feat: Add SAML support (browser-post)

[scanning]

Add basic browser-post SAML support using @node-saml/node-saml.

Tested via a modified authorizer.ts using Okta, as below.

import { authorizer } from "@openauthjs/openauth"
import { MemoryStorage } from "@openauthjs/openauth/storage/memory"
import { subjects } from "../../subjects.js"
import { SamlAdapter } from "@openauthjs/openauth/adapter/saml"

async function getUser(nameID: string) {
  // Get user from database
  // Return user ID
  return nameID
}

export default authorizer({
  subjects,
  storage: MemoryStorage({
    persist: "./persist.json",
  }),
  providers: {
    saml: SamlAdapter({
      idpCert: 'MIIDpjCCAo6gAwIBAgIGAZPxVe/7MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Rldi03NjgzMzc5MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMB4XDTI0MTIyMzAyMjUwMVoXDTM0MTIyMzAyMjYwMVowgZMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLZGV2LTc2ODMzNzkxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkeCKYAi+Fhjw/8XXfPrLmFQGkAG43AD5L57ODvdQozYai1hCTxIc/m+9TiuaeS+Ujq9DuSqfdg5JypZ+tmk4btFyj8NwHUV1gUgnY/yHIzGxGwuMGlb5PlVASN4pCvOSsEApjolGOnHV0OyKmGJPB8HlIarEYC9oKh2TByq8O+fJbaTs0ifWlg1xTE8emPhE/QQKzSZKccwaZC5eo/0R+tt7J5r4qCjki1wtPRYDQPh7mNoJ+EjBtnPEAJiHvA5Jn1K0EuHf07OC3in91j0boPzh1vlgXI3//P/BVDkTUuyindFh/gdkhVEDXISI9yqqGrWJ8kSHOUdoEYBvbFTORAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGPVYctYWJTM7tkvjdDo9S2KAOMcEG4O+elz2IuXXnkjQiLLQx98HUm6PT35EEr/3rNpMviHRjC2s5V4P3I9/LKg3VyNVli8KoFjFX5166PqL2cJpfo8vwe3WYwY9skWqvrYvaPUiQrio6g+TsVpsUkIj3wwAJHGFgQnTykHSMi4lWgWNIIrWGfd9fivqFhbc7F41wt/zr+hB32Nl1EYNb51dlQhVLB4lVm4JQXkzJ7VJeJkk46E72noiU6tyIN0HKVoEvERm+nmZOLbjvRuR7GprE4/JiDJI76rgUjOTPFz77ZvfiONw0gwHlmDalgusm+DTXoqqsNSQIMYR2WMeXs=',
      idpIssuer: 'http://www.okta.com/exkm2znudk4iKZc3u5d7',
      idpSignonUrl: 'https://dev-7683379.okta.com/app/dev-7683379_openauthjs_1/exkm2znudk4iKZc3u5d7/sso/saml'
    }) 
  },
  success: async (ctx, value) => {
    if (value.provider === "saml") {
      return ctx.subject("user", {
        id: await getUser(value.claims.nameID),
      })
    }
    throw new Error("Invalid provider")
  },
})

[changeset-bot]

🦋 Changeset detected

Latest commit: 63c6425

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@openauthjs/openauth	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[thdxr]

how important do you think @node-saml is?

i'm trying to limit dependencies so the library stays light + ensuring that code can run across lambda, cloudflare workers, etc

[scanning]

how important do you think @node-saml is?

i'm trying to limit dependencies so the library stays light + ensuring that code can run across lambda, cloudflare workers, etc

The dependencies are all xml related libs. I suspect you'd probably want to use these same libs if you were implementing from scratch? I know there are also some gnarly xml-related security issues that these libs and implementation (I assume) takes care of.

