

Added DISABLE_SSO_TRACE flag to control logging to sso trace
nitendra-new committed Dec 17, 2024
1 parent feaa341 commit 5572d68
Showing 2 changed files with 105 additions and 84 deletions.
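--- a/.env.example
+++ b/.env.example
@@ -115,4 +115,7 @@ ENTERPRISE_ORY_PROJECT_ID=
 #OPENID_REQUEST_PROFILE_SCOPE=false
 
 # Uncomment below if you wish to forward the OpenID params (https://openid.net/specs/openid-connect-core-1_0-errata2.html#AuthRequest) to the OpenID IdP
-#OPENID_REQUEST_FORWARD_PARAMS=true
+#OPENID_REQUEST_FORWARD_PARAMS=true
+
+# disable logging into sso trace
+# DISABLE_SSO_TRACE=true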
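Review bot: The new comment `# disable logging into sso trace` does not tell an operator what is being disabled or which values are honored; the oauth.ts hunks on this page compare the variable with the literal string `'true'`, and the traces it suppresses carry the raw SAML response, the resolved user profile and, on the OIDC path, the id and access tokens. Suggest `# Set to exactly "true" to stop persisting SSO error traces (they include the raw SAML response, user profile and OIDC tokens); any other value keeps tracing on.`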
184 changes: 101 additions & 83 deletions npm/src/controller/oauth.ts
Expand Up @@ -48,6 +48,7 @@ import { SSOHandler } from './sso-handler';
import { ValidateOption, extractSAMLResponseAttributes } from '../saml/lib';
import { oidcClientConfig } from './oauth/oidc-client';
import { App } from '../ee/identity-federation/app';
import { error } from 'console';

Check failure on line 51 in npm/src/controller/oauth.ts


GitHub Actions / ci (22)

'error' is defined but never used

const deflateRawAsync = promisify(deflateRaw);

Expand Down Expand Up @@ -595,6 +596,8 @@ export class OAuthController implements IOAuthController {
let redirect_uri: string | undefined;
const { SAMLResponse, idp_hint, RelayState = '' } = body;

const should_disable_sso_trace = process.env.DISABLE_SSO_TRACE === 'true';

try {
isIdPFlow = !RelayState.startsWith(relayStatePrefix);
rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
Expand Down Expand Up @@ -708,29 +711,31 @@ export class OAuthController implements IOAuthController {
if (session && session.id) {
validateOpts['inResponseTo'] = session.id;
}

redirect_uri = ((session && session.redirect_uri) as string) || connection.defaultRedirectUrl;
} catch (err: unknown) {
// Save the error trace
await this.ssoTraces.saveTrace({
error: getErrorMessage(err),
context: {
samlResponse: rawResponse,
tenant: session?.requested?.tenant || connection?.tenant,
product: session?.requested?.product || connection?.product,
clientID: session?.requested?.client_id || connection?.clientID,
providerName: connection?.idpMetadata?.provider,
redirectUri: isIdPFlow ? connection?.defaultRedirectUrl : session?.redirect_uri,
issuer,
isSAMLFederated,
isOIDCFederated,
isIdPFlow,
requestedOIDCFlow: !!session?.requested?.oidc,
acsUrl: session?.requested?.acsUrl,
entityId: session?.requested?.entityId,
relayState: RelayState,
},
});
if (!should_disable_sso_trace) {
await this.ssoTraces.saveTrace({
error: getErrorMessage(err),
context: {
samlResponse: rawResponse,
tenant: session?.requested?.tenant || connection?.tenant,
product: session?.requested?.product || connection?.product,
clientID: session?.requested?.client_id || connection?.clientID,
providerName: connection?.idpMetadata?.provider,
redirectUri: isIdPFlow ? connection?.defaultRedirectUrl : session?.redirect_uri,
issuer,
isSAMLFederated,
isOIDCFederated,
isIdPFlow,
requestedOIDCFlow: !!session?.requested?.oidc,
acsUrl: session?.requested?.acsUrl,
entityId: session?.requested?.entityId,
relayState: RelayState,
},
});
}

throw err; // Rethrow the error
}
let profile: SAMLProfile | undefined;
Expand Down Expand Up @@ -763,26 +768,30 @@ export class OAuthController implements IOAuthController {
} catch (err: unknown) {
const error_description = getErrorMessage(err);
// Trace the error
const traceId = await this.ssoTraces.saveTrace({
error: error_description,
context: {
samlResponse: rawResponse,
tenant: connection.tenant,
product: connection.product,
clientID: connection.clientID,
providerName: connection?.idpMetadata?.provider,
redirectUri: isIdPFlow ? connection?.defaultRedirectUrl : session?.redirect_uri,
isSAMLFederated,
isOIDCFederated,
isIdPFlow,
acsUrl: session?.requested?.acsUrl,
entityId: session?.requested?.entityId,
requestedOIDCFlow: !!session?.requested?.oidc,
relayState: RelayState,
issuer,
profile,
},
});
let traceId: string | undefined;

if (!should_disable_sso_trace) {
traceId = await this.ssoTraces.saveTrace({
error: error_description,
context: {
samlResponse: rawResponse,
tenant: connection.tenant,
product: connection.product,
clientID: connection.clientID,
providerName: connection?.idpMetadata?.provider,
redirectUri: isIdPFlow ? connection?.defaultRedirectUrl : session?.redirect_uri,
isSAMLFederated,
isOIDCFederated,
isIdPFlow,
acsUrl: session?.requested?.acsUrl,
entityId: session?.requested?.entityId,
requestedOIDCFlow: !!session?.requested?.oidc,
relayState: RelayState,
issuer,
profile,
},
});
}

if (isSAMLFederated) {
throw err;
Expand Down Expand Up @@ -811,6 +820,8 @@ export class OAuthController implements IOAuthController {

const callbackParams = body;

const should_disable_sso_trace = process.env.DISABLE_SSO_TRACE === 'true';

let RelayState = callbackParams.state || '';
try {
if (!RelayState) {
Expand Down Expand Up @@ -849,23 +860,26 @@ export class OAuthController implements IOAuthController {
}
}
} catch (err) {
await this.ssoTraces.saveTrace({
error: getErrorMessage(err),
context: {
tenant: session?.requested?.tenant || oidcConnection?.tenant,
product: session?.requested?.product || oidcConnection?.product,
clientID: session?.requested?.client_id || oidcConnection?.clientID,
providerName: oidcConnection?.oidcProvider?.provider,
acsUrl: session?.requested?.acsUrl,
entityId: session?.requested?.entityId,
redirectUri: redirect_uri,
relayState: RelayState,
isSAMLFederated,
isOIDCFederated,
requestedOIDCFlow: !!session?.requested?.oidc,
oidcIdPRequest: session?.requested?.oidcIdPRequest,
},
});
if (!should_disable_sso_trace) {
await this.ssoTraces.saveTrace({
error: getErrorMessage(err),
context: {
tenant: session?.requested?.tenant || oidcConnection?.tenant,
product: session?.requested?.product || oidcConnection?.product,
clientID: session?.requested?.client_id || oidcConnection?.clientID,
providerName: oidcConnection?.oidcProvider?.provider,
acsUrl: session?.requested?.acsUrl,
entityId: session?.requested?.entityId,
redirectUri: redirect_uri,
relayState: RelayState,
isSAMLFederated,
isOIDCFederated,
requestedOIDCFlow: !!session?.requested?.oidc,
oidcIdPRequest: session?.requested?.oidcIdPRequest,
},
});
}

// Rethrow err and redirect to Jackson error page
throw err;
}
Expand Down Expand Up @@ -929,36 +943,40 @@ export class OAuthController implements IOAuthController {
}

await this.sessionStore.delete(RelayState);

return { redirect_url: redirect.success(redirect_uri!, params) };
} catch (err: any) {
const { error, error_description, error_uri, session_state, scope, stack } = err;
const error_message = error_description || getErrorMessage(err);
const traceId = await this.ssoTraces.saveTrace({
error: error_message,
context: {
tenant: oidcConnection.tenant,
product: oidcConnection.product,
clientID: oidcConnection.clientID,
providerName: oidcConnection.oidcProvider.provider,
redirectUri: redirect_uri,
relayState: RelayState,
isSAMLFederated,
isOIDCFederated,
acsUrl: session.requested.acsUrl,
entityId: session.requested.entityId,
requestedOIDCFlow: !!session.requested.oidc,
oidcIdPRequest: session?.requested?.oidcIdPRequest,
profile,
error,
error_description,
error_uri,
session_state_from_op_error: session_state,
scope_from_op_error: scope,
stack,
oidcTokenSet: { id_token: tokens?.id_token, access_token: tokens?.access_token },
},
});
let traceId: string | undefined;

if (!should_disable_sso_trace) {
traceId = await this.ssoTraces.saveTrace({
error: error_message,
context: {
tenant: oidcConnection.tenant,
product: oidcConnection.product,
clientID: oidcConnection.clientID,
providerName: oidcConnection.oidcProvider.provider,
redirectUri: redirect_uri,
relayState: RelayState,
isSAMLFederated,
isOIDCFederated,
acsUrl: session.requested.acsUrl,
entityId: session.requested.entityId,
requestedOIDCFlow: !!session.requested.oidc,
oidcIdPRequest: session?.requested?.oidcIdPRequest,
profile,
error,
error_description,
error_uri,
session_state_from_op_error: session_state,
scope_from_op_error: scope,
stack,
oidcTokenSet: { id_token: tokens?.id_token, access_token: tokens?.access_token },
},
});
}

if (isSAMLFederated) {
throw err;
}
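Review bot: `should_disable_sso_trace` is true only for the exact string `'true'` (`process.env.DISABLE_SSO_TRACE === 'true'` in both declarations), so `DISABLE_SSO_TRACE=1`, `True` or a value with surrounding whitespace silently leaves tracing on, and the trace context keeps persisting the raw `samlResponse`, the resolved `profile`, the error `stack` and, in the last catch block, `oidcTokenSet` with the id and access tokens — precisely the data an operator setting this flag expects not to be stored. The read is also duplicated verbatim in the two methods, so the parsing policy must be kept in sync by hand, and the snake_case name departs from the camelCase used by neighbouring locals such as `isIdPFlow` and `rawResponse`. Suggest one module-level helper next to `deflateRawAsync`, e.g. `const isSsoTraceDisabled = (): boolean => (process.env.DISABLE_SSO_TRACE ?? '').trim().toLowerCase() === 'true';`, called from both catch sites (or read once in the constructor if the class already caches config there — not visible here). Both catch blocks sit in methods whose bodies start and end outside the hunks, and the code that consumes the now-optional `traceId` is not shown, so confirm it tolerates `undefined` when tracing is off.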
