feat(schemas): add idp-initiated SSO client side callback url columns #6675
+48
−2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
COMPARE TO
|
| Name | Diff |
|---|---|
| packages/core/src/mocks/sso.ts | 📈 +337 Bytes |
| packages/core/src/libraries/sso-connector.test.ts | 📈 +192 Bytes |
| packages/core/src/libraries/sso-connector.ts | 📈 +294 Bytes |
| packages/core/src/queries/sso-connectors.ts | 📈 +309 Bytes |
| packages/core/src/routes/interaction/utils/single-sign-on.test.ts | 📈 +6.31 KB |
| packages/core/src/routes/interaction/utils/single-sign-on.ts | 📈 +1.99 KB |
| packages/core/src/utils/test-utils.ts | 📈 +26 Bytes |
| packages/schemas/alterations/next-1728887713-add-client-idp-initiated-auth-callback-uri-columns.ts | 📈 +1.35 KB |
| packages/schemas/tables/sso_connector_idp_initiated_auth_configs.sql | 📈 +287 Bytes |
simeng-li
changed the title
simeng-li
force-pushed
the
simeng-log-10216-coreschemas-add-the-redirect-without-sign-in-flow
branch
from
61721ea
to
39a2eca
Compare
simeng-li
force-pushed
the
simeng-log-10156-experience-api-retrieve-idp-initiated-saml-sso-assertion-by
branch
from
4eb15aa
to
b027604
Compare
add client idp-initiated auth callback url column
fix ut
simeng-li
force-pushed
the
simeng-log-10216-coreschemas-add-the-redirect-without-sign-in-flow
branch
from
8b37668
to
0a30f8b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Alternate the
sso_connector_idp_initiated_auth_configsto support directly redirecting the user to the client app to initiate a standard OIDC authorization request.Context
For better security and to support SPA applications, instead of automatically sending the OIDC authorization requests from the server side, we provide a more recommended option, redirect the user to the client side to initiate an OIDC authentication flow.
Since the IdP-initiated SAML SSO authentication request is unsolicited, thus sending an OIDC authorization request directly from the server side can not provide the necessary CRSF attack protection.
E.g. the
stateparameter andPKCEflow for SPA application.As a better recommendation, by default, we redirect the user to a given client callback URL to initiate a standard OIDC auth flow, while keeping a live IdP-initiated SSO assertion session, so the user can be automatically authenticated via the same SSO connector.
Option A (Default):
auto_send_authorization_requestset to false.fieldclient_idp_initiated_auth_callback_uri` in the config.Option B (Previously implemented):
auto_send_authorization_requestset to true.redirect_uriand otherauth_parametersUpdates
auto_send_authorization_request. Default false. When disabled, Logto will redirect the user to the client side to trigger an auth request.client_idp_initiated_auth_callback_uri. Exclusively stores the client side idp-initiated auth callback URL.SPAapplication type.Testing
Checklist
.changeset