Session Refactor: Add SAMLSession (#94490)

* add saml session struct * resolve saml session * Add NameID --------- Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
2024-11-24 09:50:29 -06:00 · 2024-10-10 16:57:34 +02:00 · 2024-10-10 16:57:34 +02:00 · 21d26de4d8
commit 21d26de4d8
parent e30c398087
3 changed files with 26 additions and 10 deletions
--- a/pkg/services/authn/authnimpl/service.go
+++ b/pkg/services/authn/authnimpl/service.go
@ -491,7 +491,7 @@ func orgIDFromHeader(req *http.Request) int64 {
 }

 func (s *Service) resolveExternalSessionFromIdentity(ctx context.Context, identity *authn.Identity, userID int64) *auth.ExternalSession {
-	if identity.OAuthToken == nil {
+	if identity.OAuthToken == nil && identity.SAMLSession == nil {
 		return nil
 	}

@ -506,18 +506,26 @@ func (s *Service) resolveExternalSessionFromIdentity(ctx context.Context, identi
 		UserAuthID: info.Id,
 		UserID:     userID,
 	}
-	extSession.AccessToken = identity.OAuthToken.AccessToken
-	extSession.RefreshToken = identity.OAuthToken.RefreshToken
-	extSession.ExpiresAt = identity.OAuthToken.Expiry

-	if idToken, ok := identity.OAuthToken.Extra("id_token").(string); ok && idToken != "" {
-		extSession.IDToken = idToken
+	if identity.OAuthToken != nil {
+		extSession.AccessToken = identity.OAuthToken.AccessToken
+		extSession.RefreshToken = identity.OAuthToken.RefreshToken
+		extSession.ExpiresAt = identity.OAuthToken.Expiry
+
+		if idToken, ok := identity.OAuthToken.Extra("id_token").(string); ok && idToken != "" {
+			extSession.IDToken = idToken
+		}
+
+		// As of https://openid.net/specs/openid-connect-session-1_0.html
+		if sessionState, ok := identity.OAuthToken.Extra("session_state").(string); ok && sessionState != "" {
+			extSession.SessionID = sessionState
+		}
+
+		return extSession
 	}

-	// As of https://openid.net/specs/openid-connect-session-1_0.html
-	if sessionState, ok := identity.OAuthToken.Extra("session_state").(string); ok && sessionState != "" {
-		extSession.SessionID = sessionState
-	}
+	extSession.SessionID = identity.SAMLSession.SessionIndex
+	extSession.NameID = identity.SAMLSession.NameID

 	return extSession
 }
--- a/pkg/services/authn/identity.go
+++ b/pkg/services/authn/identity.go
@ -64,6 +64,8 @@ type Identity struct {
 	Groups []string
 	// OAuthToken is the OAuth token used to authenticate the entity.
 	OAuthToken *oauth2.Token
+	// SAMLSession is the SAML session information.
+	SAMLSession *login.SAMLSession
 	// SessionToken is the session token used to authenticate the entity.
 	SessionToken *usertoken.UserToken
 	// ClientParams are hints for the auth service on how to handle the identity.
--- a/pkg/services/login/model.go
+++ b/pkg/services/login/model.go
@ -27,6 +27,7 @@ type UserAuth struct {

 type ExternalUserInfo struct {
 	OAuthToken     *oauth2.Token
+	SAMLSession    *SAMLSession
 	AuthModule     string
 	AuthId         string
 	UserId         int64
@ -40,6 +41,11 @@ type ExternalUserInfo struct {
 	SkipTeamSync   bool
 }

+type SAMLSession struct {
+	NameID       string
+	SessionIndex string
+}
+
 func (e *ExternalUserInfo) String() string {
 	isGrafanaAdmin := "nil"
 	if e.IsGrafanaAdmin != nil {