['OIDC', 'SAML'];
const partialConfigAndProviderNames: Array<{
providerName: string;
config: JsonObject;
}> = [
{
providerName: 'OIDC',
config: {
clientId: 'foo',
clientSecret: 'foo',
issuer: 'https://test.com',
scope: 'openid',
},
},
{
providerName: 'SAML',
config: {
metadataType: 'URL',
metadataUrl: 'http://test.com',
attributeMapping: {},
entityId: 'foo',
},
},
];
describe('sso-connector library', () => {
it('should return sso-connector-factories', async () => {
@ -20,7 +43,13 @@ describe('sso-connector library', () => {
expect(response).toHaveProperty('standardConnectors');
expect(response).toHaveProperty('providerConnectors');
expect(response.standardConnectors.length).toBeGreaterThan(0);
expect(response.standardConnectors.length).toBe(2);
expect(
response.standardConnectors.find(({ providerName }) => providerName === 'OIDC')
).toBeDefined();
expect(
response.standardConnectors.find(({ providerName }) => providerName === 'SAML')
).toBeDefined();
});
});
@ -50,14 +79,14 @@ describe('post sso-connectors', () => {
).rejects.toThrow(HTTPError);
});
it('should create a new sso connector', async () => {
it.each(providerNames)('should create a new sso connector', async (providerName) => {
const response = await createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'test',
});
expect(response).toHaveProperty('id');
expect(response).toHaveProperty('providerName', 'OIDC');
expect(response).toHaveProperty('providerName', providerName);
expect(response).toHaveProperty('connectorName', 'test');
expect(response).toHaveProperty('config', {});
expect(response).toHaveProperty('domains', []);
@ -67,48 +96,49 @@ describe('post sso-connectors', () => {
await deleteSsoConnectorById(response.id);
});
it('should throw if invalid config is provided', async () => {
it.each(providerNames)('should throw if invalid config is provided', async (providerName) => {
await expect(
createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'test',
config: {
issuer: 23,
entityId: 123,
},
})
).rejects.toThrow(HTTPError);
});
it('should create a new sso connector with partial configs', async () => {
const data = {
providerName: 'OIDC',
connectorName: 'test',
config: {
clientId: 'foo',
issuer: 'https://test.com',
},
domains: ['test.com'],
ssoOnly: true,
};
it.each(partialConfigAndProviderNames)(
'should create a new sso connector with partial configs',
async ({ providerName, config }) => {
const data = {
providerName,
connectorName: 'test',
config,
domains: ['test.com'],
ssoOnly: true,
};
const response = await createSsoConnector(data);
const response = await createSsoConnector(data);
expect(response).toHaveProperty('id');
expect(response).toHaveProperty('providerName', 'OIDC');
expect(response).toHaveProperty('connectorName', 'test');
expect(response).toHaveProperty('config', data.config);
expect(response).toHaveProperty('domains', data.domains);
expect(response).toHaveProperty('ssoOnly', data.ssoOnly);
expect(response).toHaveProperty('syncProfile', false);
expect(response).toHaveProperty('id');
expect(response).toHaveProperty('providerName', providerName);
expect(response).toHaveProperty('connectorName', 'test');
expect(response).toHaveProperty('config', data.config);
expect(response).toHaveProperty('domains', data.domains);
expect(response).toHaveProperty('ssoOnly', data.ssoOnly);
expect(response).toHaveProperty('syncProfile', false);
await deleteSsoConnectorById(response.id);
});
await deleteSsoConnectorById(response.id);
}
);
});
describe('get sso-connectors', () => {
it('should return sso connectors', async () => {
it.each(providerNames)('should return sso connectors', async (providerName) => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'test',
});
@ -132,16 +162,16 @@ describe('get sso-connector by id', () => {
await expect(getSsoConnectorById('invalid-id')).rejects.toThrow(HTTPError);
});
it('should return sso connector', async () => {
it.each(providerNames)('should return sso connector', async (providerName) => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'integration_test connector',
});
const connector = await getSsoConnectorById(id);
expect(connector).toHaveProperty('id', id);
expect(connector).toHaveProperty('providerName', 'OIDC');
expect(connector).toHaveProperty('providerName', providerName);
expect(connector).toHaveProperty('connectorName', 'integration_test connector');
expect(connector).toHaveProperty('config', {});
expect(connector).toHaveProperty('domains', []);
@ -157,9 +187,9 @@ describe('delete sso-connector by id', () => {
await expect(getSsoConnectorById('invalid-id')).rejects.toThrow(HTTPError);
});
it('should delete sso connector', async () => {
it.each(providerNames)('should delete sso connector', async (providerName) => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'integration_test connector',
});
@ -178,9 +208,9 @@ describe('patch sso-connector by id', () => {
);
});
it('should patch sso connector without config', async () => {
it.each(providerNames)('should patch sso connector without config', async (providerName) => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'integration_test connector',
});
@ -191,7 +221,7 @@ describe('patch sso-connector by id', () => {
});