  "dependencies": {
    "@types/debug": "^4.1.12",
    "@types/qs": "^6.9.11",
    "@types/xml-encryption": "^1.2.4",
    "@types/xml2js": "^0.4.14",
    "@xmldom/is-dom-node": "^1.0.1",
    "@xmldom/xmldom": "^0.8.10",
    "debug": "^4.3.4",
    "xml-crypto": "^6.0.0",
    "xml-encryption": "^3.0.2",
    "xml2js": "^0.6.2",
    "xmlbuilder": "^15.1.1",
    "xpath": "^0.0.34"
  },

If you're worried about dependency bloat this adapter could always be released as a separate module/package? Not sure if that's for or against the philosophy you're going for here though.

[Cmion]

Hey @thdxr I think adapters should be installed as separate packages, that way we can limit the number of dependencies whilst giving users the choice to choose which adapters they want.
for example: @openauthjs/google, @openauthjs/saml, @openauthjs/github ...
That way openauth core can ship with the mininum dependencies. We could do same for the storage and also encourage community submissions; so openauth can stay on mission

import { authorizer } from "@openauthjs/openauth"
import { MemoryStorage } from "@openauthjs/openauth/storage/memory"
import { subjects } from "../../subjects.js"
import SamlAdapter from "@openauthjs/saml"

async function getUser(nameID: string) {
  // Get user from database
  // Return user ID
  return nameID
}

export default authorizer({
  subjects,
  storage: MemoryStorage({
    persist: "./persist.json",
  }),
  providers: {
    saml: SamlAdapter({
      idpCert: 'MIIDpjCCAo6gAwIBAgIGAZPxVe/7MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFDASBgNVBAMMC2Rldi03NjgzMzc5MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMB4XDTI0MTIyMzAyMjUwMVoXDTM0MTIyMzAyMjYwMVowgZMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEUMBIGA1UEAwwLZGV2LTc2ODMzNzkxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkeCKYAi+Fhjw/8XXfPrLmFQGkAG43AD5L57ODvdQozYai1hCTxIc/m+9TiuaeS+Ujq9DuSqfdg5JypZ+tmk4btFyj8NwHUV1gUgnY/yHIzGxGwuMGlb5PlVASN4pCvOSsEApjolGOnHV0OyKmGJPB8HlIarEYC9oKh2TByq8O+fJbaTs0ifWlg1xTE8emPhE/QQKzSZKccwaZC5eo/0R+tt7J5r4qCjki1wtPRYDQPh7mNoJ+EjBtnPEAJiHvA5Jn1K0EuHf07OC3in91j0boPzh1vlgXI3//P/BVDkTUuyindFh/gdkhVEDXISI9yqqGrWJ8kSHOUdoEYBvbFTORAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGPVYctYWJTM7tkvjdDo9S2KAOMcEG4O+elz2IuXXnkjQiLLQx98HUm6PT35EEr/3rNpMviHRjC2s5V4P3I9/LKg3VyNVli8KoFjFX5166PqL2cJpfo8vwe3WYwY9skWqvrYvaPUiQrio6g+TsVpsUkIj3wwAJHGFgQnTykHSMi4lWgWNIIrWGfd9fivqFhbc7F41wt/zr+hB32Nl1EYNb51dlQhVLB4lVm4JQXkzJ7VJeJkk46E72noiU6tyIN0HKVoEvERm+nmZOLbjvRuR7GprE4/JiDJI76rgUjOTPFz77ZvfiONw0gwHlmDalgusm+DTXoqqsNSQIMYR2WMeXs=',
      idpIssuer: 'http://www.okta.com/exkm2znudk4iKZc3u5d7',
      idpSignonUrl: 'https://dev-7683379.okta.com/app/dev-7683379_openauthjs_1/exkm2znudk4iKZc3u5d7/sso/saml'
    }) 
  },
  success: async (ctx, value) => {
    if (value.provider === "saml") {
      return ctx.subject("user", {
        id: await getUser(value.claims.nameID),
      })
    }
    throw new Error("Invalid provider")
  },
})