feat: support SAML okta login #149

Closed
wants to merge 42 commits into from
Conversation

ebreak (Member) commented Jul 6, 2021

I have implemented all steps of SAML auth, and it can already sign in via SAML (Okta).

But there are still some problems.

1. I cannot find any keyword to prove that the XML comes from the SAML server

The Okta auth server redirected to Casdoor with an XML file like this:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://localhost:7001/" ID="id34511785908251771146679018" IssueInstant="2021-07-06T09:01:57.342Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk77kxqxalhWrJJr695</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#id34511785908251771146679018">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>uVZVTw2oxC5CmVrq0HLLFfmOOccO2UZ9l/8B82T0K0s=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>J2kQ1aN0h+vCT52r6dpf2KrOrEcGikJs41cVudtmeEB5HZQ5wKY/ywCCKzoSMyLZ4/I+znmf9KMFjIk0va1cEeihdkxzf+ngZjGmhOPs0Ye127AnoW3a/t/i2Nez34cni3+yoF3vHEbCONzVvkH9VIJh3r0YMf5/AtHMuZjC+XTN1uqEuu8Sjv03SPZ+22aBWFMVHmneA++JbRL3mLOPIV8nFyKllJXfCBuuQwNdrqPZl/j02I+b7DJFSRzjcowE5PdYhiDu42LIy1+c6NE02xg3Vtly8bveY7Ni0EJfis0sAE0cGlDRVEx3cujbUMT/1N4rOQmYECEpQ/tjLiW+jw==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    ...
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="id3451178590906809807497440" IssueInstant="2021-07-06T09:01:57.342Z" Version="2.0"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    http://www.okta.com/exk77kxqxalhWrJJr695
        </saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#id3451178590906809807497440">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>Krvw4cHzgPstyrN/IaIbu1vke/+5vtoaofvSo7P2hKc=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>hNcYZT1LcWs38GaX9RDjtfirUhg9bIC6LFco9f7qHr6QbfymzyLRpaFV10otMrqi+1cqUcXTZcdW/ZbJiI5P+KjmKrGoVUc2DRZ9x62k4nyjcg/DNkg6TihYmKpxMcShjt1omI8tlnV4gAf4keAZQOOtOQ8otpfNWqm52vDKyIny+w+re+mlgIlS+yft+z11asJmHPnMkHv+Y7iVUbZZ2VkC4leYKFUDXHOGnZ6xpf+Sd2jWY02gdF5VDgWzhoyKM++gaBO/RrU8he2hATKgR5KlbW1CzsmYswR4WB6F6EM+ckysQ9dzrzUii+X7sM7k0SozqBRlw9/yZcfUS9JCQA==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        ...
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">me@mail.kininaru.dev</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2021-07-06T09:06:57.342Z" Recipient="http://localhost:7001/"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2021-07-06T08:56:57.342Z" NotOnOrAfter="2021-07-06T09:06:57.342Z"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AudienceRestriction>
                <saml2:Audience>saml-test</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2021-07-06T09:00:55.974Z" SessionIndex="id1625562117341.45657483"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

I cannot find any keyword to prove that this request comes from the SAML server.

Anyone can write this XML and send it to Casdoor to declare their identity.

2. The SAML server makes browsers send a POST request when redirecting to Casdoor

React cannot handle a POST request, so I added a new API, /api/saml-callback, in the Go back-end to handle the redirect from the SAML server. It works fine now.

But I wonder whether there is a more suitable way to handle this situation...

This is a draft PR, because I want to get some suggestions...

Here is a video of the whole process.

2021-07-06.23-47-57.mp4
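One way to answer point 1 (and to consume what point 2's POST handler receives), as an added example in Go that is not code from this PR or from Casdoor: the proof that the XML came from Okta is the ds:Signature, but only once it is verified with the certificate pinned from the IdP's metadata rather than the certificate the message itself carries, and only together with the Issuer, Destination/Recipient, Audience and time-window checks that bind the assertion to this SP, right now. Everything here is an assumption of the example: the SPConfig type, ValidateResponse, the placeholder certificate bytes, the cut-down sample response modelled on the one quoted above, and the VerifySignature hook. That hook is where an XML-DSig library (exclusive canonicalisation plus RSA-SHA256 over the assertion) belongs, because the Go standard library has none; the stand-in passed in main verifies nothing and exists only so the program runs.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SPConfig is what Casdoor knows out of band; nothing in the posted XML is trusted until it matches.
type SPConfig struct {
	IdPEntityID   string        // expected saml2:Issuer, from IdP metadata
	IdPCertSHA256 [32]byte      // pinned SHA-256 of the IdP signing certificate (DER), from IdP metadata
	ACSURL        string        // expected Destination and Recipient (the callback URL registered at the IdP)
	SPEntityID    string        // expected Audience
	ClockSkew     time.Duration // tolerated IdP/SP clock difference
	// VerifySignature checks SignatureValue of the assertion with this ID (RSA-SHA256 over the
	// exclusive-canonicalised assertion minus its ds:Signature) using the pinned signer certificate.
	// The standard library has no XML canonicalisation, so an XML-DSig library is plugged in here.
	VerifySignature func(responseXML []byte, assertionID string, signerDER []byte) error
}

// samlResponse maps just the parts of saml2p:Response the checks read.
type samlResponse struct {
	XMLName     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Destination string   `xml:"Destination,attr"`
	Issuer      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Status      struct{ Value string `xml:"Value,attr"` } `xml:"Status>StatusCode"`
	Assertion   struct {
		ID        string `xml:"ID,attr"`
		Issuer    string `xml:"Issuer"`
		Signature struct {
			Method    struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"SignedInfo>SignatureMethod"`
			Reference struct{ URI string `xml:"URI,attr"` } `xml:"SignedInfo>Reference"`
			Cert      string `xml:"KeyInfo>X509Data>X509Certificate"`
		} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
		NameID     string `xml:"Subject>NameID"`
		Recipient  struct{ URL string `xml:"Recipient,attr"` } `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
		Conditions struct {
			NotBefore    string   `xml:"NotBefore,attr"`
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audience     []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

// ValidateResponse takes the SAMLResponse form field the browser POSTs to the callback and
// returns the asserted NameID, or an error naming the first check that failed.
func ValidateResponse(samlResponseB64 string, cfg SPConfig, now time.Time) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(samlResponseB64) // HTTP-POST binding payload
	if err != nil {
		return "", fmt.Errorf("SAMLResponse is not base64: %w", err)
	}
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", fmt.Errorf("bad XML: %w", err)
	}
	a := &r.Assertion
	// The KeyInfo certificate is attacker-controlled (anyone can sign XML with their own key);
	// it only counts if it is byte-for-byte the certificate pinned from IdP metadata.
	der, certErr := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(a.Signature.Cert), ""))
	nb, nbErr := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, naErr := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	audienceOK := false
	for _, aud := range a.Conditions.Audience {
		audienceOK = audienceOK || aud == cfg.SPEntityID
	}
	checks := []struct {
		ok  bool
		why string
	}{
		{cfg.VerifySignature != nil, "no signature verifier configured (fail closed)"},
		{r.Status.Value == "urn:oasis:names:tc:SAML:2.0:status:Success", "status is not Success"},
		{strings.TrimSpace(r.Issuer) == cfg.IdPEntityID && strings.TrimSpace(a.Issuer) == cfg.IdPEntityID, "issuer is not the configured IdP"},
		{a.Signature.Method.Algorithm == "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "missing or unexpected SignatureMethod"},
		// the enveloped signature must reference the assertion it sits in; anything else is the signature-wrapping setup
		{a.ID != "" && a.Signature.Reference.URI == "#"+a.ID, "signature does not reference this assertion"},
		{certErr == nil && sha256.Sum256(der) == cfg.IdPCertSHA256, "KeyInfo certificate is not the pinned IdP certificate"},
		{r.Destination == cfg.ACSURL && a.Recipient.URL == cfg.ACSURL, "Destination/Recipient is not our callback URL"},
		{audienceOK, "assertion is not addressed to this SP"},
		{nbErr == nil && naErr == nil && !now.Add(cfg.ClockSkew).Before(nb) && now.Add(-cfg.ClockSkew).Before(na), "outside Conditions validity window"},
		{a.NameID != "", "missing NameID"},
	}
	for _, c := range checks {
		if !c.ok {
			return "", errors.New(c.why)
		}
	}
	if err := cfg.VerifySignature(raw, a.ID, der); err != nil {
		return "", fmt.Errorf("signature: %w", err)
	}
	// Also remember a.ID until NotOnOrAfter and refuse a second presentation (replay).
	return a.NameID, nil
}

// IdPCertB64 stands in for the signing certificate from IdP metadata (constructed placeholder bytes, not a real certificate).
const IdPCertB64 = "TUlJQy1leGFtcGxlLWlkcC1zaWduaW5nLWNlcnQtcGxhY2Vob2xkZXI="

// sampleResponse is a constructed stand-in for the Okta response quoted above, cut down to the
// elements the checks read; SignatureValue is "..." because VerifySignature owns that part.
func sampleResponse(certB64, audience string) string {
	return `<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="http://localhost:7001/" ID="id1" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml2:Issuer>http://www.okta.com/exk77kxqxalhWrJJr695</saml2:Issuer>
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion ID="id2" Version="2.0"><saml2:Issuer> http://www.okta.com/exk77kxqxalhWrJJr695 </saml2:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id2"/></ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + certB64 + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml2:Subject><saml2:NameID>me@mail.kininaru.dev</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2021-07-06T09:06:57.342Z" Recipient="http://localhost:7001/"/></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2021-07-06T08:56:57.342Z" NotOnOrAfter="2021-07-06T09:06:57.342Z"><saml2:AudienceRestriction><saml2:Audience>` + audience + `</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion></saml2p:Response>`
}

func main() {
	der, _ := base64.StdEncoding.DecodeString(IdPCertB64)
	cfg := SPConfig{IdPEntityID: "http://www.okta.com/exk77kxqxalhWrJJr695", IdPCertSHA256: sha256.Sum256(der),
		ACSURL: "http://localhost:7001/", SPEntityID: "saml-test", ClockSkew: time.Minute,
		VerifySignature: func([]byte, string, []byte) error { return nil }} // stand-in only; use a real XML-DSig verifier
	posted := base64.StdEncoding.EncodeToString([]byte(sampleResponse(IdPCertB64, "saml-test")))
	fmt.Println(ValidateResponse(posted, cfg, time.Date(2021, 7, 6, 9, 2, 0, 0, time.UTC)))
}
```

Behind the /api/saml-callback handler this is the whole job: read the SAMLResponse form field, hand it to ValidateResponse, and only create the Casdoor session when it returns a NameID. The reason the message carries no "keyword" is that none would help; a string is copyable, a signature bound to a certificate you fetched from Okta's metadata is not, and the Audience, Recipient and time-window checks are what stop a valid assertion issued for some other SP, or captured yesterday, from being replayed here.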

ebreak force-pushed the master branch 2 times, most recently from 0b1b0a9 to 27dd0ed on July 9, 2021 15:52
hsluoyz and others added 10 commits July 10, 2021 00:08
hsluoyz and others added 8 commits July 11, 2021 23:51
Signed-off-by: MRGUOKING <420919469@qq.com>

The count-down will be disabled after sending the code

Signed-off-by: MRGUOKING <420919469@qq.com>
fix: The count-down will be disabled
Signed-off-by: killer <1533063601@qq.com>
feat: add run casdoor through docker
turbodog03 and others added 9 commits July 16, 2021 22:32
Signed-off-by: turbodog03 <63595854+turbodog03@users.noreply.github.com>
feat: add language select box and background color change when hover
Signed-off-by: WindSpiritSR <simon343riley@gmail.com>
fix: db data init and frontend warning
Signed-off-by: WindSpiritSR <simon343riley@gmail.com>
Signed-off-by: killer <1533063601@qq.com>
hsluoyz and others added 7 commits July 17, 2021 22:55
fix: Fix the user list cannot be displayed completely
Signed-off-by: Kininaru <shiftregister233@outlook.com>
Signed-off-by: Kininaru <shiftregister233@outlook.com>
feat: auto login session will expire after 24h
Signed-off-by: Kininaru <shiftregister233@outlook.com>

typo
Signed-off-by: Kininaru <shiftregister233@outlook.com>