
Integrating SAML SSO

Open KevinColemanInc opened this issue 10 years ago • 11 comments

Is there any documentation for creating custom grant types?

Basically, I want to be able to issue OAuth tokens if the client provides valid SAML parameters. I am following this draft https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-03 and it proposes a SAML SSO grant type.

KevinColemanInc avatar Dec 21 '15 19:12 KevinColemanInc

Looking at the code, it looks like I need to create my own strategy, and it figures out what klass to use for a grant type based on the camelized grant_type.

So if the spec wants the grant type to be: 'http://oauth.net/grant_type/assertion/saml/2.0/bearer' I am thinking this code needs to be changed to something with more flexible grant_type options.

KevinColemanInc avatar Dec 21 '15 20:12 KevinColemanInc

Is this a bug in doorkeeper? Is there anything we can do in the main repository for you to more easily implement the SAML strategy you are after? I suggest you ask on Stack Overflow too, as someone there might have done something similar to this and might be able to better help.

tute avatar Dec 23 '15 18:12 tute

@tute, it's not so much a bug in doorkeeper, in that the draft spec wants this string to be the grant type: http://oauth.net/grant_type/assertion/saml/2.0/bearer

But, the way doorkeeper is currently designed, it camelizes and constantizes the grant type into a class name. This works for grant types like 'password' or 'implicit_grant', but it won't work for a grant type that looks like a URI.

I propose that grant types to classes are mapped via a hash instead of inferring the class from the name. This would give more flexibility in the future to support grant types that are not formatted with lowercase_separated_by_underscores.

KevinColemanInc avatar Dec 25 '15 16:12 KevinColemanInc
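
The mapping proposed in the comment above, as an added sketch that is not doorkeeper's code and not the code of any pull request linked in this thread. All class, constant and method names are hypothetical, `camelize` is a simplified stand-in for ActiveSupport's `String#camelize`, and the RFC 7522 grant type URN is listed alongside the draft's URI.

```ruby
# Added illustration; every name below is hypothetical, none is doorkeeper's API.

# Simplified stand-in for ActiveSupport's String#camelize: handles only
# underscores and slashes, enough to show what name-based inference yields.
def camelize(name)
  name.split("/").map { |part| part.split("_").map(&:capitalize).join }.join("::")
end

# A Ruby constant path: segments that start with an uppercase letter.
CONSTANT_NAME = /\A[A-Z]\w*(::[A-Z]\w*)*\z/

# True when the camelized grant_type could name a class at all.
def inferable?(grant_type)
  camelize(grant_type).match?(CONSTANT_NAME)
end

module Strategies
  class Password; end     # placeholder strategy classes
  class Saml2Bearer; end
end

class UnsupportedGrantType < StandardError; end

# Explicit allowlist: exact grant_type string => strategy class.
# URI-shaped values are ordinary hash keys, so no name inference is needed.
GRANT_STRATEGIES = {
  "password" => Strategies::Password,
  # value from the draft quoted in this thread
  "http://oauth.net/grant_type/assertion/saml/2.0/bearer" => Strategies::Saml2Bearer,
  # value defined by RFC 7522
  "urn:ietf:params:oauth:grant-type:saml2-bearer" => Strategies::Saml2Bearer
}.freeze

# Unknown or missing values are rejected; the client-supplied string is
# never turned into a constant name.
def strategy_for(grant_type)
  GRANT_STRATEGIES.fetch(grant_type.to_s) do
    raise UnsupportedGrantType, "unsupported grant_type"
  end
end
```

With the lookup keyed on the exact string, a request is served only for grant types the application registered, whatever their spelling.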

> I propose that grant types to classes are mapped via a hash instead of inferring the class from the name. This would give more flexibility in the future to support grant types that are not formatted with lowercase_separated_by_underscores.

Here is an implementation that addresses this issue: https://github.com/doorkeeper-gem/doorkeeper/pull/733

tute avatar Jan 21 '16 19:01 tute

Also related with: https://github.com/doorkeeper-gem/doorkeeper-grants_assertion/issues/9#issuecomment-166970162

tute avatar Jan 21 '16 19:01 tute

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 26 '19 09:12 stale[bot]

https://tools.ietf.org/html/rfc7522

The draft is finalized.

KevinColemanInc avatar Dec 26 '19 17:12 KevinColemanInc

@KevinColemanInc it's now possible to register custom grant types, one step forward to implement this ticket :)

nbulaj avatar May 29 '20 21:05 nbulaj

Has anyone on this ticket made any progress with SAML? I'm about to start implementing it for my app, but if there's already some work-in-progress that would be a big help.

emptyflask avatar Nov 04 '20 23:11 emptyflask

When I implemented SAML, I used the ruby-saml gem and "manually" created the Doorkeeper tokens and returned them to the client. I didn't bother to try to add it to doorkeeper b/c the learning curve for doorkeeper was a bit higher than I felt comfortable to bill my client for.

KevinColemanInc avatar Nov 04 '20 23:11 KevinColemanInc