From beab1e09bb9d7bb5c69275505a05deb445df9925 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=81=BE=E3=81=A3=E3=81=A1=E3=82=83=E3=81=A8=E3=83=BC?= =?UTF-8?q?=E3=81=AB=E3=82=85?= <17376330+u1-liquid@users.noreply.github.com>
Date: Sun, 17 Mar 2024 23:07:03 +0900
Subject: [PATCH] =?UTF-8?q?fix(SSO):=20=E8=AA=8D=E8=A8=BC=E3=81=AE?= =?UTF-8?q?=E7=B5=90=E6=9E=9C=E3=81=AE=E3=83=87=E3=83=BC=E3=82=BF=E3=81=8C?= =?UTF-8?q?XML=E3=82=B9=E3=82=AD=E3=83=BC=E3=83=9E=E3=81=A8=E5=90=88?= =?UTF-8?q?=E3=82=8F=E3=81=AA=E3=81=84=E5=95=8F=E9=A1=8C=E3=82=92=E4=BF=AE?= =?UTF-8?q?=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../server/sso/JWTIdentifyProviderService.ts | 6 +--
 .../server/sso/SAMLIdentifyProviderService.ts | 49 +++++++++----------
 2 files changed, 25 insertions(+), 30 deletions(-)
diff --git a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
index c639bec91d..9069c24fdf 100644
--- a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
@@ -171,11 +171,11 @@ export class JWTIdentifyProviderService {
  const roles = await this.roleService.getUserRoles(user.id);
  const payload: JWTPayload = {
- name: user.name,
+ name: user.name ?? user.username,
  preferred_username: user.username,
  profile: `${this.config.url}/@${user.username}`,
- picture: user.avatarUrl,
- email: profile.email,
+ picture: user.avatarUrl ?? undefined,
+ email: profile.emailVerified ? profile.email : undefined,
  email_verified: profile.emailVerified,
  mfa_enabled: profile.twoFactorEnabled,
  updated_at: Math.floor((user.updatedAt?.getTime() ?? user.createdAt.getTime()) / 1000),
diff --git a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
index 2a07e4a123..fef53a5e00 100644
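Review bot: The reason `email` is now withheld unless `profile.emailVerified` is true is not recorded in the code, and a later maintainer could plausibly "restore" the claim; add a comment above the `email:` line such as `// Release the address only once verified: relying parties commonly key accounts on email, so an unverified address could let one account claim another's identity at the RP.` The `email_verified` claim is still emitted even when `email` is absent, which is harmless but worth a clause in the same comment so the asymmetry reads as intended. The enclosing method starts and ends outside the hunk.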
--- a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
@@ -477,16 +477,9 @@ export class SAMLIdentifyProviderService {
  '#text': ssoServiceProvider.issuer,
  },
  'saml:Subject': {
- 'saml:NameID': [
- {
- '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
- '#text': profile.email,
- },
- {
- '@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
- '#text': user.id,
- },
- ],
+ 'saml:NameID': profile.emailVerified
+ ? { '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', '#text': profile.email }
+ : { '@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', '#text': user.id },
  'saml:SubjectConfirmation': {
  '@Method': 'urn:oasis:names:tc:SAML:2.0:cm:bearer',
  'saml:SubjectConfirmationData': {
@@ -541,7 +534,7 @@ export class SAMLIdentifyProviderService {
  '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
  'saml:AttributeValue': {
  '@xsi:type': 'xs:string',
- '#text': user.name,
+ '#text': user.name ?? user.username,
  },
  },
  {
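Review bot: Choosing the NameID format from `profile.emailVerified` makes the subject identifier unstable: the same account is presented with an email-format NameID while its address is verified and with the persistent `user.id` NameID otherwise, so a service provider that keys accounts on NameID sees an identity change whenever the verification state or the address changes, and an address given up by one account can later be verified by another. The persistent format with `user.id` is the stable identifier, and the verified address is already released through the `mail`/`email` attributes later in the same assertion. I would emit `'saml:NameID': { '@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', '#text': user.id },` unconditionally, unless the SP's requested NameIDPolicy is honoured somewhere not visible in this hunk. The enclosing method starts and ends outside the hunk.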
@@ -568,30 +561,32 @@ export class SAMLIdentifyProviderService {
  '#text': `${this.config.url}/@${user.username}`,
  },
  },
- {
+ ...(user.avatarUrl ? [{
  '@Name': 'picture',
  '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
  'saml:AttributeValue': {
  '@xsi:type': 'xs:string',
  '#text': user.avatarUrl,
  },
- },
- {
- '@Name': 'mail',
- '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
- 'saml:AttributeValue': {
- '@xsi:type': 'xs:string',
- '#text': profile.email,
+ }] : []),
+ ...(profile.emailVerified ? [
+ {
+ '@Name': 'mail',
+ '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
+ 'saml:AttributeValue': {
+ '@xsi:type': 'xs:string',
+ '#text': profile.email,
+ },
  },
- },
- {
- '@Name': 'email',
- '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
- 'saml:AttributeValue': {
- '@xsi:type': 'xs:string',
- '#text': profile.email,
+ {
+ '@Name': 'email',
+ '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
+ 'saml:AttributeValue': {
+ '@xsi:type': 'xs:string',
+ '#text': profile.email,
+ },
  },
- },
+ ] : []),
  {
  '@Name': 'email_verified',
  '@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
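Review bot: The `mail` and `email` entries inside the `profile.emailVerified` spread are identical except for `@Name`, so the release condition, the attribute format and the value are now maintained in two places and can drift apart. Generating both entries from one template keeps the gate in a single spot and makes it obvious that the two names carry the same verified address. The enclosing method starts and ends outside the hunk.
```typescript
// … unchanged: profile attribute and the avatarUrl-gated picture attribute …
...(profile.emailVerified ? ['mail', 'email'].map(name => ({
	'@Name': name,
	'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
	'saml:AttributeValue': {
		'@xsi:type': 'xs:string',
		'#text': profile.email,
	},
})) : []),
// … unchanged: email_verified attribute …
```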