expect(connector).toHaveProperty('id', id);
expect(connector).toHaveProperty('providerName', 'OIDC');
expect(connector).toHaveProperty('providerName', providerName);
expect(connector).toHaveProperty('connectorName', 'integration_test connector updated');
expect(connector).toHaveProperty('config', {});
expect(connector).toHaveProperty('domains', ['test.com']);
@ -201,9 +231,9 @@ describe('patch sso-connector by id', () => {
await deleteSsoConnectorById(id);
});
it('should directly return if no changes are made', async () => {
it.each(providerNames)('should directly return if no changes are made', async (providerName) => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'integration_test connector',
});
@ -212,7 +242,7 @@ describe('patch sso-connector by id', () => {
});
expect(connector).toHaveProperty('id', id);
expect(connector).toHaveProperty('providerName', 'OIDC');
expect(connector).toHaveProperty('providerName', providerName);
expect(connector).toHaveProperty('connectorName', 'integration_test connector');
expect(connector).toHaveProperty('config', {});
expect(connector).toHaveProperty('domains', []);
@ -222,17 +252,17 @@ describe('patch sso-connector by id', () => {
await deleteSsoConnectorById(id);
});
it('should throw if invalid config is provided', async () => {
it.each(providerNames)('should throw if invalid config is provided', async (providerName) => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'integration_test connector',
});
await expect(
patchSsoConnectorById(id, {
config: {
clientId: 'foo',
issuer: logtoIssuer,
issuer: 23,
entityId: 123,
},
})
).rejects.toThrow(HTTPError);
@ -240,36 +270,29 @@ describe('patch sso-connector by id', () => {
await deleteSsoConnectorById(id);
});
it('should patch sso connector with config', async () => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
connectorName: 'integration_test connector',
});
it.each(partialConfigAndProviderNames)(
'should patch sso connector with config',
async ({ providerName, config }) => {
const { id } = await createSsoConnector({
providerName,
connectorName: 'integration_test connector',
});
const connector = await patchSsoConnectorById(id, {
connectorName: 'integration_test connector updated',
config: {
clientId: 'foo',
clientSecret: 'bar',
issuer: logtoIssuer,
scope: 'profile email',
},
syncProfile: true,
});
const connector = await patchSsoConnectorById(id, {
connectorName: 'integration_test connector updated',
config,
syncProfile: true,
});
expect(connector).toHaveProperty('id', id);
expect(connector).toHaveProperty('providerName', 'OIDC');
expect(connector).toHaveProperty('connectorName', 'integration_test connector updated');
expect(connector).toHaveProperty('config', {
clientId: 'foo',
clientSecret: 'bar',
issuer: logtoIssuer,
scope: 'profile email openid', // Should merged with default scope openid
});
expect(connector).toHaveProperty('syncProfile', true);
expect(connector).toHaveProperty('id', id);
expect(connector).toHaveProperty('providerName', providerName);
expect(connector).toHaveProperty('connectorName', 'integration_test connector updated');
expect(connector).toHaveProperty('config', config);
expect(connector).toHaveProperty('syncProfile', true);
await deleteSsoConnectorById(id);
});
await deleteSsoConnectorById(id);
}
);
});
describe('patch sso-connector config by id', () => {
@ -277,48 +300,42 @@ describe('patch sso-connector config by id', () => {
await expect(patchSsoConnectorConfigById('invalid-id', {})).rejects.toThrow(HTTPError);
});
it('should throw if invalid config is provided', async () => {
it.each(providerNames)('should throw if invalid config is provided', async (providerName) => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
providerName,
connectorName: 'integration_test connector',
config: {
clientSecret: 'bar',
metadataType: 'URL',
},
});
await expect(
patchSsoConnectorConfigById(id, {
clientId: 'foo',
issuer: 23,
entityId: 123,
})
).rejects.toThrow(HTTPError);
await deleteSsoConnectorById(id);
});
it('should patch sso connector config', async () => {
const { id } = await createSsoConnector({
providerName: 'OIDC',
connectorName: 'integration_test connector',
config: {
clientId: 'foo',
},
});
it.each(partialConfigAndProviderNames)(
'should patch sso connector config',
async ({ providerName, config }) => {
const { id } = await createSsoConnector({
providerName,
connectorName: 'integration_test connector',
});
const connector = await patchSsoConnectorConfigById(id, {
clientSecret: 'bar',
issuer: logtoIssuer,
});
const connector = await patchSsoConnectorConfigById(id, config);
expect(connector).toHaveProperty('id', id);
expect(connector).toHaveProperty('providerName', 'OIDC');
expect(connector).toHaveProperty('connectorName', 'integration_test connector');
expect(connector).toHaveProperty('config', {
clientId: 'foo',
clientSecret: 'bar',
issuer: logtoIssuer,
scope: 'openid',
});
expect(connector).toHaveProperty('id', id);
expect(connector).toHaveProperty('providerName', providerName);
expect(connector).toHaveProperty('connectorName', 'integration_test connector');
expect(connector).toHaveProperty('config', config);
await deleteSsoConnectorById(id);
});
await deleteSsoConnectorById(id);
}
);
});

