feat(core): add default redirect URI for SAML apps on creation
darcyYe committed Jan 10, 2025
1 parent 3efca11 commit d5da65e
Showing 4 changed files with 53 additions and 15 deletions.
24 changes: 13 additions & 11 deletions packages/core/src/saml-applications/SamlApplication/index.ts
@@ -1,8 +1,8 @@
/* eslint-disable max-lines */
// TODO: refactor this file to reduce LOC

import { parseJson } from '@logto/connector-kit';
import { userClaims, type UserClaim, UserScope } from '@logto/core-kit';
import { Prompt, QueryKey, ReservedScope } from '@logto/js';
import { userClaims, type UserClaim, UserScope, ReservedScope } from '@logto/core-kit';
import { Prompt, QueryKey } from '@logto/js';
import {
type SamlAcsUrl,
BindingType,
Expand All @@ -11,7 +11,7 @@ import {
type SamlAttributeMapping,
} from '@logto/schemas';
import { generateStandardId } from '@logto/shared';
import { tryThat, appendPath, deduplicate, type Nullable, cond } from '@silverhand/essentials';
import { tryThat, type Nullable, cond } from '@silverhand/essentials';
import camelcaseKeys, { type CamelCaseKeys } from 'camelcase-keys';
import { XMLValidator } from 'fast-xml-parser';
import saml from 'samlify';
Expand Down Expand Up @@ -39,7 +39,7 @@ import {
import { buildSingleSignOnUrl, buildSamlIdentityProviderEntityId } from '../libraries/utils.js';
import { type SamlApplicationDetails } from '../queries/index.js';

import { buildSamlAssertionNameId } from './utils.js';
import { buildSamlAssertionNameId, getSamlAppCallbackUrl } from './utils.js';

type ValidSamlApplicationDetails = {
secret: string;
Expand Down Expand Up @@ -237,10 +237,7 @@ export class SamlApplication {
}

public get samlAppCallbackUrl() {
return appendPath(
this.tenantEndpoint,
`api/saml-applications/${this.samlApplicationId}/callback`
).toString();
return getSamlAppCallbackUrl(this.tenantEndpoint, this.samlApplicationId).toString();
}

public async parseLoginRequest(
Expand Down Expand Up @@ -295,7 +292,7 @@ export class SamlApplication {
queryParameters.append(
QueryKey.Scope,
// For security reasons, DO NOT include the offline_access scope by default.
deduplicate([ReservedScope.OpenId, ...this.getScopesFromAttributeMapping()]).join(' ')
this.getScopesFromAttributeMapping().join(' ')
);

if (state) {
Expand Down Expand Up @@ -372,8 +369,13 @@ export class SamlApplication {
};

// Get required scopes based on attribute mapping configuration
protected getScopesFromAttributeMapping = (): UserScope[] => {
const requiredScopes = new Set<UserScope>();
protected getScopesFromAttributeMapping = (): Array<UserScope | ReservedScope> => {
const requiredScopes = new Set<UserScope | ReservedScope>();

// Add default scopes.
requiredScopes.add(ReservedScope.OpenId);
requiredScopes.add(UserScope.Profile);

if (this.details.nameIdFormat === NameIdFormat.EmailAddress) {
requiredScopes.add(UserScope.Email);
}
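Review bot: The new `requiredScopes.add(UserScope.Profile)` in getScopesFromAttributeMapping requests the profile scope for every SAML app regardless of its attribute mapping, and the `// Add default scopes.` comment does not say why, while the nearby `// For security reasons, DO NOT include the offline_access scope by default.` comment sets a least-privilege expectation that this quietly widens. If profile is genuinely needed for every app (for the default name ID or a base claim set), state that in the comment, e.g. `// openid is required by the OIDC flow; profile is always requested because <reason — TODO fill in>`; otherwise add it conditionally from the mapping the same way Email is added below. The `.join(' ')` caller in the query-parameter hunk relies on the method returning a de-duplicated array, which the `Set` provides as long as the return statement (outside this hunk) converts the set rather than concatenating anything else. getScopesFromAttributeMapping continues past the end of the hunk.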
4 changes: 4 additions & 0 deletions packages/core/src/saml-applications/SamlApplication/utils.ts
@@ -1,5 +1,6 @@
import { NameIdFormat } from '@logto/schemas';
import { generateStandardId } from '@logto/shared';
import { appendPath } from '@silverhand/essentials';

import RequestError from '#src/errors/RequestError/index.js';
import { type IdTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
Expand Down Expand Up @@ -68,3 +69,6 @@ export const generateAutoSubmitForm = (actionUrl: string, samlResponse: string):
</html>
`;
};

export const getSamlAppCallbackUrl = (baseUrl: URL, samlAppId: string) =>
appendPath(baseUrl, `api/saml-applications/${samlAppId}/callback`);
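Review bot: `getSamlAppCallbackUrl` is exported without a return type or doc comment, and `samlAppId` is spliced into the path unencoded; both visible callers pass a `generateStandardId()` value so this is fine today, but the helper itself does not enforce that. The `.toString()` at both call sites suggests `appendPath` returns a `URL`, so `export const getSamlAppCallbackUrl = (baseUrl: URL, samlAppId: string): URL =>` with `appendPath(baseUrl, \`api/saml-applications/${encodeURIComponent(samlAppId)}/callback\`);` would pin the contract and make the id safe for any future caller. A one-line TSDoc noting that this value is also the redirect URI registered on the app at creation, so the path must not change without a migration, would help the next maintainer.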
19 changes: 16 additions & 3 deletions packages/core/src/saml-applications/routes/index.ts
Expand Up @@ -10,21 +10,24 @@ import { generateStandardId } from '@logto/shared';
import { removeUndefinedKeys } from '@silverhand/essentials';
import { z } from 'zod';

import { EnvSet } from '#src/env-set/index.js';
import RequestError from '#src/errors/RequestError/index.js';
import koaGuard from '#src/middleware/koa-guard.js';
import { buildOidcClientMetadata } from '#src/oidc/utils.js';
import { generateInternalSecret } from '#src/routes/applications/application-secret.js';
import type { ManagementApiRouter, RouterInitArgs } from '#src/routes/types.js';
import assertThat from '#src/utils/assert-that.js';

import { getTenantEndpoint } from '../../env-set/utils.js';
import { getSamlAppCallbackUrl } from '../SamlApplication/utils.js';
import {
calculateCertificateFingerprints,
ensembleSamlApplication,
validateAcsUrl,
} from '../libraries/utils.js';

export default function samlApplicationRoutes<T extends ManagementApiRouter>(
...[router, { queries, libraries }]: RouterInitArgs<T>
...[router, { id: tenantId, queries, libraries }]: RouterInitArgs<T>
) {
const {
applications: { insertApplication, findApplicationById, deleteApplicationById },
Expand Down Expand Up @@ -58,14 +61,24 @@ export default function samlApplicationRoutes<T extends ManagementApiRouter>(
validateAcsUrl(config.acsUrl);
}

const id = generateStandardId();
// Set the default redirect URI for SAML apps when creating a new SAML app.
const redirectUri = getSamlAppCallbackUrl(
getTenantEndpoint(tenantId, EnvSet.values),
id
).toString();

const application = await insertApplication(
removeUndefinedKeys({
id: generateStandardId(),
id,
secret: generateInternalSecret(),
name,
description,
customData,
oidcClientMetadata: buildOidcClientMetadata(),
oidcClientMetadata: {
...buildOidcClientMetadata(),
redirectUris: [redirectUri],
},
type: ApplicationType.SAML,
})
);
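Review bot: The redirect URI persisted at creation is computed from `getTenantEndpoint(tenantId, EnvSet.values)`, whereas the runtime callback (`samlAppCallbackUrl` in SamlApplication/index.ts) is built from `this.tenantEndpoint`; the two are derived in different places, and if they can ever disagree (a tenant endpoint that changes after the app is created, for instance) the exact-match `redirect_uri` check would reject the app's own callback. If they are guaranteed equal, say so on the new comment line, e.g. `// Must stay identical to SamlApplication.samlAppCallbackUrl; the OIDC redirect_uri check is an exact string match.`; if not, the stored value should be refreshed from the same source the runtime uses. Generating `id` once and reusing it for both the row and the URI is correct, since the URI embeds the app id. The enclosing route handler starts and ends outside the hunk.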
@@ -1,7 +1,12 @@
import { ApplicationType, BindingType, NameIdFormat } from '@logto/schemas';
import { conditional } from '@silverhand/essentials';

import { createApplication, deleteApplication, updateApplication } from '#src/api/application.js';
import {
createApplication,
deleteApplication,
getApplications,
updateApplication,
} from '#src/api/application.js';
import {
createSamlApplication,
deleteSamlApplication,
Expand All @@ -27,6 +32,20 @@ describe('SAML application', () => {

expect(createdSamlApplication.nameIdFormat).toBe(NameIdFormat.Persistent);

// Check if the SAML application's OIDC metadata redirect URI is properly set.
// We need to do this since we do not return OIDC related info when using SAML app APIs.
const samlApplications = await getApplications([ApplicationType.SAML]);
const pickedSamlApplication = samlApplications.find(
({ id }) => id === createdSamlApplication.id
);
expect(pickedSamlApplication).toBeDefined();
expect(pickedSamlApplication!.oidcClientMetadata.redirectUris.length).toBe(1);
expect(
pickedSamlApplication!.oidcClientMetadata.redirectUris[0]!.endsWith(
`api/saml-applications/${createdSamlApplication.id}/callback`
)
).toBe(true);

await deleteSamlApplication(createdSamlApplication.id);
});

