Skip to content

feat: allow request uuid to be stored#174

Open
Jamedjo wants to merge 1 commit intoomniauth:masterfrom
Jamedjo:jej/allow-storing-request-uuid
Open

feat: allow request uuid to be stored#174
Jamedjo wants to merge 1 commit intoomniauth:masterfrom
Jamedjo:jej/allow-storing-request-uuid

Conversation

@Jamedjo
Copy link

@Jamedjo Jamedjo commented Mar 25, 2019

What

Introduces a :store_request_uuid option for later comparison with InResponseTo

By default it saves the request uuid in the session as "saml_transaction_id",
but also accepts a proc that will then be called with the uuid for custom storage.

Why

Needed for #172, although we may also want to pass the value to ruby-saml with matches_request_id:.

@Jamedjo Jamedjo force-pushed the jej/allow-storing-request-uuid branch from 250c64b to 220d9be Compare March 25, 2019 09:33
@coveralls
Copy link

coveralls commented Mar 25, 2019
edited
Loading

Coverage Status

Coverage remained the same at 100.0% when pulling 8ac901c on Jamedjo:jej/allow-storing-request-uuid into 715cc44 on omniauth:master.

@Jamedjo Jamedjo force-pushed the jej/allow-storing-request-uuid branch from 220d9be to cf08ad5 Compare March 25, 2019 10:58
@Jamedjo
Copy link
Author

Jamedjo commented Mar 25, 2019

@md5 @supernova32 Does this look ok?

suprnova32
suprnova32 previously approved these changes Apr 17, 2019
View reviewed changes
Copy link
Member

@suprnova32 suprnova32 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Jamedjo the code looks good. Are you using this already in your apps?

bufferoverflow
bufferoverflow previously approved these changes May 5, 2019
View reviewed changes
feat: allow request uuid to be stored
8ac901c 
Introduces a :store_request_uuid option for later comparison with InResponseTo

By default it saves the request uuid in the session as "saml_transaction_id",
but also accepts a proc that will then be called with the uuid for custom storage.
@Jamedjo Jamedjo dismissed stale reviews from bufferoverflow and suprnova32 via 8ac901c March 13, 2020 12:11
@Jamedjo Jamedjo force-pushed the jej/allow-storing-request-uuid branch from cf08ad5 to 8ac901c Compare March 13, 2020 12:11
@alexrecuenco
Copy link

alexrecuenco commented Oct 6, 2023

Was this ever solved in a different way? I see no updates here, and I was trying to do SP-initiated only log-in by looking at the InResponseTo, but I don't think that is currently possible, is it?

Is there any recommendation to avoid CSFR otherwise?

How do you recommend to go about this?

@alexrecuenco
Copy link

alexrecuenco commented Feb 20, 2025

I just want to mention, if you are reading this 6+ years later, because you are using omniauth-saml and trying to do a SP flow by implementing a patch like this.

If you use SameSite Lax or Strict on your session cookies, which you probably should do, it won't work because the reply back is a POST request, so it doesn't have any session cookie.

Use a separate cookie/session [signed and/or encrypted] to store the session id, possibly using __Host- that has SameSite none, and perhaps with a name that contains the provider name and a short expiration time.

For further checks, read this comment that explains some other considerations with storing authenticated ids and validating if you see them re-used.
simplesamlphp/simplesamlphp#230 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bufferoverflow bufferoverflow bufferoverflow left review comments

@suprnova32 suprnova32 suprnova32 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Jamedjo @coveralls @alexrecuenco @bufferoverflow @suprnova32