FR: SAML Sign In - Interstitial page to send users directly to IdP login screen

chrome/browser/resources/gaia_auth_host/authenticator.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 <include src="saml_handler.js">
 
 /**
  * @fileoverview An UI component to authenciate to Chrome. The component hosts
  * IdP web pages in a webview. A client who is interested in monitoring
  * authentication events should pass a listener object of type
@@ skipping 13 matching lines @@
       'chrome-extension://mfffpogegjflfpflabcdkioaeobkgjik/success.html';
   var SIGN_IN_HEADER = 'google-accounts-signin';
   var EMBEDDED_FORM_HEADER = 'google-accounts-embedded';
   var LOCATION_HEADER = 'location';
   var COOKIE_HEADER = 'cookie';
   var SET_COOKIE_HEADER = 'set-cookie';
   var OAUTH_CODE_COOKIE = 'oauth_code';
   var GAPS_COOKIE = 'GAPS';
   var SERVICE_ID = 'chromeoslogin';
   var EMBEDDED_SETUP_CHROMEOS_ENDPOINT = 'embedded/setup/chromeos';
+  var SAML_REDIRECTION_PATH = 'samlredirect';
 
   /**
    * The source URL parameter for the constrained signin flow.
    */
   var CONSTRAINED_FLOW_SOURCE = 'chrome';
 
   /**
    * Enum for the authorization mode, must match AuthMode defined in
    * chrome/browser/ui/webui/inline_login_ui.cc.
    * @enum {number}
@@ skipping 87 matching lines @@
     this.idpOrigin_ = null;
     this.continueUrl_ = null;
     this.continueUrlWithoutParams_ = null;
     this.initialFrameUrl_ = null;
     this.reloadUrl_ = null;
     this.trusted_ = true;
     this.oauthCode_ = null;
     this.gapsCookie_ = null;
     this.gapsCookieSent_ = false;
     this.newGapsCookie_ = null;
+    this.readyFired_ = false;
 
     this.useEafe_ = false;
     this.clientId_ = null;
 
     this.samlHandler_ = new cr.login.SamlHandler(this.webview_);
     this.confirmPasswordCallback = null;
     this.noPasswordCallback = null;
     this.insecureContentBlockedCallback = null;
     this.samlApiUsedCallback = null;
     this.missingGaiaInfoCallback = null;
@@ skipping 106 matching lines @@
 
   /**
    * Reloads the authenticator component.
    */
   Authenticator.prototype.reload = function() {
     this.clearCredentials_();
     this.webview_.src = this.reloadUrl_;
   };
 
   Authenticator.prototype.constructInitialFrameUrl_ = function(data) {
+    if (data.doSamlRedirect) {
+      var url = this.idpOrigin_ + SAML_REDIRECTION_PATH;
+      url = appendParam(url, 'domain', data.enterpriseDomain);
+      url = appendParam(url, 'continue', data.gaiaUrl +
+          'o/oauth2/programmatic_auth?hl=' + data.hl +
+          '&scope=https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthLogin&' +
+          'client_id=' + encodeURIComponent(data.clientId) +
+          '&access_type=offline');
+
+      return url;
+    }
+
     var path = data.gaiaPath;
     if (!path && this.isNewGaiaFlow)
       path = EMBEDDED_SETUP_CHROMEOS_ENDPOINT;
     if (!path)
       path = IDP_PATH;
     var url = this.idpOrigin_ + path;
 
     if (this.isNewGaiaFlow) {
       if (data.chromeType)
         url = appendParam(url, 'chrometype', data.chromeType);
@@ skipping 400 matching lines @@
   /**
    * Invoked when |samlHandler_| fires 'authPageLoaded' event.
    * @private
    */
   Authenticator.prototype.onAuthPageLoaded_ = function(e) {
     if (!e.detail.isSAMLPage)
       return;
 
     this.authDomain = this.samlHandler_.authDomain;
     this.authFlow = AuthFlow.SAML;
+
+    if (!this.readyFired_) {
+      this.dispatchEvent(new Event('ready'));
+      this.readyFired_ = true;
+    }

[xiyuan, 2016/03/29 02:10:49]

nit: Can we make this a method, e.g. fireReadyEvent, and call it here and  in
onContentLoad_?

[afakhry, 2016/03/29 03:12:02]

Done.

   };
 
   /**
    * Invoked when a link is dropped on the webview.
    * @private
    */
   Authenticator.prototype.onDropLink_ = function(e) {
     this.dispatchEvent(new CustomEvent('dropLink', {detail: e.url}));
   };
 
@@ skipping 21 matching lines @@
     // Posts a message to IdP pages to initiate communication.
     var currentUrl = this.webview_.src;
     if (currentUrl.lastIndexOf(this.idpOrigin_) == 0) {
       var msg = {
         'method': 'handshake',
       };
 
       this.webview_.contentWindow.postMessage(msg, currentUrl);
 
       this.dispatchEvent(new Event('ready'));
+      this.readyFired_ = true;
       // Focus webview after dispatching event when webview is already visible.
       this.webview_.focus();
     }
   };
 
   /**
    * Invoked when the webview fails loading a page.
    * @private
    */
   Authenticator.prototype.onLoadAbort_ = function(e) {
@@ skipping 21 matching lines @@
         this.webview_.contentWindow.postMessage(msg, this.idpOrigin_);
       }).bind(this), EAFE_INITIAL_MESSAGE_DELAY_IN_MS);
     }
   };
 
   /**
    * Invoked when the webview navigates withing the current document.
    * @private
    */
   Authenticator.prototype.onLoadCommit_ = function(e) {
+    if (e.isTopLevel)
+      this.readyFired_ = false;

[xiyuan, 2016/03/29 02:10:49]

Good catch. Move this to clearCredentials_, which is called on every
load/reload. (If you want, you can give it a better name, e.g. resetStates or
something :))

[afakhry, 2016/03/29 03:12:02]

Done. But just to make sure, you meant to remove it from here altogether,
correct?

+
     if (this.oauthCode_)
       this.maybeCompleteAuth_();
   };
 
   /**
    * Returns |true| if event |e| was sent from the hosted webview.
    * @private
    */
   Authenticator.prototype.isWebviewEvent_ = function(e) {
     // Note: <webview> prints error message to console if |contentWindow| is not
@@ skipping 19 matching lines @@
   Authenticator.AuthMode = AuthMode;
   Authenticator.SUPPORTED_PARAMS = SUPPORTED_PARAMS;
 
   return {
     // TODO(guohui, xiyuan): Rename GaiaAuthHost to Authenticator once the old
     // iframe-based flow is deprecated.
     GaiaAuthHost: Authenticator,
     Authenticator: Authenticator
   };
 });