
Comments (14)

mithun-daa avatar mithun-daa commented on July 19, 2024

Sorry. This was a silly mistake. I forgot to return the Strategy on line 3.


mithun-daa avatar mithun-daa commented on July 19, 2024

A complete simple example would be helpful though.


jfromaniello avatar jfromaniello commented on July 19, 2024

Hi @mithun-daa, sorry for the delay — I just saw your message on Twitter.

Thanks for the feedback. Do you think we can improve the examples/ directory?

There are two examples there


mithun-daa avatar mithun-daa commented on July 19, 2024

I did download the examples. First off, I am not using ADFS but using Thinktecture's Identity Server. I don't see why this strategy wouldn't work with it.
I got the login example working with the newest version of Express and all the middleware, but I keep getting stuck in this loop: the login endpoint redirects me to my Identity Server's login page (as expected); after entering my credentials there, it posts to /login/callback, but it looks like the

passport.authenticate('wsfed-saml2', { failureRedirect: '/', failureFlash: true }),

line is redirecting me back to the Identity Server. If I comment that line out it no longer redirects me back to the Identity Server, but regardless of what I do, I never see anything in req.user — it is always undefined.
Also, I never seem to hit the verify callback that is passed in when setting up the Strategy:

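// Strategy registration as pasted in the comment (Thinktecture IdentityServer as
// the IdP). Security-relevant settings:
//   - thumbprint: the IdP signing certificate's thumbprint. This is what ties an
//     accepted token to that IdP, so 'xxx' is a placeholder, not a usable value.
//   - homeRealm: left empty, so the IdP's selector (if it has one) is shown.
// The verify callback must finish by calling done(). The original paste neither
// closed the function body (a syntax error as written) nor invoked done, which,
// once the brace was added, would leave every login request hanging.
passport.use(new wsfedsaml2(
  {
    path: '/login/callback',
    realm: 'urn:node:app',
    homeRealm: '', // specify an identity provider to avoid showing the idp selector
    identityProviderUrl: 'https://myIdSrv/issue/wsfed',
    thumbprint: 'xxx'
  },
  function(profile, done) {
    console.log("Auth with", profile);
    // Minimal completion: accept the IdP-supplied profile as the user.
    // TODO confirm: a real app should look the user up and whitelist fields here.
    return done(null, profile);
  }
));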


jfromaniello avatar jfromaniello commented on July 19, 2024

I don't see why it would redirect you back to the auth server — have you set up the passport session as in the two examples?

Can you show me your entire example?

If you could open Chrome dev tools before trying the authentication workflow, export the network tab to a HAR file and send me that HAR, it would help. (A HAR captures full request and response bodies plus cookies — including the token posted back to /login/callback — so scrub anything sensitive before sharing it.)

Thanks


mithun-daa avatar mithun-daa commented on July 19, 2024

Here you go. This is pretty much the same as the Login example in the repo, updated to use Express 4.0. I will send a pull request if it ends up working.

var express = require('express')
  , passport = require('passport')
  , util = require('util')
  , wsfedsaml2 = require('passport-wsfed-saml2').Strategy
  , fs = require('fs')
  , morgan = require('morgan')
  , cookieParser = require('cookie-parser')
  , bodyParser = require('body-parser')
  , methodOverride = require('method-override')
  , session = require('express-session');

// In-memory user store for the sample. Seed data only — a real application would
// back this with a database. Note that the strategy's verify callback appends
// auto-registered profiles to this array at runtime, so it grows per login.
var users = [
  { id: 1, givenName: 'matias', email: '[email protected]' },
  { id: 2, givenName: 'foo', email: '[email protected]' }
];

// Look up a user in the in-memory store by exact (case-sensitive) e-mail match.
// Follows the node callback convention, fn(err, user), and never produces an
// error itself: user is the first matching record, or null when none matches.
function findByEmail(email, fn) {
  var match = null;
  users.some(function (candidate) {
    if (candidate.email === email) {
      match = candidate;
      return true;
    }
    return false;
  });
  return fn(null, match);
}


// Passport session plumbing.
//   Only the e-mail address is stored in the server-side session record; on each
//   request it is resolved back to a full user object via findByEmail.
//   NOTE(review): the e-mail is therefore the session identity. A user whose
//   e-mail changes at the IdP shows up as a new (auto-registered) user next login.
passport.serializeUser(function(user, done) {
  return done(null, user.email);
});

passport.deserializeUser(function(email, done) {
  // findByEmail already uses the (err, user) signature, so done can be passed through.
  findByEmail(email, done);
});

// Register the WS-Federation / SAML2 strategy.
//
// Security notes (reviewer):
//   - `thumbprint` (or a base64 `cert`, per the inline comment) is the trust
//     anchor the library verifies the token signature against. It must match the
//     IdP's signing certificate exactly; 'xxxx' is a placeholder. This is the only
//     thing tying an accepted token to this IdP, so never leave it loose.
//   - `realm` identifies this application to the IdP (presumably sent as the
//     WS-Fed realm parameter — confirm against the library).
//   - The verify callback auto-registers unknown users by pushing the raw
//     IdP-supplied profile into `users`. Seed users carry an `id`; auto-registered
//     ones only carry whatever claims arrived. Whitelist fields in a real app.
//   - console.log of the whole profile prints every claim (PII) to stdout.
passport.use(new wsfedsaml2(
  {
    path: '/login/callback',
    realm: 'urn:node:app',
    homeRealm: '', // specify an identity provider to avoid showing the idp selector
    identityProviderUrl: 'https://xxx/issue/wsfed',
    // setup either a certificate base64 encoded (cer) or just the thumbprint of the certificate if public key is embedded in the signature

    thumbprint: 'xxxx'
  },
  function(profile, done) {
    console.log("Auth with", profile);
    if (!profile.email) {
      // Without an e-mail claim there is nothing to key the user on.
      return done(new Error("No email found"), null);
    }
    // Deferred to the next tick to mimic an asynchronous lookup.
    process.nextTick(function () {
      console.log('In!!');
      findByEmail(profile.email, function(err, existing) {
        if (err) {
          return done(err);
        }
        if (existing) {
          return done(null, existing);
        }
        // "Auto-registration": first sight of this e-mail creates the user.
        users.push(profile);
        return done(null, profile);
      });
    });
  }
));

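var app = express();
var router = express.Router();

// configure Express (Express 4: app.configure() is gone; middleware is mounted in order)
app.set('views', __dirname + '/views');
app.set('view engine', 'ejs');
app.use(morgan('combined'));
app.use(cookieParser());
// The IdP POSTs the token back to /login/callback as application/x-www-form-urlencoded
// (form field `wresult`). With only a text() parser, req.body stays empty and the
// strategy cannot find the token — which is what produced the redirect loop in
// this thread. The urlencoded parser is the fix; text() is kept as before.
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.text());
app.use(methodOverride());
app.use(session({
  // 'keyboard cat' is the sample's placeholder. Take the real secret from the
  // environment so it never lands in source control.
  secret: process.env.SESSION_SECRET || 'keyboard cat',
  resave: false,
  saveUninitialized: true
  // NOTE(review): no cookie options are set. That is fine for http://localhost,
  // but set cookie.secure (and serve over HTTPS) before exposing this anywhere.
}));
app.use(passport.initialize());
app.use(passport.session());
app.use('', router);
app.use(express.static(__dirname + '/../../public'));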


// Renders `view` with whatever passport put on req.user (undefined when anonymous).
function renderWithUser(view) {
  return function(req, res) {
    res.render(view, { user: req.user });
  };
}

// Public landing page.
app.get('/', renderWithUser('index'));

// Protected page: ensureAuthenticated sends anonymous visitors to /login first.
app.get('/account', ensureAuthenticated, renderWithUser('account'));

// Passport middleware shared by both halves of the sign-in flow. failureRedirect
// sends a failed attempt back to the index (with a flash message) rather than
// falling through to the handlers below.
function wsfedAuthenticate() {
  return passport.authenticate('wsfed-saml2', { failureRedirect: '/', failureFlash: true });
}

// GET /login: as reported in this thread, the strategy answers with a redirect to
// identityProviderUrl, so the trailing handler is only reached if it ever falls through.
app.get('/login', wsfedAuthenticate(), function(req, res) {
  res.redirect('/');
});

// POST /login/callback: the IdP posts the signed token here (form field `wresult`);
// the strategy validates it and sets req.user before the handler below runs.
// NOTE(review): the two console.log calls dump the raw request body — i.e. the
// full security token — and the resolved user to stdout. Acceptable while
// debugging this issue; remove before deploying anywhere.
app.post('/login/callback', wsfedAuthenticate(), function(req, res) {
  console.log(req.body);
  console.log(req.user);
  res.redirect('/');
});

// Signs the user out of passport's session state and sends them home.
// NOTE(review): req.logout() is called synchronously here; newer passport
// releases changed it to take a callback — confirm against the installed version.
// Nothing here destroys the express-session record (no req.session.destroy()),
// only passport's user entry in it.
function logoutHandler(req, res) {
  req.logout();
  res.redirect('/');
}

app.get('/logout', logoutHandler);

// Plain HTTP on a fixed port — development only; the session cookie travels in
// clear text here.
var port = 3000;
app.listen(port, function () {
  console.log("Server listening in http://localhost:3000");
});

// Route middleware that gates a resource behind a login.
//   req.isAuthenticated() is true once passport.session() has deserialized a
//   user for this request; in that case the chain continues. Anonymous requests
//   are redirected to /login, which starts the IdP round-trip.
//   NOTE(review): the originally requested URL is not remembered — after login
//   the callback handler always lands the user on '/', not on the page they asked for.
function ensureAuthenticated(req, res, next) {
  var loggedIn = req.isAuthenticated();
  if (!loggedIn) {
    res.redirect('/login');
    return;
  }
  return next();
}


jfromaniello avatar jfromaniello commented on July 19, 2024

I can't see any obvious error in the code; would you mind sending me a HAR?

Maybe to jose at auth0.com

Thanks


mithun-daa avatar mithun-daa commented on July 19, 2024

Pardon my ignorance, but what is a HAR?


jfromaniello avatar jfromaniello commented on July 19, 2024

@mithun-daa https://auth0.com/docs/har

Thanks


mithun-daa avatar mithun-daa commented on July 19, 2024

Sent!


jfromaniello avatar jfromaniello commented on July 19, 2024

The HAR looks fine; Thinktecture's Identity Server is returning the assertion to you.

One thing I think is wrong in your example: you are missing a body parser for URL-encoded content. The only parsing middleware is this:

app.use(bodyParser.text());

I know that Express 4 doesn't ship bodyParser itself, but you can use this:

https://github.com/expressjs/body-parser

var bodyParser = require('body-parser');
app.use(bodyParser.urlencoded());

I think this is your problem: the strategy can't find req.body.wresult to validate the assertion:
https://github.com/auth0/passport-wsfed-saml2/blob/master/lib/passport-wsfed-saml2/strategy.js#L96-L103

Let me know if it works with that.


mithun-daa avatar mithun-daa commented on July 19, 2024

I updated the body parser to use URL-encoded and it looks like I got a step further, but I now run into the following error:

TypeError: Cannot read property 'firstChild' of undefined
   at Object.WsFederation.extractToken (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\wsfederation.js:33:119)
   at Strategy._authenticate_saml (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\strategy.js:45:27)
   at executeWsfed (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\strategy.js:101:14)
   at Strategy.authenticate (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\passport-wsfed-saml2\lib\passport-wsfed-saml2\strategy.js:145:7)
   at attempt (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\passport\lib\middleware\authenticate.js:341:16)
   at authenticate (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\passport\lib\middleware\authenticate.js:342:7)
   at Layer.handle [as handle_request] (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\express\lib\router\layer.js:82:5)
   at next (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\express\lib\router\route.js:110:13)
   at Route.dispatch (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\express\lib\router\route.js:91:3)
   at Layer.handle [as handle_request] (D:\Playground\passport-wsfed-saml2\examples\login\node_modules\express\lib\router\layer.js:82:5)

I now see that the body does have a wresult property. It looks like the XML that wsfederation.js expects is different: it is looking for the http://schemas.xmlsoap.org/ws/2005/02/trust namespace and cannot find it.

I am emailing you the value of the wresult property.


jfromaniello avatar jfromaniello commented on July 19, 2024

Good man, you are very close.

It looks like the response uses a different WS-Trust namespace:

  • this library expects: http://schemas.xmlsoap.org/ws/2005/02/trust
  • Thinktecture uses: http://docs.oasis-open.org/ws-sx/ws-trust/200512

Do you know if Thinktecture has a way to change this?


mithun-daa avatar mithun-daa commented on July 19, 2024

Sweet! I changed the namespace in wsfederation.js to the one Thinktecture uses and it worked :). I will look into whether I can change the namespace that Thinktecture sets so it is consistent. Thank you very much for all the help. (Note that this edits the installed copy under node_modules, which a reinstall will overwrite; the durable fix is for the library itself to accept both namespaces.)

