Conversation
* Implemented changes
* Fixes
* Fixes
* Fixes
* Fixes
* chore: fix ruff check

---------

Co-authored-by: Nicolas Asanov <nicolas.a.asanov@gmail.com>

* feat: Add test SAML IdP container to dev environment
* fix: Update apiClient to only import authOptions in server context
* feat: Add SAML authentication to frontend
* chore: Document SAML dev setup
* chore: Add env var to determine if unencrypted assertions are allowed
* feat: Automatically generate SAML certs in dev container
* feat: Hardcode dev SAML cert in env template
* chore: Re-add refresh token logic to NextAuth config
* feat: Add error handling for SAML cert loading
* chore: Improve error handling for SAML login callback
* chore: Ignore certs directory in frontend
* chore: Add default credentials for dev SAML IdP to README
Note that NextAuth is used to retrieve the session, and instead of using providers, there are server routes that handle SAML and credentials validation and directly encode the JWT session. This is because the http-only cookie for the refresh token could not be set from within the providers' authorize functions, since we don't have access to the NextResponse object from there, so we can't call res.cookies.set(...) to set the http-only cookie.
naasanov
left a comment
Of the stuff that exists, it looks great. Just need to DRY some stuff up and keep to codebase conventions.
However, there's a couple things missing. The goal of this ticket is to get auth hooked up end to end, so we need login pages/buttons/flows for all roles on their pages. It should look very close to the final project in regards to auth.
Ideally a student/admin would navigate to any of their pages, and
if not signed in -> kicks them straight to IdP to sign in (or have a simple landing page similar to canvas if necessary)
if signed in -> automatically load whatever page they wanted
We also need a simple police login page that hooks into the flow, also kicking them to the login page if not signed in.
The logout button in the header should also work as intended.
naasanov
left a comment
Some fetches fail because they are still using the mock client (confirmed for student dashboard, may be true for others). Since this is meant to be the final iteration of auth feature, please go through and make sure all queries are working.
Also a couple small code comments
… can now access role via session.role
Removed useRole + RoleProvider + RoleContext since we're no longer mocking the role and instead accessing it off of session. useRole could technically have stayed, but it was a thin wrapper that just returned session.role, which can be accessed via the useSession hook.
naasanov
left a comment
Looks great, just waiting on merge conflicts
Merge conflicts have been resolved.
Motivation
The existing SAML IdP needs to output the same attributes as the Onyen SSO IdP so that it could be mocked for testing. Additionally, users need to be authenticated by role and the entire auth flow should be linked to the backend so that the access and refresh token exchange can be successful.
Changes
Closes #201