TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 01:47:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: SAML and OIDC issuer (in proxied use cases) (#9638)

Browse Source 
# Which Problems Are Solved

When using implicit flow through the session API and a login UI on a
custom domain (proxy), the tokens were signed by the API domain of the
instance, rather than the public (proxy) domain.
The SAML response had the same issue. Additionally, the saml library had
an issue and lost the issuer context. This prevented also a successful
login through the hosted login UI.

# How the Problems Are Solved

- The issuer of the SAML and Auth request is persisted to provide the
information when signing the responses and tokens.
- The SAML library is updated to the latest version.

# Additional Changes

None

# Additional Context

None
This commit is contained in:
Stefan Benz
2025-03-26 18:08:13 +01:00
committed by GitHub
parent 1c0c08307f
commit 0e10ed0e0b
19 changed files with 226 additions and 162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/api/grpc/oidc/v2/oidc.go
View File

@@ -10,7 +10,7 @@ import (
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
"github.com/zitadel/zitadel/internal/api/http"
http_utils "github.com/zitadel/zitadel/internal/api/http"
"github.com/zitadel/zitadel/internal/api/oidc"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
@@ -158,7 +158,11 @@ func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID str
return nil, err
}
authReq := &oidc.AuthRequestV2{CurrentAuthRequest: aar}
ctx = op.ContextWithIssuer(ctx, http.DomainContext(ctx).Origin())
issuer := authReq.Issuer
if issuer == "" {
issuer = http_utils.DomainContext(ctx).Origin()
}
ctx = op.ContextWithIssuer(ctx, issuer)
var callback string
if aar.ResponseType == domain.OIDCResponseTypeCode {
callback, err = oidc.CreateCodeCallbackURL(ctx, authReq, s.op.Provider())

7
internal/api/grpc/saml/v2/saml.go
View File

@@ -4,9 +4,11 @@ import (
"context"
"github.com/zitadel/logging"
"github.com/zitadel/saml/pkg/provider"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
http_utils "github.com/zitadel/zitadel/internal/api/http"
"github.com/zitadel/zitadel/internal/api/saml"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
@@ -76,6 +78,11 @@ func (s *Server) linkSessionToSAMLRequest(ctx context.Context, samlRequestID str
return nil, err
}
authReq := &saml.AuthRequestV2{CurrentSAMLRequest: aar}
responseIssuer := authReq.ResponseIssuer
if responseIssuer == "" {
responseIssuer = http_utils.DomainContext(ctx).Origin()
}
ctx = provider.ContextWithIssuer(ctx, responseIssuer)
url, body, err := s.idp.CreateResponse(ctx, authReq)
if err != nil {
return nil, err

1
internal/api/oidc/auth_request.go
View File

@@ -111,6 +111,7 @@ func (o *OPStorage) createAuthRequestLoginClient(ctx context.Context, req *oidc.
Prompt: PromptToBusiness(req.Prompt),
UILocales: UILocalesToBusiness(req.UILocales),
MaxAge: MaxAgeToBusiness(req.MaxAge),
Issuer: o.contextToIssuer(ctx),
}
if req.LoginHint != "" {
authRequest.LoginHint = &req.LoginHint

12
internal/api/oidc/op.go
View File

@@ -75,6 +75,7 @@ type OPStorage struct {
encAlg crypto.EncryptionAlgorithm
locker crdb.Locker
assetAPIPrefix func(ctx context.Context) string
contextToIssuer func(context.Context) string
}
// Provider is used to overload certain [op.Provider] methods
@@ -119,7 +120,7 @@ func NewServer(
if err != nil {
return nil, zerrors.ThrowInternal(err, "OIDC-EGrqd", "cannot create op config: %w")
}
storage := newStorage(config, command, query, repo, encryptionAlg, es, projections)
storage := newStorage(config, command, query, repo, encryptionAlg, es, projections, ContextToIssuer)
keyCache := newPublicKeyCache(ctx, config.PublicKeyCacheMaxAge, queryKeyFunc(query))
accessTokenKeySet := newOidcKeySet(keyCache, withKeyExpiryCheck(true))
idTokenHintKeySet := newOidcKeySet(keyCache)
@@ -182,9 +183,13 @@ func NewServer(
return server, nil
}
func ContextToIssuer(ctx context.Context) string {
return http_utils.DomainContext(ctx).Origin()
}
func IssuerFromContext(_ bool) (op.IssuerFromRequest, error) {
return func(r *http.Request) string {
return http_utils.DomainContext(r.Context()).Origin()
return ContextToIssuer(r.Context())
}, nil
}
@@ -220,7 +225,7 @@ func createOPConfig(config Config, defaultLogoutRedirectURI string, cryptoKey []
return opConfig, nil
}
func newStorage(config Config, command *command.Commands, query *query.Queries, repo repository.Repository, encAlg crypto.EncryptionAlgorithm, es *eventstore.Eventstore, db *database.DB) *OPStorage {
func newStorage(config Config, command *command.Commands, query *query.Queries, repo repository.Repository, encAlg crypto.EncryptionAlgorithm, es *eventstore.Eventstore, db *database.DB, contextToIssuer func(context.Context) string) *OPStorage {
return &OPStorage{
repo: repo,
command: command,
@@ -236,6 +241,7 @@ func newStorage(config Config, command *command.Commands, query *query.Queries,
encAlg: encAlg,
locker: crdb.NewLocker(db.DB, locksTable, signingKey),
assetAPIPrefix: assets.AssetAPI(),
contextToIssuer: contextToIssuer,
}
}

