[ENHANCE] support passive option to getAuthorizeUrlAsync and getAuthorizeFormAsync #228

Open
tjenkinson opened this issue Nov 25, 2022 · 5 comments
Labels
enhancement New feature or request pr-welcome

Comments

@tjenkinson

Is your feature request related to a problem? Please describe.
Would be great to support passive option to getAuthorizeUrlAsync and getAuthorizeFormAsync, which would override the passive option provided to the constructor.

This means we could use a single SAML instance to handle both passive and not passive requests.

Describe the solution you'd like
If passive is provided in the options to either of the functions above it would take precedence over the one provided in the constructor.

Describe alternatives you've considered
We could work around this by creating multiple SAML instances, or by always creating it on the fly, but I think it would be nicer if we didn't have to do that.

Happy to prepare a PR.

@tjenkinson tjenkinson added the enhancement New feature or request label Nov 25, 2022
@cjbarth
Collaborator

cjbarth commented Jan 11, 2023

What is the use-case for this?

@tjenkinson
Author

Hey @cjbarth, we have 2 endpoints on our server, one that does not use passive and one that does, and it would be great if we can handle this with a single instance of SAML.

@cjbarth
Collaborator

cjbarth commented Jan 12, 2023

Why do you maintain two load-balanced endpoints with different configurations? That seems like a disaster just waiting to happen? If you actively select between the two different endpoints, then it seems like you should be using the multi-SAML setup.

@tjenkinson
Author

We have 2 API endpoints, where one is used to log in the user and redirect back if the user is signed in. The other endpoint is used as a way to determine if a user is logged in or not, where we don't want the user to be shown the sign-in screen.

It's the same SAML endpoint. The only thing we change is the passive flag.

@cjbarth
Collaborator

cjbarth commented Jan 23, 2023

So, if you have two API endpoints that do two different things, then you need two different configurations. You, in fact, have two SAML endpoints, perhaps with the same backing credential store, but that is immaterial for this discussion. Since you already have logic in your code to pick the correct endpoint, you can, and should, extend that code to also pick the correct SAML provider instance.

You could probably make things easier on yourself and have one SAML config JSON that you modify a property on before using to init the second of your multi-SAML config in passport-saml.
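
The approach suggested in the last comment, sketched as an added example (not part of the thread and not passport-saml's or node-saml's own code): one shared config, with `passive` set per endpoint and one instance kept per value. `createSamlSelector`, `differingKeys`, `FakeSaml`, the endpoint names and the sample config values are hypothetical; in an application the injected constructor would be the library's SAML class.

```javascript
"use strict";

// Added illustration. SamlCtor is injected so the sketch runs offline; in an
// application it would be the library's SAML class (assumption). Only the
// `passive` option itself comes from the thread.
function createSamlSelector(SamlCtor, baseConfig, passiveByEndpoint) {
  // Keep `passive` out of the shared config so the two instances cannot drift.
  if ("passive" in baseConfig) {
    throw new Error("set passive per endpoint, not in the shared base config");
  }
  const base = Object.freeze({ ...baseConfig });
  const instances = new Map(); // one instance per passive value, built lazily

  return function samlFor(endpoint) {
    if (!Object.prototype.hasOwnProperty.call(passiveByEndpoint, endpoint)) {
      throw new Error(`no SAML configuration for endpoint: ${endpoint}`);
    }
    const passive = passiveByEndpoint[endpoint] === true;
    if (!instances.has(passive)) {
      instances.set(passive, new SamlCtor(Object.freeze({ ...base, passive })));
    }
    return instances.get(passive);
  };
}

// Constructed stand-in for the library class: records the options it was given.
class FakeSaml {
  constructor(options) { this.options = options; }
}

// Constructed sample values.
const sharedConfig = {
  entryPoint: "https://idp.example.test/sso",
  issuer: "example-sp",
  callbackUrl: "https://sp.example.test/login/callback",
};

const samlFor = createSamlSelector(FakeSaml, sharedConfig, {
  "login": false,         // interactive sign-in endpoint
  "session-check": true,  // "is the user logged in?" endpoint
});

// Lists the option keys on which two configurations differ.
function differingKeys(a, b) {
  return Object.keys({ ...a, ...b }).filter((k) => a[k] !== b[k]);
}
```
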
