feat(core,schemas): implement sso token storage #7522
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
COMPARE TO
|
| Name | Diff |
|---|---|
| packages/core/src/libraries/social.ts | 📈 +841 Bytes |
| packages/core/src/libraries/sso-connector.ts | 📈 +1.08 KB |
| packages/core/src/queries/secret.ts | 📈 +1.53 KB |
| packages/core/src/routes/experience/classes/experience-interaction.ts | 📈 +299 Bytes |
| packages/core/src/routes/experience/classes/helpers.ts | 📈 +268 Bytes |
| packages/core/src/routes/experience/classes/libraries/provision-library.ts | 📈 +255 Bytes |
| packages/core/src/routes/experience/classes/verifications/enterprise-sso-verification.ts | 📈 +1.05 KB |
| packages/core/src/routes/experience/types.ts | 📈 +661 Bytes |
| packages/core/src/routes/interaction/utils/single-sign-on.test.ts | 📈 +38 Bytes |
| packages/core/src/routes/interaction/utils/single-sign-on.ts | 📈 +1.24 KB |
| packages/core/src/test-utils/mock-libraries.ts | 📈 +48 Bytes |
| packages/core/src/utils/secret-encryption.ts | 📈 +1.11 KB |
| packages/schemas/src/types/logto-config/jwt-customizer.ts | 📈 +67 Bytes |
| packages/schemas/src/types/secrets.ts | 📈 +889 Bytes |
| packages/schemas/src/types/verification-records/enterprise-sso-verification.ts | 📈 +177 Bytes |
| packages/schemas/src/types/verification-records/social-verification.ts | 📈 +70 Bytes |
| packages/toolkit/connector-kit/src/types/social.ts | 📈 +94 Bytes |
| single-sign-on.test.js | 0 Bytes |
simeng-li
force-pushed
the
simeng-log-11722-experience-api-refactor-sso-connector-get-user-info
branch
from
32c7d9c to
b6a2dab
Compare
simeng-li
force-pushed
the
simeng-log-11722-experience-api-enterprise-sso-token-storage
branch
from
a01134e to
36f2b52
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR implements persistent storage for SSO token sets in the enterprise authentication flow by extracting encryption utilities, extending schemas, and wiring up database queries and experience flows to store encrypted tokens.
- Extract and reuse
encryptTokenResponseutility for both social and enterprise SSO. - Extend schemas and interaction types to include
encryptedTokenSetand enterprise SSO secret relations. - Add new
upsertEnterpriseSsoTokenSetSecretdatabase query and propagate it through SSO connector library and experience provisioning.
Reviewed Changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/toolkit/connector-kit/src/types/social.ts | Accept string or number for expires_in in TokenResponse |
| packages/schemas/src/types/verification-records/social-verification.ts | Remove tokenResponse from social verification record schema |
| packages/schemas/src/types/verification-records/enterprise-sso-verification.ts | Add encryptedTokenSet to enterprise SSO record schema |
| packages/schemas/src/types/secrets.ts | Consolidate token-set metadata guard and add enterprise guard |
| packages/schemas/src/types/logto-config/jwt-customizer.ts | Omit encryptedTokenSet in JWT customizer record union |
| packages/core/src/utils/secret-encryption.ts | Extract encryptTokenResponse util and update imports |
| packages/core/src/test-utils/mock-libraries.ts | Add mock for upsertEnterpriseSsoTokenSetSecret |
| packages/core/src/routes/interaction/utils/single-sign-on.ts | Integrate token encryption into SSO verification flow |
| packages/core/src/routes/interaction/utils/single-sign-on.test.ts | Update test to expect encryptedTokenSet field |
| packages/core/src/routes/experience/types.ts | Extend InteractionProfile with enterprise SSO token secret |
| packages/core/src/routes/experience/classes/verifications/enterprise-sso-verification.ts | Persist and expose encryptedTokenSet in verification class |
| packages/core/src/routes/experience/classes/libraries/provision-library.ts | Provision enterprise SSO token secret via library |
| packages/core/src/routes/experience/classes/helpers.ts | Unify handling of social vs. enterprise token secrets |
| packages/core/src/routes/experience/classes/experience-interaction.ts | Sync enterprise SSO token secret during user creation |
| packages/core/src/queries/secret.ts | Implement new upsertEnterpriseSsoTokenSetSecret query |
| packages/core/src/libraries/sso-connector.ts | Add upsertEnterpriseSsoTokenSetSecret to connector library |
| packages/core/src/libraries/social.ts | Refactor social token encryption to use shared util |
Comments suppressed due to low confidence (1)
packages/core/src/queries/secret.ts:90
- The new
upsertEnterpriseSsoTokenSetSecretmethod lacks unit or integration tests. Consider adding tests to cover the delete-and-insert logic and error path.
public async upsertEnterpriseSsoTokenSetSecret(
wangsijie
approved these changes
Jul 8, 2025
Base automatically changed from
simeng-log-11722-experience-api-refactor-sso-connector-get-user-info
to
master
July 8, 2025 02:15
implement the enterprise sso sign-in flow token storage
optimize the expiresAt calculation logic
simeng-li
force-pushed
the
simeng-log-11722-experience-api-enterprise-sso-token-storage
branch
from
cced63a to
117e6f0
Compare
darcyYe
approved these changes
Jul 8, 2025
simeng-li
deleted the
simeng-log-11722-experience-api-enterprise-sso-token-storage
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements the token storage for the enterprise SSO authentication flow.
Key updates
Extract the
encryptTokenResponseutil method from the social library to secret utils. So the method can be shared by the enterprise SSO library.Implement the query method and library method to store the token set secret from the enterprise SSO connector to the DB.
Update all OIDC SSO connectors to return the token response from the
getUserInfomethod.Update the
verifySsoIdentityutility method used in experience interactions. If token storage is enabled for the connector, return the encrypted token set received from the SSO provider.Update the experience interaction SSO verification and profile classes to handle and store the encrypted enterprise SSO token set.
During interaction submission, if
enterpriseSsoConnectorTokenSetSecretexists in the current interaction profile data, store the token set in the Logto Secret Vault for the user.Testing
test locally.
interaction tests in the upcoming PR.
Checklist
.changeset