[BUG] `issuer` is now required in getSamlOptions() callback, even where it's already specified in MultiSamlStrategy config

[oliverlockwood]

From reading past issues, I think this bug is likely to be a consequence of the fix for #89.

If you are using MultiSamlStrategy, you might initialise it like:

        return new MultiSamlStrategy(
            {
                issuer: 'my-issuer',
                passReqToCallback: true,
                getSamlOptions: async (req: Request, done: SamlOptionsCallback) => await this.fetchConfig(req, done)
            },
            // for sign-on
            (req: Request, profile: any, done: VerifiedCallback) => done(null, profile),
            // for logout
            (req: Request, profile: any, done: VerifiedCallback) => done(null, profile)
        );

In the constructor, the first argument is defined to have type MultiStrategyConfig, which is Partial<SamlConfig> & StrategyOptions & BaseMultiStrategyConfig;

Since it's a Partial<SamlConfig>, it's clearly not mandatory to provide issuer here. I have no problem with this.
However, you are free to choose to provide it, and the documentation at http://www.passportjs.org/packages/passport-saml/ clearly says:

The options passed when the MultiSamlStrategy is initialized are also passed as default values to each provider. e.g. If you provide an issuer on MultiSamlStrategy, this will be also a default value for every provider. You can override these defaults by passing a new value through the getSamlOptions function.

The SamlOptionsCallback function type is defined such that you must provide a SamlConfig (or null).
Thereby, you are forced to specify the issuer field, which is in direct conflict with the documentation above.

This issue can be worked around, but it causes a bit of spaghetti in our case, and since the documentation says otherwise, it would be good to fix.

[cjbarth]

That sounds like a deficiency in the types. Please feel free to put up a PR to suggest a fix for this.

[oliverlockwood]

Thanks @cjbarth. I've just raised PR node-saml/passport-saml#838 as a proposal for this. Apologies that the PR has turned out to be in a different repo!

[oliverlockwood]

Update: this issue is fundamentally caused by #90.

[cjbarth]

It could very well be so, and I wasn't rigorous enough in my requirements for tests to well-define the scope of the need for issuer. Since #89 called out an actual run-time problem which would have been caught by having more rigorous typing, I let it slide a little. Sorry.

In order to prevent going back-and-forth on this matter, it would be nice if we could have a definitive set of tests to establish exactly when issuer is required. I don't have the bandwidth at the moment to have a look at this as I'm trying to finish some stuff up with xml-crypto before I turn my full attention back to node-saml.