9
internal/api/saml/auth_request.go
View File

@@ -3,7 +3,6 @@ package saml
import (
"context"
"encoding/base64"
"net/http"
"net/url"
"github.com/zitadel/saml/pkg/provider"
@@ -34,15 +33,9 @@ func (p *Provider) CreateResponse(ctx context.Context, authReq models.AuthReques
AcsUrl: authReq.GetAccessConsumerServiceURL(),
RequestID: authReq.GetAuthRequestID(),
Audience: authReq.GetIssuer(),
Issuer: p.GetEntityID(ctx),
}
issuer := ContextToIssuer(ctx)
req, err := http.NewRequestWithContext(provider.ContextWithIssuer(ctx, issuer), http.MethodGet, issuer, nil)
if err != nil {
return "", "", err
}
resp.Issuer = p.GetEntityID(req)
samlResponse, err := p.AuthCallbackResponse(ctx, authReq, resp)
if err != nil {
return "", "", err

3
internal/api/saml/provider.go
View File

@@ -60,6 +60,7 @@ func NewProvider(
projections,
fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
conf.DefaultLoginURLV2,
ContextToIssuer,
)
if err != nil {
return nil, err
@@ -117,6 +118,7 @@ func newStorage(
db *database.DB,
defaultLoginURL string,
defaultLoginURLV2 string,
contextToIssuer func(context.Context) string,
) (*Storage, error) {
return &Storage{
encAlg: encAlg,
@@ -128,6 +130,7 @@ func newStorage(
query: query,
defaultLoginURL: defaultLoginURL,
defaultLoginURLv2: defaultLoginURLV2,
contextToIssuer: contextToIssuer,
}, nil
}

18
internal/api/saml/storage.go
View File

@@ -64,6 +64,7 @@ type Storage struct {
defaultLoginURL string
defaultLoginURLv2 string
contextToIssuer func(context.Context) string
}
func (p *Storage) GetEntityByID(ctx context.Context, entityID string) (*serviceprovider.ServiceProvider, error) {
@@ -137,14 +138,15 @@ func (p *Storage) createAuthRequestLoginClient(ctx context.Context, req *samlp.A
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
samlRequest := &command.SAMLRequest{
ApplicationID: applicationID,
ACSURL: acsUrl,
RelayState: relayState,
RequestID: req.Id,
Binding: protocolBinding,
Issuer: req.Issuer.Text,
Destination: req.Destination,
LoginClient: loginClient,
ApplicationID: applicationID,
ACSURL: acsUrl,
RelayState: relayState,
RequestID: req.Id,
Binding: protocolBinding,
Issuer: req.Issuer.Text,
Destination: req.Destination,
LoginClient: loginClient,
ResponseIssuer: p.contextToIssuer(ctx),
}
aar, err := p.command.AddSAMLRequest(ctx, samlRequest)

3
internal/command/auth_request.go
View File

@@ -29,6 +29,7 @@ type AuthRequest struct {
LoginHint *string
HintUserID *string
NeedRefreshToken bool
Issuer string
}
type CurrentAuthRequest struct {
@@ -73,6 +74,7 @@ func (c *Commands) AddAuthRequest(ctx context.Context, authRequest *AuthRequest)
authRequest.LoginHint,
authRequest.HintUserID,
authRequest.NeedRefreshToken,
authRequest.Issuer,
))
if err != nil {
return nil, err
@@ -180,6 +182,7 @@ func authRequestWriteModelToCurrentAuthRequest(writeModel *AuthRequestWriteModel
MaxAge: writeModel.MaxAge,
LoginHint: writeModel.LoginHint,
HintUserID: writeModel.HintUserID,
Issuer: writeModel.Issuer,
},
SessionID: writeModel.SessionID,
UserID: writeModel.UserID,

