-
Notifications
You must be signed in to change notification settings - Fork 475
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Exposing signature validation errors? #247
Comments
(specifically, would a pull request adding this be welcome?) |
Yes, a PR is welcome. . Before I was a maintainer myself, I ran into this problem, and it was maddening that there were multiple cases that could trigger the same 'Invalid Signature' error, and I couldn't tell from the error which case had been triggered. I tried to find the previous PR or Issue discussing this very issue, but I couldn't find it just now. |
I'm in favor of more specific error messages. You are right to be concerned that the more detailed error messages might be a security concern, but the developer is always welcome to catch the errors and throw a more generic error back to the user if they prefer. |
I may be able to help with this; I've just spent all day with the Node debugger attached to a process in my production environment hunting down an invalid signature. Looking through the code, in most cases it should be as simple as just throwing an error instead of just returning false. In others - those which use |
@ccampanale Just yesterday I realized a new version of |
@markstos I didn't even realize that! Let me bump our package refs and take a look. I'll let you know. Thanks! |
👍 Sorry I never got around to making a PR 🙈 |
Bumped the version and tested. Still seeing our same issues but I'm pretty sure the issues are with our IDP. The new error messages are nice as they let you know where exactly in |
@ccampanale If you'd like to make a PR to pass along the detailed failures from |
Yeah, since I'm still fighting the good fight with my organization's IDP and can't get our production deployment to work I may very well do that. As you said, if nothing else it may save others a good deal of time troubleshooting strange failures and/or from a forensics collection perspective. |
I just about pulled my hair out with a recent integration, only to eventually realize that the profile field mapping between them and us wasn't as expected. It's increasingly tempting to consider using Okta or OneLogin for their "Service Provider" offering. |
Currently whatever error causes the SAML response signature validation to fail, the same error message is returned.
Would you be open to exposing these somehow? (Either in more detailed error messages, or via a property on the SAML object and method on the strategy to read it), or is hiding the specific error a deliberate decision to make attacks harder?
The text was updated successfully, but these errors were encountered: