boxyhq / jackson Goto Github PK

Is your proposal related to a problem?

Send back the requested params like product, tenant, clientId and clientSecret in userinfo.

• What options should I pass?
• Should I create the table beforehand?

curl --request POST \
  --url 'http://localhost:5000/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code' \
  --data 'client_id=<a invalid tenant and product combination>' \
  --data 'client_secret=<some value>' \
  --data 'redirect_uri=<redirect URL>' \
  --data 'code=<code from the query parameter above>'

Issue Summary

The token creation method doesn't evaluate the tenant and product is valid or not. It validates only the code at the moment.

Issue Summary

Got the error "SAML configuration not found." when initiating the SAML request. Note, I'm using the pre-loaded SAML config options.

Steps to Reproduce

1. Created a new express app
2. Added the express routes as per the doc
3. Pre-loaded one Idp metadata (Create 2 files abc.js and abc.xml)
4. Added the correct pre-loaded config path (I can confirm Jackson could access the file)
5. Visited the following URL

http://localhost:3000/sso/oauth/authorize?response_type=code&provider=saml&client_id=abc&redirect_uri=http://localhost:3000/sso/oauth/completed&state=1234

Notes

I think oauth.authorize() method is not considering the preLoadedConfig

• Easy to deploy
• Add production deployment guide

Is your proposal related to a problem?

Currently, there is no way to delete an IdP config once it is saved in jackson.

Describe the solution you'd like

Expose a deleteConfig function in the API controller and use it in jackson/jackson-next services.

Is your proposal related to a problem?

Paginate using offset and limit.

Is your proposal related to a problem?

With the growing vulnerabilities in the software supply chain (like log4j) it makes a lot of sense to add an SBOM to our project.

Describe the solution you'd like

• We should support all 3 SBOM formats - https://www.settletop.com/insights/understanding-sbom-standards-cyclonedx-spdx-swid.
• We should automate updating of the SBOM when we add more dependencies
• We need it for our npm package, next.js service and docker container

Describe alternatives you've considered

n/a

Additional context

n/a

Currently we send the response payload back as either json or plaintext. It would be better to standardise the format into JSON with defined structure for error and data. Eg:-
Error

{
 "status": 400 
 "error": {
  msg: "Please provide a defaultRedirectUrl" , 
  description: "Jackson needs the URL to complete the IdP flow"
 }
}

Success

{
"status": 200
"data": {
      client_id: clientID,
      client_secret: clientSecret,
      provider: idpMetadata.provider,
  }
}

Is your proposal related to a problem?

Some IdPs allow the uploading of a metadata file that will help populate all the fields when creating a SAML app.

Describe the solution you'd like

We should provide this metadata file with all the required fields at an endpoint so that the user can point their customers to it. This will ease the manual configuration of setting up the SAML app.

Issue Summary

Using the PRE_LOADED_CONFIG fails to load the config js file.

config api error: Error: Cannot find module '/Users/xxxxx/Code/jackson/_config/boxyhq.js'

Steps to Reproduce

1. Run jackson with PRE_LOADED_CONFIG set to point to a local dir
2. Invoke the GET config
3. Requests fails with above error

Technical details

Summarized nicely at https://stackoverflow.com/a/42804941/3939061

You cannot use a variable as argument to require. Webpack needs to know what files to bundle at compile time. As it does no program flow analysis, it can't know what you pass to the function. In that case it might be obvious, but this could go as far as using user input to decide what module to require, and there is no way webpack can possibly know which modules to include at compile time, so webpack does not allow it.

Is your proposal related to a problem?

We'll need an admin interface in the future, next.js seems like a good fit.

Describe the solution you'd like

Move service to next.js, deployment is easier too and taps into the Vercel/next.js ecosystem.

Is your proposal related to a problem?

SAML support ForceAuthn to indicate to the provider that they should force an authentication of the user even if already logged in.

Describe the solution you'd like

We need to set a flag on the config and also maybe allow an override on the back of the OAuth 2.0 authorize request through a custom parameter.

Is your proposal related to a problem?

It would be nice to have a way to integrate SAML login with remix applications.

Describe the solution you'd like

Develop a strategy using https://github.com/sergiodxa/remix-auth-strategy-template.

Is your proposal related to a problem?

We need a mock service that emulates a SAML Identity Provider. Prototyping has begun here - https://github.com/boxyhq/mock-saml

Is your proposal related to a problem?

In heavily regulated industries transfer or identification of employee information (even email) outside the boundary of the company leads to heavy compliance burden. If we provide a way to strip all info except the id then this opens up some interesting opportunities.

Describe the solution you'd like

• Document mapping of only the ID skipping everything else
• For any other info that might come via the SAML response we include a flag to strip that out
• Hash the id so it cannot be mapped back in any form, this also caters to the case where some providers send email as the id

Is your proposal related to a problem?

Currently, the POST method is used to fetch the IdP metadata. GET would be more apt for the operation.

