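// Round-trips a signed SAML 1.1 assertion through the passport validator and
// checks that the configured attributes, name identifier and issuer come back
// on the resulting profile.
it('should parse attributes', function (done) {
  // cert created with:
  // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem
  var options = {
    cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
    key: fs.readFileSync(__dirname + '/test-auth0.key'),
    issuer: 'urn:issuer',
    lifetimeInSeconds: 600,
    audiences: 'urn:myapp',
    attributes: {
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '*****@*****.**',
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
    },
    nameIdentifier: 'foo',
    nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
  };

  var signedAssertion = saml11.create(options);

  // Validation uses only the public certificate and the realm the assertion
  // was issued for.
  var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString();
  var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'});

  saml_passport.validateSamlAssertion(signedAssertion, function (error, profile) {
    // Report validation failures through done() rather than letting
    // assert.ok(undefined) throw inside the callback.
    if (error) return done(error);
    assert.ok(profile);
    assert.equal('foo', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']);
    assert.equal('Foo Bar', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']);
    assert.equal('*****@*****.**', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']);
    assert.equal('*****@*****.**', profile['email']);
    assert.equal('urn:issuer', profile['issuer']);
    done();
  });
});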
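// Same round-trip as the attribute test, but with non-ASCII (Cyrillic) values
// in the attributes and the name identifier to make sure the assertion is
// encoded and decoded without corruption.
it('should handle unicode', function (done) {
  var options = {
    cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
    key: fs.readFileSync(__dirname + '/test-auth0.key'),
    issuer: 'urn:issuer',
    lifetimeInSeconds: 600,
    audiences: 'urn:myapp',
    attributes: {
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'сообщить@bar.com',
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'сообщить вКонтакте'
    },
    nameIdentifier: 'вКонтакте',
    nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
  };

  var signedAssertion = saml11.create(options);

  var publicKey = fs.readFileSync(__dirname + '/test-auth0.cer').toString();
  var saml_passport = new SamlPassport({cert: publicKey, realm: 'urn:myapp'});

  // The result is delivered via the callback only; the previous `var profile =`
  // capture of the return value was never read and shadowed the callback's
  // own `profile` parameter.
  saml_passport.validateSamlAssertion(signedAssertion, function (error, profile) {
    if (error) return done(error);
    assert.ok(profile);
    assert.equal('вКонтакте', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier']);
    assert.equal('сообщить вКонтакте', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name']);
    assert.equal('сообщить@bar.com', profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']);
    done();
  });
});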
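/**
 * WS-Federation sign-in step: resolves the current user, mints either a
 * SAML 1.1 assertion (wrapped in a RequestSecurityTokenResponse) or a JWT,
 * and hands it to responseHandler for delivery to postUrl.
 *
 * Reads the enclosing-scope `options` (audience, keys, issuer, lifetime,
 * profile mapping, jwt switches) and the helpers asResource, utils,
 * responseHandler, saml11, jwt and xtend.
 *
 * @param {string} postUrl - Where the token response is posted back to.
 * @param {Object} req - Request; wtrealm, wreply and wctx are read from req.query.
 * @param {Object} res - Response; answered with 401 when no user is resolved.
 * @param {Function} next - Error-first continuation for missing audience and signing errors.
 */
function execute (postUrl, req, res, next) {
  // NOTE(review): when options.audience is not configured the audience comes
  // verbatim from the request query (wtrealm, then wreply), i.e. the
  // requester picks the audience the token is minted for — confirm the set
  // of accepted realms is constrained by the caller or the profile mapper.
  var audience = options.audience || req.query.wtrealm || req.query.wreply;
  if (!audience) {
    return next(new Error('audience is required'));
  }
  audience = asResource(audience);

  var user = options.getUserFromRequest(req);
  if (!user) return res.send(401);

  var ctx = options.wctx || req.query.wctx;

  // Issuer and lifetime are shared by both token formats; the lifetime
  // defaults to 8 hours when neither option is configured.
  var issuer = asResource(options.issuer);
  var lifetimeInSeconds = options.lifetime || options.lifetimeInSeconds || (60 * 60 * 8);

  if (!options.jwt) {
    var profileMap = options.profileMapper(user);
    var claims = profileMap.getClaims(options);
    var ni = profileMap.getNameIdentifier(options);

    saml11.create({
      signatureAlgorithm: options.signatureAlgorithm,
      digestAlgorithm: options.digestAlgorithm,
      cert: options.cert,
      key: options.key,
      issuer: issuer,
      lifetimeInSeconds: lifetimeInSeconds,
      audiences: audience,
      attributes: claims,
      nameIdentifier: ni.nameIdentifier,
      nameIdentifierFormat: ni.nameIdentifierFormat,
      encryptionPublicKey: options.encryptionPublicKey,
      encryptionCert: options.encryptionCert
    }, function (err, assertion) {
      if (err) return next(err);

      // ctx is XML-escaped before being interpolated into the Context
      // attribute; the raw ctx is still passed on to responseHandler, which
      // is expected to encode it for its own output format — TODO confirm.
      var escapedWctx = utils.escape(ctx);
      assertion = '<t:RequestSecurityTokenResponse Context="' + escapedWctx + '" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:RequestedSecurityToken>' + assertion + '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>';

      return responseHandler(res, postUrl, ctx, assertion);
    });
  } else {
    // Optional extra claims are merged into a copy of the user profile.
    if (options.extendJWT && typeof options.extendJWT === 'object') {
      user = xtend(user, options.extendJWT);
    }

    var signed = jwt.sign(user, options.key.toString(), {
      // jwt.sign expects the lifetime in minutes here.
      expiresInMinutes: lifetimeInSeconds / 60,
      audience: audience,
      issuer: issuer,
      algorithm: options.jwtAlgorithm || 'RS256'
    });

    return responseHandler(res, postUrl, ctx, signed);
  }
}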