2
packages/phrases/src/locales/de/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/de/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/en/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

5
packages/phrases/src/locales/en/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,5 @@
const sso_connector = {
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/es/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/es/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/fr/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/fr/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/it/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/it/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/ja/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/ja/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/ko/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/ko/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/pl-pl/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/pl-pl/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/pt-br/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/pt-br/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/pt-pt/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/pt-pt/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/ru/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/ru/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/tr-tr/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/tr-tr/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/zh-cn/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/zh-cn/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/zh-hk/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/zh-hk/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

2
packages/phrases/src/locales/zh-tw/errors/index.ts
View file

@ -16,6 +16,7 @@ import role from './role.js';
import scope from './scope.js';
import session from './session.js';
import sign_in_experiences from './sign-in-experiences.js';
import sso_connector from './sso-connector.js';
import storage from './storage.js';
import subscription from './subscription.js';
import swagger from './swagger.js';
@ -46,6 +47,7 @@ const errors = {
subscription,
application,
organization,
sso_connector,
};
export default Object.freeze(errors);

6
packages/phrases/src/locales/zh-tw/errors/sso-connector.ts Normal file
View file

@ -0,0 +1,6 @@
const sso_connector = {
/** UNTRANSLATED */
saml_only: 'The endpoint only applies to SAML SSO connectors.',
};
export default Object.freeze(sso_connector);

8
packages/toolkit/connector-kit/src/types/social.ts
View file

@ -32,6 +32,14 @@ export const socialUserInfoGuard = z.object({
export type SocialUserInfo = z.infer<typeof socialUserInfoGuard>;
export const socialUserInfoKeys = Object.freeze([
'id',
'email',
'phone',
'name',
'avatar',
] satisfies Array<keyof SocialUserInfo>);
export type GetUserInfo = (
data: unknown,
getSession: GetSession

6
pnpm-lock.yaml
View file

@ -3208,6 +3208,9 @@ importers:
etag:
specifier: ^1.8.1
version: 1.8.1
fast-xml-parser:
specifier: ^4.2.5
version: 4.2.5
find-up:
specifier: ^6.3.0
version: 6.3.0
@ -3283,6 +3286,9 @@ importers:
roarr:
specifier: ^7.11.0
version: 7.11.0
samlify:
specifier: 2.8.10
version: 2.8.10
semver:
specifier: ^7.3.8
version: 7.3.8