feat(core,schemas): implement sso token storage #7522

Merged

Conversation

simeng-li
Contributor

Summary

This PR implements the token storage for the enterprise SSO authentication flow.

Key updates

  • Extract the encryptTokenResponse util method from the social library to secret utils, so the method can be shared by the enterprise SSO library.

  • Implement the query method and library method to store the token set secret from the enterprise SSO connector to the DB.

  • Update all OIDC SSO connectors to return the token response from the getUserInfo method.

  • Update the verifySsoIdentity utility method used in experience interactions. If token storage is enabled for the connector, return the encrypted token set received from the SSO provider.

  • Update the experience interaction SSO verification and profile classes to handle and store the encrypted enterprise SSO token set.

  • During interaction submission, if enterpriseSsoConnectorTokenSetSecret exists in the current interaction profile data, store the token set in the Logto Secret Vault for the user.

Testing

Tested locally.
Interaction tests in the upcoming PR.

Checklist

  • .changeset
  • unit tests
  • integration tests
  • necessary TSDoc comments

@simeng-li simeng-li requested a review from Copilot July 7, 2025 08:30
@github-actions github-actions bot added the feature Cool stuff label Jul 7, 2025

github-actions bot commented Jul 7, 2025

COMPARE TO master

Total Size Diff 📈 +7.85 KB

Diff by File
Name Diff
packages/core/src/libraries/social.ts 📈 +841 Bytes
packages/core/src/libraries/sso-connector.ts 📈 +1.08 KB
packages/core/src/queries/secret.ts 📈 +1.53 KB
packages/core/src/routes/experience/classes/experience-interaction.ts 📈 +299 Bytes
packages/core/src/routes/experience/classes/helpers.ts 📈 +268 Bytes
packages/core/src/routes/experience/classes/libraries/provision-library.ts 📈 +255 Bytes
packages/core/src/routes/experience/classes/verifications/enterprise-sso-verification.ts 📈 +1.05 KB
packages/core/src/routes/experience/types.ts 📈 +661 Bytes
packages/core/src/routes/interaction/utils/single-sign-on.test.ts 📈 +38 Bytes
packages/core/src/routes/interaction/utils/single-sign-on.ts 📈 +1.24 KB
packages/core/src/test-utils/mock-libraries.ts 📈 +48 Bytes
packages/core/src/utils/secret-encryption.ts 📈 +1.11 KB
packages/schemas/src/types/logto-config/jwt-customizer.ts 📈 +67 Bytes
packages/schemas/src/types/secrets.ts 📈 +889 Bytes
packages/schemas/src/types/verification-records/enterprise-sso-verification.ts 📈 +177 Bytes
packages/schemas/src/types/verification-records/social-verification.ts 📈 +70 Bytes
packages/toolkit/connector-kit/src/types/social.ts 📈 +94 Bytes
single-sign-on.test.js 0 Bytes

@github-actions github-actions bot added the size/l label Jul 7, 2025
@simeng-li simeng-li force-pushed the simeng-log-11722-experience-api-refactor-sso-connector-get-user-info branch from 32c7d9c to b6a2dab Compare July 7, 2025 08:31
@simeng-li simeng-li force-pushed the simeng-log-11722-experience-api-enterprise-sso-token-storage branch from a01134e to 36f2b52 Compare July 7, 2025 08:32
@github-actions github-actions bot removed the size/l label Jul 7, 2025
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR implements persistent storage for SSO token sets in the enterprise authentication flow by extracting encryption utilities, extending schemas, and wiring up database queries and experience flows to store encrypted tokens.

  • Extract and reuse encryptTokenResponse utility for both social and enterprise SSO.
  • Extend schemas and interaction types to include encryptedTokenSet and enterprise SSO secret relations.
  • Add new upsertEnterpriseSsoTokenSetSecret database query and propagate it through SSO connector library and experience provisioning.

Reviewed Changes

Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.

File Description
packages/toolkit/connector-kit/src/types/social.ts Accept string or number for expires_in in TokenResponse
packages/schemas/src/types/verification-records/social-verification.ts Remove tokenResponse from social verification record schema
packages/schemas/src/types/verification-records/enterprise-sso-verification.ts Add encryptedTokenSet to enterprise SSO record schema
packages/schemas/src/types/secrets.ts Consolidate token-set metadata guard and add enterprise guard
packages/schemas/src/types/logto-config/jwt-customizer.ts Omit encryptedTokenSet in JWT customizer record union
packages/core/src/utils/secret-encryption.ts Extract encryptTokenResponse util and update imports
packages/core/src/test-utils/mock-libraries.ts Add mock for upsertEnterpriseSsoTokenSetSecret
packages/core/src/routes/interaction/utils/single-sign-on.ts Integrate token encryption into SSO verification flow
packages/core/src/routes/interaction/utils/single-sign-on.test.ts Update test to expect encryptedTokenSet field
packages/core/src/routes/experience/types.ts Extend InteractionProfile with enterprise SSO token secret
packages/core/src/routes/experience/classes/verifications/enterprise-sso-verification.ts Persist and expose encryptedTokenSet in verification class
packages/core/src/routes/experience/classes/libraries/provision-library.ts Provision enterprise SSO token secret via library
packages/core/src/routes/experience/classes/helpers.ts Unify handling of social vs. enterprise token secrets
packages/core/src/routes/experience/classes/experience-interaction.ts Sync enterprise SSO token secret during user creation
packages/core/src/queries/secret.ts Implement new upsertEnterpriseSsoTokenSetSecret query
packages/core/src/libraries/sso-connector.ts Add upsertEnterpriseSsoTokenSetSecret to connector library
packages/core/src/libraries/social.ts Refactor social token encryption to use shared util

Comments suppressed due to low confidence (1)

packages/core/src/queries/secret.ts:90

  • The new upsertEnterpriseSsoTokenSetSecret method lacks unit or integration tests. Consider adding tests to cover the delete-and-insert logic and error path.
  public async upsertEnterpriseSsoTokenSetSecret(
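The PR description and the review above describe three pieces that fit together: a shared encryptTokenResponse util that turns the provider's token response into an encryptedTokenSet, an expiresAt derived from an expires_in that may arrive as a string or a number, and an upsertEnterpriseSsoTokenSetSecret query implemented as delete-and-insert so one user/connector pair holds a single token set. The TypeScript below is an added illustration of that shape, not Logto's code: the function and type names mirror those mentioned on the page, but the AES-256-GCM layout (iv || ciphertext || tag), the metadata fields, the in-memory vault and the constructed sample token response are all assumptions made for this example. The point a defender cares about is that the stored blob is authenticated, so a modified row fails to decrypt instead of yielding a forged refresh token.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

// Hypothetical OIDC token response shape; expires_in may be a string or a number.
export type TokenResponse = {
  access_token: string;
  refresh_token?: string;
  token_type?: string;
  scope?: string;
  expires_in?: string | number;
};

// Hypothetical stored shape: the sensitive tokens are encrypted, non-sensitive
// metadata (expiry, scope) stays in the clear so it can be queried.
export type EncryptedTokenSet = {
  encryptedTokenSet: string; // base64( iv || ciphertext || gcm tag )
  metadata: { expiresAt?: number; scope?: string; tokenType?: string };
};

export type EnterpriseSsoTokenSetSecret = {
  userId: string;
  ssoConnectorId: string;
} & EncryptedTokenSet;

const IV_BYTES = 12;
const TAG_BYTES = 16;

// Normalise expires_in (seconds, string or number) into an absolute epoch-ms value.
// Unparseable or non-positive values yield undefined rather than a bogus expiry.
export const computeExpiresAt = (
  expiresIn: string | number | undefined,
  nowMs: number
): number | undefined => {
  if (expiresIn === undefined) return undefined;
  const seconds = typeof expiresIn === 'number' ? expiresIn : Number(expiresIn);
  if (!Number.isFinite(seconds) || seconds <= 0) return undefined;
  return nowMs + seconds * 1000;
};

// Encrypt the access/refresh tokens with AES-256-GCM under a 32-byte vault key.
export const encryptTokenResponse = (
  tokenResponse: TokenResponse,
  key: Buffer,
  nowMs: number = Date.now()
): EncryptedTokenSet => {
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const plaintext = Buffer.from(
    JSON.stringify({
      accessToken: tokenResponse.access_token,
      refreshToken: tokenResponse.refresh_token,
    }),
    'utf8'
  );
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  return {
    encryptedTokenSet: Buffer.concat([iv, ciphertext, tag]).toString('base64'),
    metadata: {
      expiresAt: computeExpiresAt(tokenResponse.expires_in, nowMs),
      scope: tokenResponse.scope,
      tokenType: tokenResponse.token_type,
    },
  };
};

// Decrypt and authenticate; throws if the blob was altered or the key is wrong.
export const decryptTokenSet = (
  encryptedTokenSet: string,
  key: Buffer
): { accessToken: string; refreshToken?: string } => {
  const blob = Buffer.from(encryptedTokenSet, 'base64');
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(blob.length - TAG_BYTES);
  const ciphertext = blob.subarray(IV_BYTES, blob.length - TAG_BYTES);
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  return JSON.parse(plaintext.toString('utf8'));
};

// Hypothetical in-memory stand-in for the secret vault table: the upsert is a
// delete-and-insert keyed by (userId, ssoConnectorId), so re-authenticating
// replaces the previous token set instead of accumulating stale rows.
export class InMemorySecretVault {
  private readonly rows = new Map<string, EnterpriseSsoTokenSetSecret>();

  private rowKey(userId: string, ssoConnectorId: string): string {
    return `${userId}:${ssoConnectorId}`;
  }

  upsertEnterpriseSsoTokenSetSecret(row: EnterpriseSsoTokenSetSecret): EnterpriseSsoTokenSetSecret {
    const key = this.rowKey(row.userId, row.ssoConnectorId);
    this.rows.delete(key); // delete ...
    this.rows.set(key, row); // ... then insert
    return row;
  }

  findEnterpriseSsoTokenSetSecret(userId: string, ssoConnectorId: string) {
    return this.rows.get(this.rowKey(userId, ssoConnectorId));
  }

  size(): number {
    return this.rows.size;
  }
}
```

In a real database the delete and insert would run inside one transaction so a failure between the two statements cannot leave the user without a stored token set; the review comment's request for tests on the "delete-and-insert logic and error path" is exactly that concern.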

@github-actions github-actions bot added size/l and removed size/l labels Jul 7, 2025
Base automatically changed from simeng-log-11722-experience-api-refactor-sso-connector-get-user-info to master July 8, 2025 02:15
@github-actions github-actions bot removed the size/l label Jul 8, 2025
simeng-li added 2 commits July 8, 2025 10:16
implement the enterprise sso sign-in flow token storage
optimize the expiresAt calculation logic
@github-actions github-actions bot added the size/l label Jul 8, 2025
@simeng-li simeng-li force-pushed the simeng-log-11722-experience-api-enterprise-sso-token-storage branch from cced63a to 117e6f0 Compare July 8, 2025 02:17
@github-actions github-actions bot added size/l and removed size/l labels Jul 8, 2025
@simeng-li simeng-li merged commit da3f601 into master Jul 9, 2025
53 of 55 checks passed
@simeng-li simeng-li deleted the simeng-log-11722-experience-api-enterprise-sso-token-storage branch July 9, 2025 02:16