sources/saml: fix previous request ID being wrongly compared

The stored request ID was compared against the response's own ID attribute instead of its InResponseTo field.
This commit is contained in:
Jens Langhammer 2020-09-13 14:00:56 +02:00
parent ca0ba85023
commit 0161205c82
2 changed files with 6 additions and 3 deletions


@ -76,11 +76,14 @@ class ResponseProcessor:
def _verify_request_id(self, request: HttpRequest): def _verify_request_id(self, request: HttpRequest):
if self._source.allow_idp_initiated: if self._source.allow_idp_initiated:
return return
if SESSION_REQUEST_ID not in request.session or "ID" not in self._root.attrib: if (
SESSION_REQUEST_ID not in request.session
or "InResponseTo" not in self._root.attrib
):
raise MismatchedRequestID( raise MismatchedRequestID(
"Missing request ID and IdP-initiated Logins are not allowed" "Missing InResponseTo and IdP-initiated Logins are not allowed"
) )
if request.session[SESSION_REQUEST_ID] != self._root.attrib["ID"]: if request.session[SESSION_REQUEST_ID] != self._root.attrib["InResponseTo"]:
raise MismatchedRequestID("Mismatched request ID") raise MismatchedRequestID("Mismatched request ID")
def _handle_name_id_transient(self, request: HttpRequest) -> HttpResponse: def _handle_name_id_transient(self, request: HttpRequest) -> HttpResponse:
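Review bot: The stored request ID is not consumed once it matches on the final `if` of `_verify_request_id`, so unless the processor removes it elsewhere (not visible in this hunk) the same response could be submitted again within the session's lifetime and still pass this check, subject only to whatever other time-bound checks the processor applies; consuming it with `request.session.pop(SESSION_REQUEST_ID)` after the mismatch check would make the ID single-use. The method also has no docstring; a one-liner such as `"""Verify that the response's InResponseTo matches the AuthnRequest ID stored in the session, unless IdP-initiated logins are allowed."""` would state the contract. As a point of style, the new comparison line on `self._root.attrib["InResponseTo"]` runs well past the wrapped width used for the new `if (` block directly above it and would be reflowed by black.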