diff --git a/packages/core/src/saml-applications/routes/anonymous.ts b/packages/core/src/saml-applications/routes/anonymous.ts index 131af9dfc..b3b7ab646 100644 --- a/packages/core/src/saml-applications/routes/anonymous.ts +++ b/packages/core/src/saml-applications/routes/anonymous.ts @@ -1,5 +1,5 @@ import { parseJson } from '@logto/connector-kit'; -import { BindingType } from '@logto/schemas'; +import { tryThat } from '@silverhand/essentials'; import camelcaseKeys from 'camelcase-keys'; import { got } from 'got'; import saml from 'samlify'; @@ -9,16 +9,15 @@ import RequestError from '#src/errors/RequestError/index.js'; import koaGuard from '#src/middleware/koa-guard.js'; import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js'; import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js'; +import { SsoConnectorError } from '#src/sso/types/error.js'; import { oidcTokenResponseGuard } from '#src/sso/types/oidc.js'; - -import assertThat from '../../utils/assert-that.js'; +import assertThat from '#src/utils/assert-that.js'; import { createSamlTemplateCallback, samlLogInResponseTemplate } from './utils.js'; const samlApplicationSignInCallbackQueryParametersGuard = z.union([ z.object({ code: z.string(), - iss: z.string(), }), z.object({ error: z.string(), @@ -27,7 +26,7 @@ const samlApplicationSignInCallbackQueryParametersGuard = z.union([ ]); export default function samlApplicationAnonymousRoutes( - ...[router, { libraries, queries }]: RouterInitArgs + ...[router, { libraries, queries, envSet }]: RouterInitArgs ) { const { samlApplications: { getSamlIdPMetadataByApplicationId }, @@ -57,11 +56,14 @@ export default function samlApplicationAnonymousRoutes { - const { id } = ctx.guard.params; - const queryParameters = ctx.request.query; + const { + params: { id }, + query, + } = ctx.guard; // Find the SAML application secret by application ID const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries; @@ -70,27 +72,33 @@ export default function samlApplicationAnonymousRoutes fetchOidcConfig(envSet.oidc.issuer), + (error) => { + if (error instanceof SsoConnectorError) { + throw new RequestError({ + code: 'oidc.invalid_request', + message: error.message, + }); + } + + // Should rarely happen, fetch OIDC configuration should only throw SSO connector error . + throw error; + } + ); const headers = { + // Not sure whether we should use internal secret here instead of getting non-expired secret from table `application_secrets`, but it should be fine since this is an internal use case. Authorization: `Basic ${Buffer.from(`${id}:${secret}`, 'utf8').toString('base64')}`, 'Content-Type': 'application/x-www-form-urlencoded', }; @@ -99,7 +107,7 @@ export default function samlApplicationAnonymousRoutes `; - return next(); } ); diff --git a/packages/phrases/src/locales/en/errors/application.ts b/packages/phrases/src/locales/en/errors/application.ts index 21a1e7a2b..9fa9e4d49 100644 --- a/packages/phrases/src/locales/en/errors/application.ts +++ b/packages/phrases/src/locales/en/errors/application.ts @@ -28,6 +28,7 @@ const application = { can_not_delete_active_secret: 'Can not delete the active secret.', no_active_secret: 'No active secret found.', entity_id_required: 'Entity ID is required to generate metadata.', + acs_url_required: 'Assertion consumer service URL is required to generate metadata.', invalid_certificate_pem_format: 'Invalid PEM certificate format', }, };