
feat(schemas): add idp-initiated SSO client side callback url columns

Open simeng-li opened this issue 4 months ago • 1 comment

Summary

Alter the `sso_connector_idp_initiated_auth_configs` to support directly redirecting the user to the client app to initiate a standard OIDC authorization request.

Context

For better security and to support SPA applications, instead of automatically sending the OIDC authorization request from the server side, we provide a more recommended option: redirect the user to the client side to initiate an OIDC authentication flow.

Since the IdP-initiated SAML SSO authentication request is unsolicited, sending an OIDC authorization request directly from the server side cannot provide the necessary CSRF attack protection.

E.g. the `state` parameter and PKCE flow for SPA applications.

As a better recommendation, by default, we redirect the user to a given client callback URL to initiate a standard OIDC auth flow, while keeping a live IdP-initiated SSO assertion session, so the user can be automatically authenticated via the same SSO connector.

Option A (Default):

  • `auto_send_authorization_request` set to false.
  • Provide a field `client_idp_initiated_auth_callback_uri` in the config.
  • Logto will create an IdP-initiated SAML SSO session, and redirect the user to the above URL to trigger a standard OIDC authentication request with the sign-in param `direct-sign-in=sso:{connectorId}`.

Option B (Previously implemented):

  • `auto_send_authorization_request` set to true.
  • Set the `redirect_uri` and other `auth_parameters`.
  • Logto generates and sends an OIDC authorization request on behalf of the user.

Updates

  • Add new field `auto_send_authorization_request`. Default false. When disabled, Logto will redirect the user to the client side to trigger an auth request.
  • Add new field `client_idp_initiated_auth_callback_uri`. Exclusively stores the client side IdP-initiated auth callback URL.
  • Add SPA application type.

Testing

Checklist

  • [ ] .changeset
  • [ ] unit tests
  • [ ] integration tests
  • [x] necessary TSDoc comments

simeng-li, Oct 14 '24 07:10