Ensure SAML POST requests preserve an existing session#5624
Merged
Conversation
orenyk
commented
Nov 21, 2021
orenyk
commented
Nov 21, 2021
orenyk
commented
Nov 21, 2021
jmhooper
reviewed
Nov 22, 2021
orenyk
commented
Nov 23, 2021
Contributor
Author
@jmhooper @zachmargolis so this test works (e.g. fails when we don't update the path in the concern) but only when the routes are reordered a little so that the `get` comes after the `post`. I think this has to do with the fact that RSpec looks for a match in the routes file but doesn't check the HTTP verb, so if the `get` comes first it actually sets the request path to `/api/saml/auth2021`, even though this controller action is handled by `/api/saml/authpost2021` when `post` is used.
jmhooper
reviewed
Nov 23, 2021
jmhooper
approved these changes
Nov 23, 2021
Contributor
jmhooper
left a comment
Had a comment about a test, but think this should work otherwise
Currently, an external POST request to the IdP will not have access to an existing session since the cookie is blocked due to `SameSite=Lax`. This results in users with an active session having to sign in again if sent back to the IdP with a POST SAML request. However, if the POST request comes _from_ the IdP the session will be available in that request. Therefore, this commit inserts a new action within our SAML POST handling that captures the SAML parameters of the original POST request, populates a form with them (with appropriate CSRF handling), and then submits that form with JS to create an "internal" POST request with access to the session. This new action skips session handling so it does not override an existing IdP session cookie.
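The two hops the description above lays out, as an added example in plain Ruby (not code from identity-idp or this PR): a model of the browser's `SameSite=Lax` decision, the self-submitting interstitial form, and an IdP endpoint that skips `Set-Cookie` when the request arrived without a session. The `site_of` helper, the endpoint URL `https://idp.example/api/saml/authpost2021`, the `authenticity_token` check and all request data are constructed for the example; token issuance is assumed to happen elsewhere.

```ruby
require "cgi"
require "uri"

SAFE_METHODS = %w[GET HEAD].freeze
SAML_PARAMS  = %w[SAMLRequest RelayState SigAlg Signature].freeze

# "Site" of a URL, simplified to the last two host labels. Real browsers
# consult the Public Suffix List; this shortcut is an assumption of the demo.
def site_of(url)
  URI.parse(url).host.split(".").last(2).join(".")
end

# Browser decision for a cookie set with SameSite=Lax: attached when the page
# initiating the request is same-site with the target, or when the request is
# a cross-site top-level navigation using a safe method. A cross-site POST
# (SP -> IdP via the HTTP-POST binding) therefore arrives with no cookie.
def lax_cookie_sent?(initiator_url:, target_url:, method:, top_level: true)
  return true if site_of(initiator_url) == site_of(target_url)
  top_level && SAFE_METHODS.include?(method.upcase)
end

# Constant-time string comparison for the CSRF token (assumed token scheme).
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The interstitial served in response to the cookie-less POST: a form carrying
# the original SAML parameters that JavaScript immediately re-submits to the
# IdP's own endpoint. Only known SAML fields are copied, and every value is
# HTML-escaped so SP-controlled input cannot break out of the markup.
def build_repost_form(action:, params:, csrf_token:)
  fields = params.slice(*SAML_PARAMS).map do |name, value|
    %(<input type="hidden" name="#{CGI.escapeHTML(name)}" value="#{CGI.escapeHTML(value.to_s)}">)
  end
  fields << %(<input type="hidden" name="authenticity_token" value="#{CGI.escapeHTML(csrf_token)}">)
  <<~HTML
    <!DOCTYPE html>
    <form id="saml-repost" method="post" action="#{CGI.escapeHTML(action)}">
      #{fields.join("\n  ")}
      <noscript><button type="submit">Continue</button></noscript>
    </form>
    <script>document.getElementById("saml-repost").submit();</script>
  HTML
end

# Server side. Without a session cookie the endpoint serves the interstitial
# and deliberately emits no Set-Cookie (session handling skipped), so a fresh
# empty session does not overwrite the browser's existing one before the
# re-POST can use it. With the cookie present it checks the CSRF token and
# proceeds to real authentication handling.
def handle_saml_post(session_cookie:, params:, endpoint:, csrf_token:)
  if session_cookie.nil?
    { status: 200, set_cookie: nil,
      body: build_repost_form(action: endpoint, params: params, csrf_token: csrf_token) }
  elsif !secure_equal?(params["authenticity_token"], csrf_token)
    { status: 403, set_cookie: nil, error: "invalid authenticity token" }
  else
    { status: 200, set_cookie: nil, session: session_cookie,
      saml_request: params["SAMLRequest"] }
  end
end

# End-to-end simulation of both hops (constructed, no real HTTP).
def saml_post_flow(sp_url:, idp_endpoint:, params:, session_cookie:, csrf_token:)
  # Hop 1: cross-site POST from the SP page, cookie withheld by the browser.
  hop1 = lax_cookie_sent?(initiator_url: sp_url, target_url: idp_endpoint, method: "POST")
  resp1 = handle_saml_post(session_cookie: hop1 ? session_cookie : nil, params: params,
                           endpoint: idp_endpoint, csrf_token: csrf_token)
  # Hop 2: the interstitial page itself submits the form, so the initiator is
  # now the IdP and the POST is same-site; the form carries the token.
  hop2 = lax_cookie_sent?(initiator_url: idp_endpoint, target_url: idp_endpoint, method: "POST")
  resp2 = handle_saml_post(session_cookie: hop2 ? session_cookie : nil,
                           params: params.slice(*SAML_PARAMS).merge("authenticity_token" => csrf_token),
                           endpoint: idp_endpoint, csrf_token: csrf_token)
  { hop1_cookie: hop1, hop2_cookie: hop2, interstitial: resp1, final: resp2 }
end
```

Running `saml_post_flow` with an SP origin and an IdP endpoint on different sites shows the first hop arriving without the cookie and the second hop, initiated from the IdP-served form, arriving with it; the interstitial response carries no `Set-Cookie`, which is the property the description calls out.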
jmhooper
approved these changes
Nov 23, 2021