fix(provider): change order for constructor arguments in saml (#178)

Surbhi-sharma1 · web-flow · commit 6ce241f796ee · 2023-08-24T09:02:21.000+05:30
* fix(provider): changed order for constructor arguments in saml changed order for constructor arguments in saml GH-177 * fix(provider): update readme file update readme file GH-177
diff --git a/README.md b/README.md
@@ -20,7 +20,6 @@
 </a>
 </p>
 
-
 ## Overview
 
 This is a loopback-next extension for adding authentication layer to a REST application in loopback 4.
@@ -2784,15 +2783,19 @@ After this, you can use decorator to apply auth to controller functions wherever
   @authenticate(
     STRATEGY.SAML,
     {
-      accessType: 'offline',
-      scope: ['profile', 'email'],
-      authorizationURL: process.env.SAML_URL,
-      callbackURL: process.env.SAML_CALLBACK_URL,
-      clientID: process.env.SAML_CLIENT_ID,
-      clientSecret: process.env.SAML_CLIENT_SECRET,
-      tokenURL: process.env.SAML_TOKEN_URL,
-    },
-    queryGen('body'),
+    accessType: 'offline',
+    scope: ['profile', 'email'],
+    callbackURL: process.env.SAML_CALLBACK_URL,
+    issuer: process.env.SAML_ISSUER,
+    cert: process.env.SAML_CERT,
+    entryPoint: process.env.SAML_ENTRY_POINT,
+    audience: process.env.SAML_AUDIENCE,
+    logoutUrl: process.env.SAML_LOGOUT_URL,
+    passReqToCallback: !!+(process.env.SAML_AUTH_PASS_REQ_CALLBACK ?? 0),
+    validateInResponseTo: !!+(process.env.VALIDATE_RESPONSE ?? 1),
+    idpIssuer: process.env.IDP_ISSUER,
+    logoutCallbackUrl: process.env.SAML_LOGOUT_CALLBACK_URL,
+    }
   )
   @authorize({permissions: ['*']})
   @post('/auth/saml', {
@@ -2823,21 +2826,25 @@ After this, you can use decorator to apply auth to controller functions wherever
   @authenticate(
     STRATEGY.SAML,
     {
-      accessType: 'offline',
-      scope: ['profile', 'email'],
-      authorizationURL: process.env.SAML_URL,
-      callbackURL: process.env.SAML_CALLBACK_URL,
-      clientID: process.env.SAML_CLIENT_ID,
-      clientSecret: process.env.SAML_CLIENT_SECRET,
-      tokenURL: process.env.SAML_TOKEN_URL,
-    },
-    queryGen('query'),
+    accessType: 'offline',
+    scope: ['profile', 'email'],
+    callbackURL: process.env.SAML_CALLBACK_URL,
+    issuer: process.env.SAML_ISSUER,
+    cert: process.env.SAML_CERT,
+    entryPoint: process.env.SAML_ENTRY_POINT,
+    audience: process.env.SAML_AUDIENCE,
+    logoutUrl: process.env.SAML_LOGOUT_URL,
+    passReqToCallback: !!+(process.env.SAML_AUTH_PASS_REQ_CALLBACK ?? 0),
+    validateInResponseTo: !!+(process.env.VALIDATE_RESPONSE ?? 1),
+    idpIssuer: process.env.IDP_ISSUER,
+    logoutCallbackUrl: process.env.SAML_LOGOUT_CALLBACK_URL,
+    }
   )
   @authorize({permissions: ['*']})
-  @get('/auth/saml-redirect', {
+  @post(`/auth/saml-redirect`, {
     responses: {
       [STATUS_CODE.OK]: {
-        description: 'Saml Redirect Token Response',
+        description: 'Okta SAML callback',
         content: {
           [CONTENT_TYPE.JSON]: {
             schema: {[X_TS_TYPE]: TokenResponse},
@@ -2846,15 +2853,19 @@ After this, you can use decorator to apply auth to controller functions wherever
       },
     },
   })
-  async samlCallback(
-    @param.query.string('code') code: string, //NOSONAR
-    @param.query.string('state') state: string,
-    @param.query.string('session_state') sessionState: string, //NOSONAR
-    @inject(RestBindings.Http.RESPONSE) response: Response,
+  async oktaSamlCallback(
     @inject(AuthenticationBindings.CURRENT_USER)
     user: AuthUser | undefined,
+    @inject(RestBindings.Http.REQUEST) request: Request,
+    @param.query.string('client') clientId: string,
+    @inject(RestBindings.Http.RESPONSE) response: Response,
+    @requestBody({
+      content: {
+        [CONTENT_TYPE.FORM_URLENCODED]: {},
+      },
+    })
+    oktaData: AnyObject,
   ): Promise<void> {
-    const clientId = new URLSearchParams(state).get('client_id');
     if (!clientId || !user) {
       throw new HttpErrors.Unauthorized(AuthErrorKeys.ClientInvalid);
     }
@@ -2878,6 +2889,13 @@ After this, you can use decorator to apply auth to controller functions wherever
 
 Please note above that we are creating two new APIs for SAML. The first one is for UI clients to hit. We are authenticating client as well, then passing the details to the SAML. Then, the actual authentication is done by SAML authorization url, which redirects to the second API we created after success. The first API method body is empty as we do not need to handle its response. The SAML provider in this package will do the redirection for you automatically.
 
+Note: For `auth/saml-redirect` one needs to configure the SSO path by incorporating the client ID as a query parameter in existing application set up within your Okta environment for which you intend to enable SSO as follows:
+
+```
+http://localhost:3000/auth/saml-redirect?client=YOUR_CLIENT_ID
+
+```
+
 For accessing the authenticated AuthUser model reference, you can inject the CURRENT_USER provider, provided by the extension, which is populated by the auth action sequence above.
 
 ```ts
diff --git a/src/strategies/SAML/saml-strategy-factory-provider.ts b/src/strategies/SAML/saml-strategy-factory-provider.ts
@@ -55,14 +55,13 @@ export class SamlStrategyFactoryProvider
     if (options && options.passReqToCallback === true) {
       strategy = new Strategy(
         options,
-        logoutVerify as VerifyWithRequest,
         // eslint-disable-next-line @typescript-eslint/no-misused-promises
         func,
+        logoutVerify as VerifyWithRequest,
       );
     } else {
       strategy = new Strategy(
         options,
-        logoutVerify as unknown as VerifyWithoutRequest,
         // eslint-disable-next-line @typescript-eslint/no-misused-promises
         async (profile: Profile | null | undefined, cb: VerifiedCallback) => {
           try {
@@ -77,6 +76,7 @@ export class SamlStrategyFactoryProvider
             cb(err);
           }
         },
+        logoutVerify as unknown as VerifyWithoutRequest,
       );
     }
     this._setupProxy(strategy);
