Merge branch 'idp-token-support' into invio-release-5.1401

Paul Wheeler · Paul Wheeler · commit 2b9eba191aed · 2021-12-20T18:45:43.000-10:00
diff --git a/src/models/IDPDiscovery.js b/src/models/IDPDiscovery.js
@@ -13,7 +13,7 @@
 import PrimaryAuthModel from 'models/PrimaryAuth';
 import CookieUtil from 'util/CookieUtil';
 import Enums from 'util/Enums';
-import Util from 'util/Util';
+
 export default PrimaryAuthModel.extend({
   props: function() {
     const cookieUsername = CookieUtil.getCookieUsername();
@@ -57,13 +57,15 @@ export default PrimaryAuthModel.extend({
           if (res.links[0].properties['okta:idp:type'] === 'OKTA') {
             this.trigger('goToPrimaryAuth');
           } else if (res.links[0].href) {
-            const redirectFn = res.links[0].href.includes('OKTA_INVALID_SESSION_REPOST%3Dtrue')
-              ? Util.redirectWithFormGet.bind(Util)
-              : this.settings.get('redirectUtilFn');
-            //override redirectFn to only use Util.redirectWithFormGet if OKTA_INVALID_SESSION_REPOST is included
-            //it will be encoded since it will be included in the encoded fromURI
+            // Redirecting straight to the IDP URL is good for nothing because
+            // it doesn't transmit tokens back the the client.
 
-            redirectFn(res.links[0].href);
+            return authClient.token.getWithRedirect({
+              ...this.settings.options,
+              // Unpack authParams
+              ...this.settings.options.authParams,
+              loginHint: username
+            });
           }
         }
       })
diff --git a/test/unit/spec/IDPDiscovery_spec.js b/test/unit/spec/IDPDiscovery_spec.js
@@ -9,7 +9,6 @@ import Util from 'helpers/mocks/Util';
 import Expect from 'helpers/util/Expect';
 import resError from 'helpers/xhr/ERROR_webfinger';
 import resSuccess from 'helpers/xhr/SUCCESS';
-import resSuccessRepostIWA from 'helpers/xhr/IDPDiscoverySuccessRepost_IWA';
 import resSuccessIWA from 'helpers/xhr/IDPDiscoverySuccess_IWA';
 import resSuccessOktaIDP from 'helpers/xhr/IDPDiscoverySuccess_OktaIDP';
 import resSuccessSAML from 'helpers/xhr/IDPDiscoverySuccess_SAML';
@@ -960,6 +959,7 @@ Expect.describe('IDPDiscovery', function() {
           })
           .then(function(test) {
             spyOn(test.securityBeacon, 'toggleClass').and.callThrough();
+            spyOn(test.ac.token, 'getWithRedirect');
             test.setNextWebfingerResponse(resSuccessSAML);
             test.form.submit();
             return Expect.waitForSpyCall(test.securityBeacon.toggleClass, test);
@@ -970,7 +970,9 @@ Expect.describe('IDPDiscovery', function() {
             return waitForWebfingerCall(test);
           })
           .then(function(test) {
-            expect(test.securityBeacon.toggleClass).toHaveBeenCalledWith(BEACON_LOADING_CLS, false);
+            expect(test.ac.token.getWithRedirect).toHaveBeenCalledWith(jasmine.objectContaining({
+              loginHint: test.form.usernameField().val()
+            }));
           });
       });
       itp('does not show beacon-loading animation when authClient webfinger fails', function() {
@@ -1503,72 +1505,32 @@ Expect.describe('IDPDiscovery', function() {
       spyOn(SharedUtil, 'redirect');
       return setup()
         .then(function(test) {
+          spyOn(test.ac.token, 'getWithRedirect');
           test.setNextWebfingerResponse(resSuccessSAML);
           test.form.setUsername(' testuser@clouditude.net ');
           test.form.submit();
-          return Expect.waitForSpyCall(SharedUtil.redirect);
+          return Expect.waitForSpyCall(test.ac.token.getWithRedirect, test);
         })
-        .then(function() {
-          expect(SharedUtil.redirect).toHaveBeenCalledWith('http://demo.okta1.com:1802/sso/saml2/0oa2hhcwIc78OGP1W0g4');
-        });
-    });
-    itp('redirects using form Get to idp for SAML idps when features.redirectByFormSubmit is on', function() {
-      spyOn(WidgetUtil, 'redirectWithFormGet');
-      return setup({ 'features.redirectByFormSubmit': true })
         .then(function(test) {
-          test.setNextWebfingerResponse(resSuccessSAML);
-          test.form.setUsername(' testuser@clouditude.net ');
-          test.form.submit();
-          return Expect.waitForSpyCall(WidgetUtil.redirectWithFormGet);
-        })
-        .then(function() {
-          expect(WidgetUtil.redirectWithFormGet).toHaveBeenCalledWith(
-            'http://demo.okta1.com:1802/sso/saml2/0oa2hhcwIc78OGP1W0g4'
-          );
+          expect(test.ac.token.getWithRedirect).toHaveBeenCalledWith(jasmine.objectContaining({
+            loginHint: test.form.usernameField().val().trim()
+          }));
         });
     });
     itp('redirects to idp for idps other than okta/saml', function() {
       spyOn(SharedUtil, 'redirect');
       return setup()
         .then(function(test) {
+          spyOn(test.ac.token, 'getWithRedirect');
           test.setNextWebfingerResponse(resSuccessIWA);
           test.form.setUsername('testuser@clouditude.net');
           test.form.submit();
-          return Expect.waitForSpyCall(SharedUtil.redirect);
+          return Expect.waitForSpyCall(test.ac.token.getWithRedirect, test);
         })
-        .then(function() {
-          expect(SharedUtil.redirect).toHaveBeenCalledWith('http://demo.okta1.com:1802/login/sso_iwa');
-        });
-    });
-    itp(
-      'redirects using form GET to idp for idps other than okta/saml when features.redirectByFormSubmit is on',
-      function() {
-        spyOn(WidgetUtil, 'redirectWithFormGet');
-        return setup({ 'features.redirectByFormSubmit': true })
-          .then(function(test) {
-            test.setNextWebfingerResponse(resSuccessIWA);
-            test.form.setUsername('testuser@clouditude.net');
-            test.form.submit();
-            return Expect.waitForSpyCall(WidgetUtil.redirectWithFormGet);
-          })
-          .then(function() {
-            expect(WidgetUtil.redirectWithFormGet).toHaveBeenCalledWith('http://demo.okta1.com:1802/login/sso_iwa');
-          });
-      }
-    );
-    itp('redirects using form GET to idp when OKTA_INVALID_SESSION_REPOST=true', function() {
-      spyOn(WidgetUtil, 'redirectWithFormGet');
-      return setup()
         .then(function(test) {
-          test.setNextWebfingerResponse(resSuccessRepostIWA);
-          test.form.setUsername('testuser@clouditude.net');
-          test.form.submit();
-          return Expect.waitForSpyCall(WidgetUtil.redirectWithFormGet);
-        })
-        .then(function() {
-          expect(WidgetUtil.redirectWithFormGet).toHaveBeenCalledWith(
-            'http://demo.okta1.com:1802/login/sso_iwa?fromURI=%2Fapp%2Finstance%2Fkey%3FSAMLRequest%3Dencoded%26RelayState%3DrelayState%26OKTA_INVALID_SESSION_REPOST%3Dtrue'
-          );
+          expect(test.ac.token.getWithRedirect).toHaveBeenCalledWith(jasmine.objectContaining({
+            loginHint: test.form.usernameField().val()
+          }));
         });
     });
   });
