How to initiate sign in from server side? (Implementing SAML SSO for single tenant application with next-auth)

[jackrdye]

Hi :), Love your guys work. I am building a next app with SAML SSO. I am following your guide at Add SAML SSO to Next.js App. However my next app is built with the idea of a single organization running it internally, therefore I do not need support for dynamic tenants/products.

Despite that I have been following the guide implementing it as if it were multi-tenants. However, upon the final step at Starts OAUTH Sign In Flow I do not wish the login to be initiated from the client side. I intend on only supporting SAML SSO, thus the desire is to have the user immediately redirected to the Providers login page if they are not authenticated. The suggested signIn function from 'next-auth/react' uses client-side code, I wish for the server to initiate the redirect if it detects they are not authenticated.

Does anyone have any suggestions as to how I can initiate the SAML SSO flow - from server side code - without using the client side signIn function?

Thanks for saml-jackson too, great library something that is needed. Thought I'd use it since I may use it for multi-tenant apps in future. Thanks so much for any suggestions for initialing sign in from server side.

[deepakprabhakara]

You just redirect to the authorize route on the server side instead of initiating it from the client side.

[jackrdye]

Hey going back to the redirect, how should I redirect to the /api/oauth/authorize.ts page?

Current Code:

//login.tsx
import { NextResponse, NextRequest } from 'next/server'
import { getToken } from 'next-auth/jwt'

export async function middleware(req: NextRequest) {
  const session = await getToken({ req });

  if (!session && !(req.nextUrl.pathname.startsWith('/api/oauth') || req.nextUrl.pathname.match('/login'))) {
    return NextResponse.redirect(`${process.env.NEXTAUTH_URL}/api/oauth/authorize`);
  }

  return NextResponse.next();
}

//middleware.ts
import { NextResponse, NextRequest } from 'next/server'
import { getToken } from 'next-auth/jwt'

export async function middleware(req: NextRequest) {
  const session = await getToken({ req });

  if (!session && !req.nextUrl.pathname.startsWith('/api/oauth') && !req.nextUrl.pathname.match('/login'))) {
    return NextResponse.redirect(`${process.env.NEXTAUTH_URL}/api/oauth/authorize`);
  }

  return NextResponse.next();
}

The login.tsx file redirects with the tenant and product provided. How can the middleware redirect with the same args?

Currently when I redirect just to the authorize URL I get a Please specify a redirect URL error, which I don't get when I use the login.tsx. I assume this is due to lack of being able to recognise tenant/product. Thanks for reply's btw, so close to getting it working.

[niwsa]

@jackrdye On the client side, the signin call initiates a POST request to /api/auth/signin/boxyhq-saml?tenant=<tenant>&product=<product>** to get the redirect path. So all that you need to do is make the same POST request on the server side. In doing so you will need to send couple of params in the POST body like the csrfToken. For reference you can have a look at the signIn implementation from next-auth.

Having said that it's much easier for you to initiate the sign in from the client side via the signIn method.

** The tenant and product can be loaded via process.env

[jackrdye]

Awesome thanks so much :)). Ok sounds like I'll just keep a page specific for initiating the process which I'll redirect to.

All seems to be working thanks again :).

[jackrdye]

Hey came back to it a day later and I'm getting an 'Assertion is expired' error. Any ideas?

[jackrdye]

FYI WSL clock falling behind was the issue - microsoft/WSL#10006