refactor(core): make SSO connector domains case insensitive (#8011)

* refactor(core): make SSO connector domains case insencitive

make SSO connector domains case insencitiv

* chore: add changeset

add changeset

* fix(core): fix integration tests

fix integration tests

* fix(core): fix integration tests

fix integration tests

* fix(cloud): fix integration test

fix integration test

Author: simeng-li

.changeset/perfect-needles-repair.md

@@ -0,0 +1,11 @@
+---
+"@logto/core": patch
+---
+
+improve SSO connectors with case-insensitive domain matching
+
+According to the latest standards, email domains should be treated as case-insensitive. To ensure robust and user-friendly authentication, we need to locate SSO connectors correctly regardless of the letter case in the provided email domain.
+
+- Domain normalization on insert: The domains configured for SSO connectors are now normalized to lowercase before being inserted into the database. This ensures consistency and prevents issues arising from varied casing. As part of this change, identical domains with different casing will be treated as duplicates and rejected to maintain data integrity.
+
+- Case-insensitive search for SSO connectors: The get SSO connectors by email endpoint has been updated to perform a case-insensitive search when matching email domains. This guarantees that the correct enabled SSO connector is identified, regardless of the casing used in the user's email address.

packages/core/src/routes/experience/classes/libraries/sign-in-experience-validator.ts

@@ -157,7 +157,10 @@ export class SignInExperienceValidator {
     const { getAvailableSsoConnectors } = this.libraries.ssoConnectors;
     const availableSsoConnectors = await getAvailableSsoConnectors();
 
-    return availableSsoConnectors.filter(({ domains }) => domains.includes(domain));
+    return availableSsoConnectors.filter(({ domains }) => {
+      const normalizedDomains = domains.map((item) => item.toLowerCase());
+      return normalizedDomains.includes(domain.toLowerCase());
+    });
   }
 
   public async getMfaSettings() {

packages/core/src/routes/sso-connector/index.ts

@@ -86,7 +86,7 @@ export default function singleSignOnConnectorsRoutes<T extends ManagementApiRout
     }),
     async (ctx, next) => {
       const { body } = ctx.guard;
-      const { providerName, connectorName, config, domains, ...rest } = body;
+      const { providerName, connectorName, config, domains: rawDomains, ...rest } = body;
 
       // Return 422 if the connector provider is not supported
       if (!isSupportedSsoProvider(providerName)) {
@@ -97,6 +97,9 @@ export default function singleSignOnConnectorsRoutes<T extends ManagementApiRout
         });
       }
 
+      // Normalize domains to lowercase for consistency
+      const domains = rawDomains?.map((domain) => domain.toLowerCase());
+
       // Validate the connector domains if it's provided
       if (domains) {
         validateConnectorDomains(domains);
@@ -268,9 +271,12 @@ export default function singleSignOnConnectorsRoutes<T extends ManagementApiRout
 
       const originalConnector = await getSsoConnectorById(id);
       const { providerName } = originalConnector;
-      const { config, domains, ...rest } = body;
+      const { config, domains: rawDomains, ...rest } = body;
       const { providerType } = ssoConnectorFactories[providerName];
 
+      // Normalize domains to lowercase for consistency
+      const domains = rawDomains?.map((domain) => domain.toLowerCase());
+
       // Validate the connector domains if it's provided
       if (domains) {
         validateConnectorDomains(domains);
@@ -324,7 +330,7 @@ export default function singleSignOnConnectorsRoutes<T extends ManagementApiRout
       }
 
       // Check if there's any valid update
-      const hasValidUpdate = parsedConfig ?? Object.keys(rest).length > 0;
+      const hasValidUpdate = parsedConfig ?? domains ?? Object.keys(rest).length > 0;
 
       // Patch update the connector only if there's any valid update
       const connector = hasValidUpdate

packages/integration-tests/src/tests/api/experience-api/sign-in-interaction/enterprise-sso.test.ts

@@ -26,7 +26,8 @@ import { generateEmail, generatePassword } from '#src/utils.js';
 
 describe('enterprise sso sign-in and sign-up', () => {
   const ssoConnectorApi = new SsoConnectorApi();
-  const domain = 'foo.com';
+  // Use a random domain that contains uppercase letters to test the case-insensitivity of email domain matching.
+  const domain = 'Foo.com';
   const enterpriseSsoIdentityId = generateStandardId();
   const email = generateEmail(domain);
   const userApi = new UserApiTest();
@@ -192,16 +193,16 @@ describe('enterprise sso sign-in and sign-up', () => {
 
   describe('should block email identifier from non-enterprise sso verifications if the SSO is enabled', () => {
     const password = generatePassword();
-    const email = generateEmail(domain);
-    const identifier = Object.freeze({ type: SignInIdentifier.Email, value: email });
 