2
internal/command/auth_request_model.go
View File

@@ -36,6 +36,7 @@ type AuthRequestWriteModel struct {
AuthMethods []domain.UserAuthMethodType
AuthRequestState domain.AuthRequestState
NeedRefreshToken bool
Issuer string
}
func NewAuthRequestWriteModel(ctx context.Context, id string) *AuthRequestWriteModel {
@@ -68,6 +69,7 @@ func (m *AuthRequestWriteModel) Reduce() error {
m.HintUserID = e.HintUserID
m.AuthRequestState = domain.AuthRequestStateAdded
m.NeedRefreshToken = e.NeedRefreshToken
m.Issuer = e.Issuer
case *authrequest.SessionLinkedEvent:
m.SessionID = e.SessionID
m.UserID = e.UserID

22
internal/command/auth_request_test.go
View File

@@ -62,6 +62,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
nil,
nil,
false,
"issuer",
),
),
),
@@ -101,6 +102,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
false,
"issuer",
),
),
),
@@ -127,6 +129,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
MaxAge: gu.Ptr(time.Duration(0)),
LoginHint: gu.Ptr("loginHint"),
HintUserID: gu.Ptr("hintUserID"),
Issuer: "issuer",
},
},
&CurrentAuthRequest{
@@ -150,6 +153,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
MaxAge: gu.Ptr(time.Duration(0)),
LoginHint: gu.Ptr("loginHint"),
HintUserID: gu.Ptr("hintUserID"),
Issuer: "issuer",
},
},
nil,
@@ -234,6 +238,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
eventFromEventPusher(
@@ -276,6 +281,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -317,6 +323,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -356,6 +363,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -418,6 +426,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -469,6 +478,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -527,6 +537,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -557,6 +568,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -616,6 +628,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -646,6 +659,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -706,6 +720,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -736,6 +751,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -797,6 +813,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -827,6 +844,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -950,6 +968,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -978,6 +997,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
},
},
@@ -1050,6 +1070,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
),
@@ -1088,6 +1109,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(

7
internal/command/oidc_session_test.go
View File

@@ -138,6 +138,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -182,6 +183,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -234,6 +236,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -331,6 +334,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -465,6 +469,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -610,6 +615,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -748,6 +754,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
false,
"issuer",
),
),
eventFromEventPusher(

35
internal/command/saml_request.go
View File

@@ -15,13 +15,14 @@ type SAMLRequest struct {
ID string
LoginClient string
ApplicationID string
ACSURL string
RelayState string
RequestID string
Binding string
Issuer string
Destination string
ApplicationID string
ACSURL string
RelayState string
RequestID string
Binding string
Issuer string
Destination string
ResponseIssuer string
}
type CurrentSAMLRequest struct {
@@ -56,6 +57,7 @@ func (c *Commands) AddSAMLRequest(ctx context.Context, samlRequest *SAMLRequest)
samlRequest.Binding,
samlRequest.Issuer,
samlRequest.Destination,
samlRequest.ResponseIssuer,
))
if err != nil {
return nil, err
@@ -131,15 +133,16 @@ func (c *Commands) FailSAMLRequest(ctx context.Context, id string, reason domain
func samlRequestWriteModelToCurrentSAMLRequest(writeModel *SAMLRequestWriteModel) (_ *CurrentSAMLRequest) {
return &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: writeModel.AggregateID,
LoginClient: writeModel.LoginClient,
ApplicationID: writeModel.ApplicationID,
ACSURL: writeModel.ACSURL,
RelayState: writeModel.RelayState,
RequestID: writeModel.RequestID,
Binding: writeModel.Binding,
Issuer: writeModel.Issuer,
Destination: writeModel.Destination,
ID: writeModel.AggregateID,
LoginClient: writeModel.LoginClient,
ApplicationID: writeModel.ApplicationID,
ACSURL: writeModel.ACSURL,
RelayState: writeModel.RelayState,
RequestID: writeModel.RequestID,
Binding: writeModel.Binding,
Issuer: writeModel.Issuer,
Destination: writeModel.Destination,
ResponseIssuer: writeModel.ResponseIssuer,
},
SessionID: writeModel.SessionID,
UserID: writeModel.UserID,

18
internal/command/saml_request_model.go
View File

@@ -15,14 +15,15 @@ type SAMLRequestWriteModel struct {
eventstore.WriteModel
aggregate *eventstore.Aggregate
LoginClient string
ApplicationID string
ACSURL string
RelayState string
RequestID string
Binding string
Issuer string
Destination string
LoginClient string
ApplicationID string
ACSURL string
RelayState string
RequestID string
Binding string
Issuer string
Destination string
ResponseIssuer string
SessionID string
UserID string
@@ -52,6 +53,7 @@ func (m *SAMLRequestWriteModel) Reduce() error {
m.Binding = e.Binding
m.Issuer = e.Issuer
m.Destination = e.Destination
m.ResponseIssuer = e.ResponseIssuer
m.SAMLRequestState = domain.SAMLRequestStateAdded
case *samlrequest.SessionLinkedEvent:
m.SessionID = e.SessionID

