feat(providers): add BoxyHQ SAML Jackson provider #3782
Merged

24 commits, all by deepakprabhakara:

- 1d0b89a added saml-jackson provider
- 94fd46b Merge branch 'main' into boxyhq-saml
- 94be271 Merge branch 'main' into boxyhq-saml
- 9aee942 Merge branch 'main' into boxyhq-saml
- 8955ffd incorporated code review changes
- a727b78 Merge branch 'main' into boxyhq-saml
- c0972e0 fixed SAMLJacksonProfile type
- bf62a08 Merge branch 'main' into boxyhq-saml
- 152af78 Merge branch 'main' into boxyhq-saml
- d1c2bbf trying to adjust code for monorepo
- 98845f2 Merge branch 'main' into boxyhq-saml
- 32622d8 Merge branch 'main' into boxyhq-saml
- c762463 Merge branch 'main' into boxyhq-saml
- 483634d Merge branch 'main' into boxyhq-saml
- d507c6c Merge branch 'main' into boxyhq-saml
- b6b24bf Merge branch 'main' into boxyhq-saml
- 23532f1 Merge branch 'main' into boxyhq-saml
- c5ad8a7 cleanup from merge with main
- 42ee902 updated docs link
- afbdc5b added example
- 603d1f5 consistent naming
- 28a2794 Merge branch 'main' into boxyhq-saml
- c8dc125 Incorporated code review changes:
- ab81e1a email is guaranteed to be present
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
--- | ||
id: boxyhq-saml | ||
title: BoxyHQ SAML | ||
--- | ||
|
||
## Documentation | ||
|
||
BoxyHQ SAML is an open source service that handles the SAML login flow as an OAuth 2.0 flow, abstracting away all the complexities of the SAML protocol. | ||
|
||
You can deploy BoxyHQ SAML as a separate service or embed it into your app using our NPM library. [Check out the documentation for more details](https://boxyhq.com/docs/jackson/deploy) | ||
|
||
## Configuration | ||
|
||
SAML login requires a configuration for every tenant of yours. One common method is to use the domain for an email address to figure out which tenant they belong to. You can also use a unique tenant ID (string) from your backend for this, typically some kind of account or organization ID. | ||
|
||
Check out the [documentation](https://boxyhq.com/docs/jackson/saml-flow#2-saml-config-api) for more details. | ||
|
||
## Options | ||
|
||
The **BoxyHQ SAML Provider** comes with a set of default options: | ||
|
||
- [BoxyHQ Provider options](https://github.com/nextauthjs/next-auth/tree/main/packages/next-auth/src/providers/boxyhq-saml.ts) | ||
|
||
You can override any of the options to suit your own use case. | ||
|
||
## Example | ||
|
||
```ts | ||
import BoxyHQSAMLProvider from "next-auth/providers/boxyhq-saml" | ||
... | ||
providers: [ | ||
BoxyHQSAMLProvider({ | ||
issuer: "http://localhost:5000", | ||
clientId: "dummy", // The dummy here is necessary since we'll pass tenant and product custom attributes in the client code | ||
clientSecret: "dummy", // The dummy here is necessary since we'll pass tenant and product custom attributes in the client code | ||
}) | ||
} | ||
... | ||
``` | ||
|
||
On the client side you'll need to pass additional parameters `tenant` and `product` to the `signIn` function. This will allow BoxyHQL SAML to figure out the right SAML configuration and take your user to the right SAML Identity Provider to sign them in. | ||
|
||
```tsx | ||
import { signIn } from "next-auth/react"; | ||
... | ||
|
||
// Map your users's email to a tenant and product | ||
const tenant = email.split("@")[1]; | ||
const product = 'my_awesome_product'; | ||
... | ||
<Button | ||
onClick={async (event) => { | ||
event.preventDefault(); | ||
|
||
signIn("boxyhq-saml", {}, { tenant, product }); | ||
}}> | ||
... | ||
``` |
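Review bot: the `## Example` snippet opens an array with `providers: [` but closes it with `}` on the line after the `BoxyHQSAMLProvider({ ... })` call; it should close with `]` so the fragment is valid TypeScript when pasted into a NextAuth config. Two further points in the same hunk: the comments on `clientId: "dummy"` and `clientSecret: "dummy"` say the placeholder is "necessary" for the tenant/product flow, but the discussion on this PR says a real `clientSecret` is also an option and that the placeholder only matches Jackson's default client secret verifier, so the docs should state that `"dummy"` provides no client authentication and is meant for local development against `http://localhost:5000`, with a pointer to setting a real secret for deployments; and the `tsx` block derives `tenant` from `email.split("@")[1]`, a value the browser controls, so the paragraph introducing it should say that `tenant` and `product` only select which SAML configuration Jackson uses and are not evidence of the user's organisation (that comes from the IdP's assertion, surfaced through the userinfo endpoint). Minor: "BoxyHQL SAML" in that paragraph is a typo for "BoxyHQ SAML".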
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
import type { OAuthConfig, OAuthUserConfig } from "." | ||
|
||
export interface BoxyHQSAMLProfile { | ||
id: string | ||
email: string | ||
firstName?: string | ||
lastName?: string | ||
} | ||
|
||
export default function SAMLJackson< | ||
P extends Record<string, any> = BoxyHQSAMLProfile | ||
>(options: OAuthUserConfig<P>): OAuthConfig<P> { | ||
return { | ||
id: "boxyhq-saml", | ||
name: "BoxyHQ SAML", | ||
type: "oauth", | ||
version: "2.0", | ||
checks: ["pkce", "state"], | ||
authorization: { | ||
url: `${options.issuer}/api/oauth/authorize`, | ||
params: { | ||
provider: "saml", | ||
}, | ||
}, | ||
token: `${options.issuer}/api/oauth/token`, | ||
userinfo: `${options.issuer}/api/oauth/userinfo`, | ||
profile(profile) { | ||
return { | ||
id: profile.id, | ||
email: profile.email, | ||
name: [profile.firstName, profile.lastName].filter(Boolean).join(" "), | ||
image: null, | ||
} | ||
}, | ||
options, | ||
} | ||
} |
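Review bot: `options.issuer` is interpolated into the `authorization`, `token` and `userinfo` URLs without any check, so a missing `issuer` silently yields `undefined/api/oauth/authorize` and a trailing slash yields `//api/oauth/token`; validate it at the top of the function, e.g. `if (!options.issuer) throw new Error("BoxyHQ SAML provider requires `issuer`")`, and strip a trailing `/` before building the URLs. In `profile()`, when neither `firstName` nor `lastName` is present the `filter(Boolean).join(" ")` expression returns `name: ""` rather than `null`, which callers may treat as a set name; `|| null` would keep it consistent with `image: null`. Naming is also inconsistent within the hunk: the function is `SAMLJackson` while the profile type is `BoxyHQSAMLProfile` and the provider `id` is `boxyhq-saml`, and the docs import the default export as `BoxyHQSAMLProvider`; renaming the function to `BoxyHQSAML` would make stack traces and editor hints agree with the docs. The `checks: ["pkce", "state"]` setting is the right default for this flow and should stay.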
balazsorban44: So that I understand this correctly. These values are always dummy? It might be my limited knowledge of SAML, but setting a hardcoded `clientSecret` does not sound right in OAuth 2.0. What am I missing?

Reply: @balazsorban44 Please see here - #3782 (comment). The user can opt for a proper clientSecret or the convenience of tenant and product.

Reply: Also this configuration can be set during deployment to change the default `dummy` value - https://boxyhq.com/docs/jackson/deploy/env-variables#client_secret_verifier
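As an added example, not code from this PR, from next-auth or from BoxyHQ, here is the start-up check the exchange above points at: build the three option fields the docs example passes (`issuer`, `clientId`, `clientSecret`) from the environment, allow the documented `"dummy"` placeholder only outside production, and derive the tenant from the email domain the way the docs' client snippet does, but with validation. The `BOXYHQ_*` environment variable names and the `BoxyHQProviderOptions` type are assumptions made for this example; `NODE_ENV` is the usual Node/Next.js convention.

```typescript
// Added example, not code from the next-auth PR or from BoxyHQ. The docs
// example uses clientId/clientSecret "dummy"; a fixed, published secret does
// not authenticate the client, so this helper accepts it only outside
// production. The BOXYHQ_* variable names are assumptions for this example.

interface BoxyHQProviderOptions {
  issuer: string
  clientId: string
  clientSecret: string
}

interface BoxyHQEnv {
  NODE_ENV?: string
  BOXYHQ_ISSUER?: string        // assumed name, e.g. http://localhost:5000
  BOXYHQ_CLIENT_ID?: string     // assumed name
  BOXYHQ_CLIENT_SECRET?: string // assumed name
}

// The placeholder value used by the PR's documentation example.
const PLACEHOLDER = "dummy"

function parseAbsoluteUrl(value: string): URL | null {
  try {
    return new URL(value)
  } catch {
    return null
  }
}

// Builds the object handed to BoxyHQSAMLProvider({...}), failing fast on a
// missing or relative issuer, on plain http in production, and on the
// placeholder secret in production. The trailing slash is stripped so the
// provider's `${issuer}/api/oauth/...` interpolation cannot produce `//api`.
function buildBoxyHQOptions(env: BoxyHQEnv): BoxyHQProviderOptions {
  const production = env.NODE_ENV === "production"

  const rawIssuer = env.BOXYHQ_ISSUER
  if (!rawIssuer) {
    throw new Error("BOXYHQ_ISSUER is required, e.g. http://localhost:5000")
  }
  const parsed = parseAbsoluteUrl(rawIssuer)
  if (parsed === null) {
    throw new Error(`BOXYHQ_ISSUER is not an absolute URL: ${rawIssuer}`)
  }
  if (production && parsed.protocol !== "https:") {
    throw new Error("BOXYHQ_ISSUER must use https in production")
  }

  const clientId = env.BOXYHQ_CLIENT_ID ?? PLACEHOLDER
  const clientSecret = env.BOXYHQ_CLIENT_SECRET ?? PLACEHOLDER
  if (production && clientSecret === PLACEHOLDER) {
    throw new Error(
      "refusing the placeholder clientSecret in production: set BOXYHQ_CLIENT_SECRET " +
        "and configure the matching client secret verifier on the Jackson deployment"
    )
  }

  return { issuer: rawIssuer.replace(/\/+$/, ""), clientId, clientSecret }
}

// Conservative hostname syntax: labels of letters, digits and hyphens, no
// leading or trailing hyphen, no empty labels, at most 253 characters.
const DOMAIN_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/

// Derives the tenant from the user's email domain, as the docs' client snippet
// does with email.split("@")[1], but normalises case and whitespace and returns
// null for anything that is not a single local@domain pair, so the caller can
// prompt for a tenant instead of sending garbage to the authorize endpoint.
// The tenant is typed by the user in the browser: it only selects which SAML
// configuration Jackson uses and is not evidence of the user's organisation;
// that comes from the IdP's assertion, surfaced via the userinfo endpoint.
function tenantFromEmail(email: string): string | null {
  const normalised = email.trim().toLowerCase()
  const at = normalised.indexOf("@")
  // No "@", empty local part, or more than one "@": not derivable.
  if (at <= 0 || at !== normalised.lastIndexOf("@")) return null
  const domain = normalised.slice(at + 1)
  return DOMAIN_RE.test(domain) ? domain : null
}

// Usage with constructed input: a local development run against the docs'
// localhost issuer, then the tenant for a constructed user email.
const devOptions = buildBoxyHQOptions({
  NODE_ENV: "development",
  BOXYHQ_ISSUER: "http://localhost:5000/",
})
const tenant = tenantFromEmail("Alice@Example.COM")
console.log(devOptions, tenant)
```

The production branch deliberately refuses to start rather than warn: a relying party that silently falls back to `"dummy"` would pass a well-known value as its client credential to the token endpoint, and the deployment-side fix (the `client_secret_verifier` setting linked above) is only effective when the application side sends a matching real secret.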