     beforeAll(async () => {
       await Promise.all([setEmailConnector(), setSmsConnector()]);
       await enableAllVerificationCodeSignInMethods();
-      await userApi.create({ primaryEmail: email, password });
     });
 
     it('should reject when trying to sign-in with email verification code', async () => {
+      // Test with lowercase domain to ensure the domain matching is case-insensitive
+      const email = generateEmail(domain.toLocaleLowerCase());
+      const identifier = Object.freeze({ type: SignInIdentifier.Email, value: email });
       const client = await initExperienceClient();
 
       const { verificationId, code } = await successfullySendVerificationCode(client, {
@@ -228,6 +229,10 @@ describe('enterprise sso sign-in and sign-up', () => {
 
     it('should reject when trying to sign-in with email password', async () => {
       const client = await initExperienceClient();
+      // Test with uppercase domain to ensure the domain matching is case-insensitive
+      const email = generateEmail(domain.toUpperCase());
+      const identifier = Object.freeze({ type: SignInIdentifier.Email, value: email });
+      const user = await userApi.create({ primaryEmail: email, password });
 
       const { verificationId } = await client.verifyPassword({
         identifier,
@@ -243,6 +248,8 @@ describe('enterprise sso sign-in and sign-up', () => {
           status: 422,
         }
       );
+
+      await deleteUser(user.id);
     });
   });
 });

packages/integration-tests/src/tests/api/experience-api/verifications/enterprise-sso-verification.test.ts

@@ -202,10 +202,11 @@ describe('enterprise sso verification', () => {
 
   describe('getSsoConnectorsByEmail', () => {
     const ssoConnectorApi = new SsoConnectorApi();
-    const domain = `foo${randomString()}.com`;
+    const domain = `foo-${randomString()}.com`;
+    const uppercaseDomain = `BAR-${randomString().toUpperCase()}.COM`;
 
     beforeAll(async () => {
-      await ssoConnectorApi.createMockOidcConnector([domain]);
+      await ssoConnectorApi.createMockOidcConnector([domain, uppercaseDomain]);
 
       await updateSignInExperience({
         singleSignOnEnabled: true,
@@ -216,15 +217,26 @@ describe('enterprise sso verification', () => {
       await ssoConnectorApi.cleanUp();
     });
 
-    it('should get sso connectors with given email properly', async () => {
-      const client = new ExperienceClient();
-      await client.initSession();
-
-      const response = await client.getAvailableSsoConnectors('bar@' + domain);
-
-      expect(response.connectorIds.length).toBeGreaterThan(0);
-      expect(response.connectorIds[0]).toBe(ssoConnectorApi.firstConnectorId);
-    });
+    const testEmailDomains = [
+      domain,
+      domain.toUpperCase(),
+      domain.toLocaleLowerCase(),
+      uppercaseDomain,
+      uppercaseDomain.toLowerCase(),
+    ];
+
+    it.each(testEmailDomains)(
+      'should match sso connectors for email domain: %s',
+      async (emailDomain) => {
+        const client = new ExperienceClient();
+        await client.initSession();
+
+        const response = await client.getAvailableSsoConnectors('bar@' + emailDomain);
+
+        expect(response.connectorIds.length).toBeGreaterThan(0);
+        expect(response.connectorIds[0]).toBe(ssoConnectorApi.firstConnectorId);
+      }
+    );
 
     it('should return empty array if no sso connectors found', async () => {
       const client = new ExperienceClient();

packages/integration-tests/src/tests/api/sso-connectors/sso-connectors.test.ts

@@ -109,6 +109,20 @@ describe('post sso-connectors', () => {
       })
     ).rejects.toThrow(HTTPError);
   });
+
+  it('should store domains in lowercase', async () => {
+    const domains = ['Test.COM', 'Example.com', 'foo.org', 'BAR.net'];
+
+    const connector = await createSsoConnector({
+      providerName: SsoProviderName.OIDC,
+      connectorName: 'domains-test-OIDC-connector',
+      domains,
+    });
+
+    expect(connector.domains).toEqual(domains.map((domain) => domain.toLowerCase()));
+
+    await deleteSsoConnectorById(connector.id);
+  });
 });
 
 describe('get sso-connectors', () => {
@@ -310,4 +324,21 @@ describe('patch sso-connector by id', () => {
       await deleteSsoConnectorById(id);
     }
   );
+
+  it('should store domains in lowercase when patching', async () => {
+    const { id } = await createSsoConnector({
+      providerName: SsoProviderName.OIDC,
+      connectorName: 'domains-test-OIDC-connector',
+    });
+
+    const domains = ['Test.COM', 'Example.com', 'foo.org', 'BAR.net'];
+
+    const connector = await patchSsoConnectorById(id, {
+      domains,
+    });
+
+    expect(connector.domains).toEqual(domains.map((domain) => domain.toLowerCase()));
+
+    await deleteSsoConnectorById(connector.id);
+  });
 });