145
internal/command/saml_request_test.go
View File

@@ -54,6 +54,7 @@ func TestCommands_AddSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -82,6 +83,7 @@ func TestCommands_AddSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -90,27 +92,29 @@ func TestCommands_AddSAMLRequest(t *testing.T) {
args{
ctx: mockCtx,
request: &SAMLRequest{
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
},
&CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
},
nil,
@@ -187,6 +191,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
eventFromEventPusher(
@@ -222,6 +227,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -255,6 +261,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -286,6 +293,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -340,6 +348,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -383,6 +392,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -431,15 +441,16 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
authReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -462,6 +473,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -511,15 +523,16 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
authReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -541,6 +554,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -591,15 +605,16 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
authReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -622,6 +637,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -672,15 +688,16 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
authReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -703,6 +720,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -817,6 +835,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
samlrequest.NewFailedEvent(mockCtx, &samlrequest.NewAggregate("V2_id", "instanceID").Aggregate,
@@ -850,6 +869,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -870,15 +890,16 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
samlReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
},
},

4
internal/command/saml_session_test.go
View File

@@ -99,6 +99,7 @@ func TestCommands_CreateSAMLSessionFromSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -129,6 +130,7 @@ func TestCommands_CreateSAMLSessionFromSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
eventFromEventPusher(
@@ -167,6 +169,7 @@ func TestCommands_CreateSAMLSessionFromSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
eventFromEventPusher(
@@ -248,6 +251,7 @@ func TestCommands_CreateSAMLSessionFromSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
eventFromEventPusher(

3
internal/repository/authrequest/auth_request.go
View File

@@ -38,6 +38,7 @@ type AddedEvent struct {
LoginHint *string `json:"login_hint,omitempty"`
HintUserID *string `json:"hint_user_id,omitempty"`
NeedRefreshToken bool `json:"need_refresh_token,omitempty"`
Issuer string `json:"issuer,omitempty"`
}
func (e *AddedEvent) Payload() interface{} {
@@ -66,6 +67,7 @@ func NewAddedEvent(ctx context.Context,
loginHint,
hintUserID *string,
needRefreshToken bool,
issuer string,
) *AddedEvent {
return &AddedEvent{
BaseEvent: *eventstore.NewBaseEventForPush(
@@ -89,6 +91,7 @@ func NewAddedEvent(ctx context.Context,
LoginHint: loginHint,
HintUserID: hintUserID,
NeedRefreshToken: needRefreshToken,
Issuer: issuer,
}
}

35
internal/repository/samlrequest/saml_request.go
View File

@@ -19,14 +19,15 @@ const (
type AddedEvent struct {
*eventstore.BaseEvent `json:"-"`
LoginClient string `json:"login_client,omitempty"`
ApplicationID string `json:"application_id,omitempty"`
ACSURL string `json:"acs_url,omitempty"`
RelayState string `json:"relay_state,omitempty"`
RequestID string `json:"request_id,omitempty"`
Binding string `json:"binding,omitempty"`
Issuer string `json:"issuer,omitempty"`
Destination string `json:"destination,omitempty"`
LoginClient string `json:"login_client,omitempty"`
ApplicationID string `json:"application_id,omitempty"`
ACSURL string `json:"acs_url,omitempty"`
RelayState string `json:"relay_state,omitempty"`
RequestID string `json:"request_id,omitempty"`
Binding string `json:"binding,omitempty"`
Issuer string `json:"issuer,omitempty"`
Destination string `json:"destination,omitempty"`
ResponseIssuer string `json:"response_issuer,omitempty"`
}
func (e *AddedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
@@ -51,6 +52,7 @@ func NewAddedEvent(ctx context.Context,
binding string,
issuer string,
destination string,
responseIssuer string,
) *AddedEvent {
return &AddedEvent{
BaseEvent: eventstore.NewBaseEventForPush(
@@ -58,14 +60,15 @@ func NewAddedEvent(ctx context.Context,
aggregate,
AddedType,
),
LoginClient: loginClient,
ApplicationID: applicationID,
ACSURL: acsURL,
RelayState: relayState,
RequestID: requestID,
Binding: binding,
Issuer: issuer,
Destination: destination,
LoginClient: loginClient,
ApplicationID: applicationID,
ACSURL: acsURL,
RelayState: relayState,
RequestID: requestID,
Binding: binding,
Issuer: issuer,
Destination: destination,
ResponseIssuer: responseIssuer,
}
}