Describe the solution you'd like

Swap out the POST method with GET and pass the body as a query string in the URL.
Also update the endpoint api/v1/saml/config/get -> /api/v1/saml/config

Is your proposal related to a problem?

We need to configure a plugin which automatically sorts the classes on save.

Describe the solution you'd like

prettier-plugin-tailwindcss can work well with tailwindcss classes.

Issue Summary

The husky pre-commit hook is not running now.

Steps to Reproduce

1. Change a variable declaration to use var instead of const
2. Stage and commit locally
3. Ideally the script runs and fixes the eslint issues.

Technical details

• git commit warning

hint: The '.husky/pre-commit' hook was ignored because it's not set as executable.
hint: You can disable this warning with `git config advice.ignoredHook false`.

• Missing a prepare script in package json to "To automatically have Git hooks enabled after install"
  https://typicode.github.io/husky/#/?id=manual

Is your proposal related to a problem?

Test more SAML providers and add instructions for each provider.

Describe the solution you'd like

Okta, Google and Auth0 have been tested and supported so far. Test the following popular providers and document specific instructions - OneLogin, Duo, Azure, CyberArk, ADFS, JumpCloud, Shibboleth (not an exhaustive list).

Is your proposal related to a problem?

Add tracing via OpenTelemetry

Is your proposal related to a problem?

Support error reporting and logging.

Describe the solution you'd like

Opentelemetry has support for logging event. Pino for nodejs logging. For frontend if there is no library out there that consolidates this like Opentelemetry we should look to create one.

Is your proposal related to a problem?

For our APIs it would be good to generate docs and spec files for the products listed above. Should ideally be in Github Actions if possible.

Found a bug? Please fill out the sections below. 👍

Issue Summary

redirect_uri should be validated at all steps including code exchange - #26

Is your proposal related to a problem?

Read XML metadata from a URL if available.

Describe the solution you'd like

We can divide this task into two subtasks:

• Make the required changes to /npm.
• Admin UI: Add an additional text input for Metadata URL to the create/update SSO connection UI. We'll do this after finishing the first one.

Make the required changes to /npm

• You can now create an SSO connection by passing an encoded or raw XML metadata to the createSAMLConnection method. Most of the identity providers also provide the URL to read the metadata. So createSAMLConnection should also allow passing a metadata URL if available.
• We have to add another attribute to the body called metadataUrl to pass the metadata URL.
• Make the required changes to the method createSAMLConnection within the /npm/src/controller/api.ts file.
• The new approach should fetch the raw metadata from the URL and use it as rawMetadata.
• Here are a few additional things you should consider during the implementation.
  • Only accept HTTPS URLs.
  • Set a timeout while fetching the data from the metadata URL and throw an error if the timeout exceeds.
  • Limit the payload size.
• Since no UI is involved, writing unit tests is the best way to test this implementation. You can create new unit test cases to address code changes you will make. You can find all the test cases in /npm/test/sso folder.
• Here is a sample metadata URL you can use to test https://mocksaml.com/api/saml/metadata

Is your proposal related to a problem?

Decrease docker image size by using the new self-hosted feature in next.js

Describe the solution you'd like

https://nextjs.org/blog/next-12-1#self-hosted-nextjs-improvements

Is your proposal related to a problem?

Hasura has a plug-and-play auth interface, set up a demo showcasing auth with SAML.

Describe the solution you'd like

SAML Jackson + Hasura, what a mind-blowing combo.

Is your proposal related to a problem?

• Provide tenant and product in userinfo as context or requested params. This will ease things on the frontend during integration - #113.
• Add a recipe to https://github.com/supertokens/supertokens-node which encapsulates the routes needed for SAML config.

Describe the solution you'd like

Improve developer experience by providing the above quality of service improvements.

Sample response

{
  audience: 'https://saml.boxyhq.com',
  claims: {
    'user.id': undefined,
    ...
  },
}

Is your proposal related to a problem?

Currently, AuthnRequest is signed but there's no public cert being added to the signature. This means that the request is not being validated.

Describe the solution you'd like

Send the public cert along with AuthnRequest.

Would be nice to have some one click deploy buttons for jackson

Is your proposal related to a problem?

Support for API Gateways.

Describe the solution you'd like

We have simple API key auth support but should support the ability to add an API gateway in front. Kong, APISIX and Tyk are a few of the ones we should look at first.

Is your proposal related to a problem?

We are starting to have a list of growing examples and integrations. They should be moved to a monorepo, a new one called jackson-examples.

Describe the solution you'd like

Monorepo using Turborepo.

Issue Summary

Certain gateways might reject the config API request because of rawMetadata, we need to encode it to avoid this.

Steps to Reproduce

Send a config API request to Jackson that is hosted on AWS.

Potential Solution

Add a new attribute, encodedRawMetadata which is a base64 encoding of rawMetadata. This will maintain backwards compatibility.