ProviderConfig._load_federation_metadata loads expired certificates

[erfaan]

The ADFS Server 2012 R2 configuration looks like this:

Please note that the first certificate is active whereas the second one is expired.

The Federation metadata lists both certificates under fed:SecurityTokenServiceType.

Following code loads all certificates including the expired one.

django-auth-adfs/django_auth_adfs/config.py

Lines 295 to 304 in 378f141

	# Extract token signing certificates
	xml_tree = ElementTree.fromstring(response.content)
	cert_nodes = xml_tree.findall(
	"./{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor"
	"[@{http://www.w3.org/2001/XMLSchema-instance}type='fed:SecurityTokenServiceType']"
	"/{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor[@use='signing']"
	"/{http://www.w3.org/2000/09/xmldsig#}KeyInfo"
	"/{http://www.w3.org/2000/09/xmldsig#}X509Data"
	"/{http://www.w3.org/2000/09/xmldsig#}X509Certificate")
	signing_certificates = [node.text for node in cert_nodes]

This causes the callback to fail with "Signature verification failed" error.

Upvote & Fund

• We're using Polar.sh so you can upvote and help fund this issue.
• We receive the funding once the issue is completed & confirmed by you.
• Thank you in advance for helping prioritize & fund our backlog.

[tim-schilling]

Thank you for opening an issue, would you be able to create a PR to fix this?