
feat(core): add idp-initiated sso client sign-in redirect (#6681)

* feat(core): consume IdP initiated session on SSO verification flow

Auto consume the IdP initiated SAML SSO session on the SSO sign-in verification flow

* test(core): add unit test cases

add unit test cases

* feat(core): consume IdP initiated session on SSO verification flow

Auto consume the IdP initiated SAML SSO session on the SSO sign-in verification flow

* test(core): add unit test cases

add unit test cases

* feat(core): add idp-initiated sso client sign-in redirect

add idp-initiated sso client sign-in redirect
simeng-li 2024-10-16 17:38:49 +08:00 committed by GitHub
parent 85fb4ce4dc
commit cfc1b5eb0f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 30 additions and 3 deletions


@ -1,6 +1,6 @@
import type { ConnectorSession } from '@logto/connector-kit';
import { ConnectorError, ConnectorErrorCodes, ConnectorType } from '@logto/connector-kit';
import { jsonObjectGuard } from '@logto/schemas';
import { jsonObjectGuard, SsoAuthenticationQueryKey } from '@logto/schemas';
import { z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js';
@ -211,7 +211,7 @@ export default function authnRoutes<T extends AnonymousRouter>(
const idpInitiatedAuthConfig =
await queries.ssoConnectors.getIdpInitiatedAuthConfigByConnectorId(connectorId);
// No IdP initiated auth config found
// IdP initiated SSO flow is not enabled for the current connector.
assertThat(
idpInitiatedAuthConfig,
new RequestError({
@ -235,7 +235,28 @@ export default function authnRoutes<T extends AnonymousRouter>(
overwrite: true,
});
// TODO: redirect to SSO direct sign-in flow
const { autoSendAuthorizationRequest, clientIdpInitiatedAuthCallbackUri } =
idpInitiatedAuthConfig;
// Redirect to the client side callback URI if the autoSendAuthorizationRequest is disabled.
// Client side will generate and verify the state to prevent CSRF attack.
if (!autoSendAuthorizationRequest) {
assertThat(
clientIdpInitiatedAuthCallbackUri,
new RequestError(
'single_sign_on.idp_initiated_authentication_client_callback_uri_not_found'
)
);
const url = new URL(clientIdpInitiatedAuthCallbackUri);
url.searchParams.append(SsoAuthenticationQueryKey.SsoConnectorId, connectorId);
ctx.redirect(url.toString());
return;
}
// Generate the OIDC authorization request URL for the IdP initiated SSO flow.
const signInUrl = await ssoConnectorsLibrary.getIdpInitiatedSamlSsoSignInUrl(
envSet.oidc.issuer,
idpInitiatedAuthConfig
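Review bot: `const url = new URL(clientIdpInitiatedAuthCallbackUri);` in the third hunk throws a plain TypeError when the stored callback URI is not a valid absolute URL, so a misconfigured connector escapes as an unhandled error instead of the RequestError that the assertThat just above it produces for the missing-URI case. The URI comes from the connector's IdP-initiated auth config rather than from the request, so this is a configuration failure rather than an open redirect, but it should still be reported through RequestError; a dedicated error code would read better than reusing the "not found" one, and would need a matching phrase entry. The enclosing authnRoutes function starts and ends outside the hunk, and the hunk itself appears cut after `idpInitiatedAuthConfig` (the end of the getIdpInitiatedSamlSsoSignInUrl call is not shown), so the exact line counts cannot be confirmed from this page.
```typescript
    // … unchanged: clientIdpInitiatedAuthCallbackUri assertion …
    // Parse under a guard: a malformed stored URI would otherwise surface as a raw TypeError.
    let url: URL;
    try {
      url = new URL(clientIdpInitiatedAuthCallbackUri);
    } catch {
      // TODO: use a dedicated error code (<placeholder: malformed callback URI code>) once a phrase exists for it.
      throw new RequestError(
        'single_sign_on.idp_initiated_authentication_client_callback_uri_not_found'
      );
    }
    url.searchParams.append(SsoAuthenticationQueryKey.SsoConnectorId, connectorId);
    // … unchanged: redirect and return …
```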


@ -9,6 +9,8 @@ const single_sign_on = {
'Invalid application type. Only {{type}} applications are allowed.',
idp_initiated_authentication_redirect_uri_not_registered:
'The redirect_uri is not registered. Please check the application settings.',
idp_initiated_authentication_client_callback_uri_not_found:
'The client IdP-initiated authentication callback URI is not found. Please check the connector settings.',
};
export default Object.freeze(single_sign_on);


@ -88,3 +88,7 @@ export const ssoConnectorWithProviderConfigGuard = SsoConnectors.guard
);
export type SsoConnectorWithProviderConfig = z.infer<typeof ssoConnectorWithProviderConfigGuard>;
export enum SsoAuthenticationQueryKey {
SsoConnectorId = 'ssoConnectorId',
}
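Review bot: The new exported enum `SsoAuthenticationQueryKey` has no doc comment, and a reader of the schemas package cannot tell from this file where its value is consumed. Since the other hunk in this commit appends it as a query parameter on the client IdP-initiated auth callback URI, a short JSDoc above `export enum SsoAuthenticationQueryKey {` would be enough: `/** Query parameter keys appended to the client IdP-initiated authentication callback URI. */`. The enum member itself could carry `/** Identifies the SSO connector that started the IdP-initiated flow. */`.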