mirror of
https://github.com/logto-io/logto.git
synced 2025-01-06 20:40:08 -05:00
feat(core): add idp-initiated sso client sign-in redirect (#6681)
* feat(core): consume IdP initiated session on SSO verification flow Auto consume the IdP initiated SAML SSO session on the SSO sign-in verification flow * test(core): add unit test cases add unit test cases * feat(core): consume IdP initiated session on SSO verification flow Auto consume the IdP initiated SAML SSO session on the SSO sign-in verification flow * test(core): add unit test cases add unit test cases * feat(core): add idp-initiated sso client sign-in redirect add idp-initiated sso client sign-in redirect
This commit is contained in:
parent
85fb4ce4dc
commit
cfc1b5eb0f
3 changed files with 30 additions and 3 deletions
|
@ -1,6 +1,6 @@
|
|||
import type { ConnectorSession } from '@logto/connector-kit';
|
||||
import { ConnectorError, ConnectorErrorCodes, ConnectorType } from '@logto/connector-kit';
|
||||
import { jsonObjectGuard } from '@logto/schemas';
|
||||
import { jsonObjectGuard, SsoAuthenticationQueryKey } from '@logto/schemas';
|
||||
import { z } from 'zod';
|
||||
|
||||
import RequestError from '#src/errors/RequestError/index.js';
|
||||
|
@ -211,7 +211,7 @@ export default function authnRoutes<T extends AnonymousRouter>(
|
|||
const idpInitiatedAuthConfig =
|
||||
await queries.ssoConnectors.getIdpInitiatedAuthConfigByConnectorId(connectorId);
|
||||
|
||||
// No IdP initiated auth config found
|
||||
// IdP initiated SSO flow is not enabled for the current connector.
|
||||
assertThat(
|
||||
idpInitiatedAuthConfig,
|
||||
new RequestError({
|
||||
|
@ -235,7 +235,28 @@ export default function authnRoutes<T extends AnonymousRouter>(
|
|||
overwrite: true,
|
||||
});
|
||||
|
||||
// TODO: redirect to SSO direct sign-in flow
|
||||
const { autoSendAuthorizationRequest, clientIdpInitiatedAuthCallbackUri } =
|
||||
idpInitiatedAuthConfig;
|
||||
|
||||
// Redirect to the client side callback URI if the autoSendAuthorizationRequest is disabled.
|
||||
// Client side will generate and verify the state to prevent CSRF attack.
|
||||
if (!autoSendAuthorizationRequest) {
|
||||
assertThat(
|
||||
clientIdpInitiatedAuthCallbackUri,
|
||||
new RequestError(
|
||||
'single_sign_on.idp_initiated_authentication_client_callback_uri_not_found'
|
||||
)
|
||||
);
|
||||
|
||||
const url = new URL(clientIdpInitiatedAuthCallbackUri);
|
||||
url.searchParams.append(SsoAuthenticationQueryKey.SsoConnectorId, connectorId);
|
||||
|
||||
ctx.redirect(url.toString());
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
// Generate the OIDC authorization request URL for the IdP initiated SSO flow.
|
||||
const signInUrl = await ssoConnectorsLibrary.getIdpInitiatedSamlSsoSignInUrl(
|
||||
envSet.oidc.issuer,
|
||||
idpInitiatedAuthConfig
|
||||
|
|
|
@ -9,6 +9,8 @@ const single_sign_on = {
|
|||
'Invalid application type. Only {{type}} applications are allowed.',
|
||||
idp_initiated_authentication_redirect_uri_not_registered:
|
||||
'The redirect_uri is not registered. Please check the application settings.',
|
||||
idp_initiated_authentication_client_callback_uri_not_found:
|
||||
'The client IdP-initiated authentication callback URI is not found. Please check the connector settings.',
|
||||
};
|
||||
|
||||
export default Object.freeze(single_sign_on);
|
||||
|
|
|
@ -88,3 +88,7 @@ export const ssoConnectorWithProviderConfigGuard = SsoConnectors.guard
|
|||
);
|
||||
|
||||
export type SsoConnectorWithProviderConfig = z.infer<typeof ssoConnectorWithProviderConfigGuard>;
|
||||
|
||||
export enum SsoAuthenticationQueryKey {
|
||||
SsoConnectorId = 'ssoConnectorId',
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue