feat(core,schemas): implement sso token storage #7522
Name | Diff |
---|---|
packages/core/src/libraries/social.ts | 📈 +841 Bytes |
packages/core/src/libraries/sso-connector.ts | 📈 +1.08 KB |
packages/core/src/queries/secret.ts | 📈 +1.53 KB |
packages/core/src/routes/experience/classes/experience-interaction.ts | 📈 +299 Bytes |
packages/core/src/routes/experience/classes/helpers.ts | 📈 +268 Bytes |
packages/core/src/routes/experience/classes/libraries/provision-library.ts | 📈 +255 Bytes |
packages/core/src/routes/experience/classes/verifications/enterprise-sso-verification.ts | 📈 +1.05 KB |
packages/core/src/routes/experience/types.ts | 📈 +661 Bytes |
packages/core/src/routes/interaction/utils/single-sign-on.test.ts | 📈 +38 Bytes |
packages/core/src/routes/interaction/utils/single-sign-on.ts | 📈 +1.24 KB |
packages/core/src/test-utils/mock-libraries.ts | 📈 +48 Bytes |
packages/core/src/utils/secret-encryption.ts | 📈 +1.11 KB |
packages/schemas/src/types/logto-config/jwt-customizer.ts | 📈 +67 Bytes |
packages/schemas/src/types/secrets.ts | 📈 +889 Bytes |
packages/schemas/src/types/verification-records/enterprise-sso-verification.ts | 📈 +177 Bytes |
packages/schemas/src/types/verification-records/social-verification.ts | 📈 +70 Bytes |
packages/toolkit/connector-kit/src/types/social.ts | 📈 +94 Bytes |
single-sign-on.test.js | 0 Bytes |
Pull Request Overview
This PR implements persistent storage for SSO token sets in the enterprise authentication flow by extracting encryption utilities, extending schemas, and wiring up database queries and experience flows to store encrypted tokens.
- Extract and reuse `encryptTokenResponse` utility for both social and enterprise SSO.
- Extend schemas and interaction types to include `encryptedTokenSet` and enterprise SSO secret relations.
- Add new `upsertEnterpriseSsoTokenSetSecret` database query and propagate it through SSO connector library and experience provisioning.
Reviewed Changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.
File | Description |
---|---|
packages/toolkit/connector-kit/src/types/social.ts | Accept string or number for expires_in in TokenResponse |
packages/schemas/src/types/verification-records/social-verification.ts | Remove tokenResponse from social verification record schema |
packages/schemas/src/types/verification-records/enterprise-sso-verification.ts | Add encryptedTokenSet to enterprise SSO record schema |
packages/schemas/src/types/secrets.ts | Consolidate token-set metadata guard and add enterprise guard |
packages/schemas/src/types/logto-config/jwt-customizer.ts | Omit encryptedTokenSet in JWT customizer record union |
packages/core/src/utils/secret-encryption.ts | Extract encryptTokenResponse util and update imports |
packages/core/src/test-utils/mock-libraries.ts | Add mock for upsertEnterpriseSsoTokenSetSecret |
packages/core/src/routes/interaction/utils/single-sign-on.ts | Integrate token encryption into SSO verification flow |
packages/core/src/routes/interaction/utils/single-sign-on.test.ts | Update test to expect encryptedTokenSet field |
packages/core/src/routes/experience/types.ts | Extend InteractionProfile with enterprise SSO token secret |
packages/core/src/routes/experience/classes/verifications/enterprise-sso-verification.ts | Persist and expose encryptedTokenSet in verification class |
packages/core/src/routes/experience/classes/libraries/provision-library.ts | Provision enterprise SSO token secret via library |
packages/core/src/routes/experience/classes/helpers.ts | Unify handling of social vs. enterprise token secrets |
packages/core/src/routes/experience/classes/experience-interaction.ts | Sync enterprise SSO token secret during user creation |
packages/core/src/queries/secret.ts | Implement new upsertEnterpriseSsoTokenSetSecret query |
packages/core/src/libraries/sso-connector.ts | Add upsertEnterpriseSsoTokenSetSecret to connector library |
packages/core/src/libraries/social.ts | Refactor social token encryption to use shared util |
Comments suppressed due to low confidence (1)
packages/core/src/queries/secret.ts:90
- The new `upsertEnterpriseSsoTokenSetSecret` method lacks unit or integration tests. Consider adding tests to cover the delete-and-insert logic and error path.
`public async upsertEnterpriseSsoTokenSetSecret(`
implement the enterprise sso sign-in flow token storage
optimize the expiresAt calculation logic
Summary
This PR implements the token storage for the enterprise SSO authentication flow.
Key updates
- Extract the `encryptTokenResponse` util method from the social library to secret utils, so the method can be shared by the enterprise SSO library.
- Implement the query method and library method to store the token set secret from the enterprise SSO connector to the DB.
- Update all OIDC SSO connectors to return the token response from the `getUserInfo` method.
- Update the `verifySsoIdentity` utility method used in experience interactions. If token storage is enabled for the connector, return the encrypted token set received from the SSO provider.
- Update the experience interaction SSO verification and profile classes to handle and store the encrypted enterprise SSO token set.
- During interaction submission, if `enterpriseSsoConnectorTokenSetSecret` exists in the current interaction profile data, store the token set in the Logto Secret Vault for the user.
Testing
- Test locally.
- Interaction tests in the upcoming PR.
Checklist
- .changeset
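An added example, not code from this PR or from Logto, of the two pieces the description combines: an `encryptTokenResponse`-style helper that normalises `expires_in` (string or number, as the connector-kit change allows) into `expiresAt` metadata and encrypts the token set with AES-256-GCM, and a `verifySsoIdentity`-style gate that only returns the encrypted set when token storage is enabled for the connector. The type shapes, the `tokenStorageEnabled` flag, the blob layout and the decrypt helper are assumptions made here, not Logto's API.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';

// Assumed shape of an IdP token response; expires_in may arrive as a string or a number.
export type TokenResponse = { access_token: string; refresh_token?: string; expires_in?: string | number };

// Assumed stored form: AES-256-GCM blob (iv || tag || ciphertext, base64) plus metadata.
export type EncryptedTokenSet = {
  encryptedTokenSet: string;
  metadata: { expiresAt?: number; hasRefreshToken: boolean };
};

// Normalise expires_in into an absolute epoch-second deadline. Non-numeric or
// non-positive values yield undefined rather than a bogus expiry.
export const computeExpiresAt = (expiresIn: string | number | undefined, nowSeconds: number): number | undefined => {
  if (expiresIn === undefined) return undefined;
  const seconds = typeof expiresIn === 'number' ? expiresIn : Number(expiresIn);
  if (!Number.isFinite(seconds) || seconds <= 0) return undefined;
  return nowSeconds + Math.floor(seconds);
};

// Encrypt the whole token response under a 32-byte vault key; GCM's auth tag makes
// any tampering with the stored blob fail on decrypt instead of yielding garbage.
export const encryptTokenResponse = (key: Buffer, token: TokenResponse, nowSeconds: number): EncryptedTokenSet => {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(token), 'utf8'), cipher.final()]);
  return {
    encryptedTokenSet: Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString('base64'),
    metadata: { expiresAt: computeExpiresAt(token.expires_in, nowSeconds), hasRefreshToken: token.refresh_token !== undefined },
  };
};

export const decryptTokenSet = (key: Buffer, encoded: string): TokenResponse => {
  const blob = Buffer.from(encoded, 'base64');
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const plaintext = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return JSON.parse(plaintext.toString('utf8')) as TokenResponse;
};

// Gate from the PR description: only return an encrypted token set when token
// storage is enabled for the connector. `tokenStorageEnabled` is an assumed flag name.
export const verifySsoIdentity = (
  connector: { tokenStorageEnabled: boolean },
  token: TokenResponse,
  key: Buffer,
  nowSeconds: number,
): { encryptedTokenSet?: EncryptedTokenSet } =>
  connector.tokenStorageEnabled ? { encryptedTokenSet: encryptTokenResponse(key, token, nowSeconds) } : {};
```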