Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deflating request when sending POST #241

Open
nkovalenko-sc opened this issue Oct 18, 2017 · 6 comments
Open

Deflating request when sending POST #241

nkovalenko-sc opened this issue Oct 18, 2017 · 6 comments
Labels
bug pr-welcome

Comments

@nkovalenko-sc
Copy link

Hi. I have a problem with skipRequestCompression parameter.
If it's set to false then script (https://github.com/bergie/passport-saml/blob/master/lib/passport-saml/saml.js#L433) deflates request and sends deflated and base64 encoded request using POST (https://github.com/bergie/passport-saml/blob/master/lib/passport-saml/saml.js#L417).

But deflating must be used only when sending HTTP-Redirecting GET request regarding SAML documentation http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.

Please, remove if (self.options.skipRequestCompression) condition and leave only getAuthorizeFormHelper function calling instead.
@markstos
Copy link
Contributor

If you you've believe you've found a bug, please add new test coverage which illustrates the case, if possible.

@nkovalenko-sc
Copy link
Author

Mhm, you can see the logic in provided links and I described the problem. Why do I need to implement a tests?
You have two choices: use GET instead of POST to send login request when skipRequestCompression is false.
Or disable deflating of request when sending login request when skipRequestCompression is false.

@sibelius
Copy link
Contributor

I've hit this issue as well

when skipRequestCompression is false it does not work at well

@sibelius
Copy link
Contributor

Here is more information about it

https://en.wikipedia.org/wiki/SAML_2.0#HTTP_Redirect_Binding

SAML requests or responses transmitted via HTTP Redirect have a SAMLRequest or SAMLResponse query string parameter, respectively. Before it's sent, the message is deflated (without header and checksum), base64-encoded, and URL-encoded, in that order. Upon receipt, the process is reversed to recover the original message.

@markstos
Copy link
Contributor

markstos commented Sep 27, 2018
edited
Loading

@sibelius It sounds like we might not be spec-compliant here, but this isn't a feature I use. Would you be interested in submitting a patch?

@nkovalenko-sc To answer your question: Why do I need to implement a tests? Because this is a community-maintained open source project. No one here is paid to work on the project for you. If you've run into something that seems to be working not quite right for you, you are precisely the person with an incentive to fix it. Automated tests help insure the correctness of the code changes. (In this case, @sibelius has also run into the issue, so perhaps @sibelius will contribute a patch.

@fcorneli
Copy link

When using

authnRequestBinding: "HTTP-POST"

the compression should indeed not kick in.

@PaulaSazonov PaulaSazonov mentioned this issue Aug 27, 2020
Closed
@cjbarth cjbarth removed the 1.0 label Mar 31, 2021
@laurentlp laurentlp mentioned this issue Mar 9, 2022
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug pr-welcome
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@markstos @fcorneli @sibelius @cjbarth @nkovalenko-sc