| author | mo khan <mo@mokhan.ca> | 2025-03-25 09:51:32 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-25 09:51:32 -0600 |
| commit | 0704a779e5a20611bb8ee685a0dcdc1bebe74ba9 (patch) | |
| tree | ff3d136c49888be9c48ede137d2d1e516729921d /bin | |
| parent | c866f5e8fe3d3d5fd311711bfc07d23ecfec3cd1 (diff) | |
feat: exchange saml assertion for an access token
Diffstat (limited to 'bin')
| -rwxr-xr-x | bin/idp | 33 | ||||
| -rwxr-xr-x | bin/ui | 1 |
2 files changed, 29 insertions, 5 deletions
@@ -99,8 +99,20 @@ module Authn
end
end
- def find_by_username(username)
+ def find_by
all.find do |user|
+ yield user
+ end
+ end
+
+ def find_by_email(email)
+ find_by do |user|
+ user[:email] == email
+ end
+ end
+
+ def find_by_username(username)
+ find_by do |user|
user[:username] == username
end
end
@@ -443,7 +455,7 @@ module Authz
client_credentials_grant(params)
when 'password'
password_grant(params[:username], params[:password])
- when 'urn:ietf:params:oauth:grant-type:saml2-bearer' # RFC7522
+ when "urn:ietf:params:oauth:grant-type:saml2-bearer" # RFC-7522
saml_assertion_grant(params[:assertion])
when 'urn:ietf:params:oauth:grant-type:jwt-bearer' # RFC7523
jwt_bearer_grant(params)
@@ -469,8 +481,19 @@ module Authz
raise NotImplementedError
end
- def saml_assertion_grant(saml_assertion)
- raise NotImplementedError
+ def saml_assertion_grant(encoded_saml_assertion)
+ xml = Base64.decode64(encoded_saml_assertion)
+ saml_response = Saml::Kit::Document.to_saml_document(xml)
+ saml_assertion = saml_response.assertion
+ # TODO:: Validate signature and prevent assertion reuse
+
+ user = case saml_assertion.name_id_format
+ when Saml::Kit::Namespaces::EMAIL_ADDRESS
+ ::Authn::User.find_by_email(saml_assertion.name_id)
+ when Saml::Kit::Namespaces::PERSISTENT
+ ::Authn::User.find(saml_assertion.name_id)
+ end
+ new(user, saml_assertion: saml_assertion)
end
def jwt_bearer_grant(params)
@@ -517,7 +540,7 @@ module Authz
expires_in: 3600,
refresh_token: SecureRandom.hex(32)
}.tap do |body|
- if params['scope'].include?("openid")
+ if params["scope"]&.include?("openid")
body[:id_token] = user.create_id_token.to_jwt
end
end
@@ -388,6 +388,7 @@ class UI
<body style="background-color: pink;">
<h2>Received SAML Response</h2>
<textarea readonly="readonly" disabled="disabled" cols=220 rows=40><%=- saml_response.to_xml(pretty: true) -%></textarea>
+ <pre id="saml-response"><%= request.params["SAMLResponse"] %></pre>
</body>
</html>
ERB |
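Review bot: `find_by_email(nil)` matches the first user whose record has no `:email` key, because the new block compares `user[:email] == email` and `nil == nil` is true; the one caller this commit adds passes `saml_assertion.name_id` straight in, which may well be nil for a malformed assertion. The lookup should refuse a blank argument before scanning, e.g. `return nil if email.nil? || email.empty?` as the first line of `find_by_email`, and `find_by_username` deserves the same guard. The new `find_by` also raises `LocalJumpError` when called without a block; `raise ArgumentError, "block required" unless block_given?` makes that an explicit contract. The enclosing `User` definition these methods belong to starts outside the hunk.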
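Review bot: The new `saml_assertion_grant` issues an access token from an assertion it never verifies — no signature, issuer, audience or expiry check, and no replay protection — so anyone who can reach the token endpoint can hand-craft an assertion with an `emailAddress` NameID of their choosing and be logged in as that user; the `# TODO:: Validate signature` comment acknowledges this but the grant still goes live instead of failing closed. Two smaller defects in the same method: RFC 7522 §2.1 says the `assertion` parameter is base64url-encoded, and `Base64.decode64` silently discards `-` and `_` rather than rejecting them, so `Base64.urlsafe_decode64` is the right decoder; and `saml_response.assertion` may be nil (to_saml_document returns whatever document type the XML is) while the `case` has no `else`, so `new(user, …)` can be reached with a nil user. Below is a fail-closed shape; `valid?`, `expired?` and `audiences` are what I recall of the saml-kit API and should be confirmed, and `ArgumentError` stands in for whatever error the token endpoint maps to an `invalid_grant` response.
```ruby
def saml_assertion_grant(encoded_saml_assertion)
  # RFC 7522 §2.1: base64url; decode64 would silently drop '-' and '_'.
  xml = Base64.urlsafe_decode64(encoded_saml_assertion)
  saml_response = Saml::Kit::Document.to_saml_document(xml)
  saml_assertion = saml_response.respond_to?(:assertion) ? saml_response.assertion : nil
  # Fail closed until the assertion is proven trustworthy (RFC 7522 §3):
  # signed by a known issuer, not expired, addressed to this server, not replayed.
  raise ArgumentError, "invalid_grant: unsigned or malformed assertion" if saml_assertion.nil? || !saml_response.valid?
  raise ArgumentError, "invalid_grant: assertion expired" if saml_assertion.expired?
  # TODO: compare saml_assertion.audiences with this server's issuer URL and
  # record the assertion ID so a replayed assertion is rejected.

  # … unchanged: NameID → user lookup by name_id_format …
  raise ArgumentError, "invalid_grant: unknown subject" if user.nil?
  new(user, saml_assertion: saml_assertion)
end
```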
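Review bot: The added `<pre id="saml-response"><%= request.params["SAMLResponse"] %></pre>` echoes a raw POST parameter into the page, and plain ERB's `<%= %>` does no HTML escaping, so a SAMLResponse containing markup is reflected to the browser as-is (reflected XSS); if the response is decoded upstream with `Base64.decode64`, which ignores non-alphabet bytes, appended markup would not even break the SAML parse that produces `saml_response`. Escape it: `<pre id="saml-response"><%= ERB::Util.html_escape(request.params["SAMLResponse"]) %></pre>`. The heredoc and the method that renders it begin outside the hunk, so I cannot tell whether an auto-escaping ERB engine is in use; if it is, a comment saying so next to the template would save the next reader the same question.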
