Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Response mode: “form_post” #31

Open
ar-filho opened this issue Jan 16, 2023 · 5 comments
Open

Response mode: “form_post” #31

ar-filho opened this issue Jan 16, 2023 · 5 comments

Comments

@ar-filho
Copy link

When trying to authenticate with the parameter [ 'response_mode': 'form_post' ], the plugin generates the message by “oidcop.oauth2.authorization.authz_part2:905”, however when trying to respond, satosa_oidcop, displays the message:

File "/usr/local/lib/python3.11/site-packages/satosa_oidcop/idpy_oidcop.py", line 699, in _handle_backend_response
     data = _args["response_args"].to_dict()
            ~~~~~^^^^^^^^^^^^^^^^^
KeyError: 'response_args'

When debugging, the variable “response_args” has no content.

Expected action:
Frontend posts the content of:
'response_msg' generated in oidcop.oauth2.authorization.authz_part2:905
for the requester in 'session_id'.

*Lines may be different because of pdb.
@peppelinux
Copy link
Member

peppelinux commented Jan 16, 2023
edited
Loading

Ok,

To get a good solution in a collaborative way I have to ask you to start a branch/PR with a unit test that reproduces this problem

Then I'll add my commits and then we'll decide when merge and release

Thank you @ar-filho, your contribution Is really appreciated

@peppelinux
Copy link
Member

peppelinux commented Jan 17, 2023
edited
Loading

This issue focuses our attention on the support of https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html in oidcop and idpy-oidc

both supports form_post (see https://github.com/IdentityPython/oidc-op/search?q=form_post)

So I would use a unit test that reproduces a request with response_mode=form_post and then check the value of response_placement here https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/blob/main/satosa_oidcop/idpy_oidcop.py#L690

@peppelinux
Copy link
Member

do you still have this issue @ar-filho ?

@Yoroitchi
Copy link
Contributor

Hello,
As of today, i can confirm this issue is still there

[2024-08-28 11:37:12,804] [ERROR] [satosa.proxy_server.__call__] Unknown error
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/satosa/base.py", line 254, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/usr/local/lib/python3.9/site-packages/satosa/base.py", line 179, in _run_bound_endpoint
    return spec(context)
  File "/usr/local/lib/python3.9/site-packages/satosa/backends/saml2.py", line 419, in authn_response
    return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
  File "/usr/local/lib/python3.9/site-packages/satosa/base.py", line 150, in _auth_resp_callback_func
    return self._auth_resp_finish(context, internal_response)
  File "/usr/local/lib/python3.9/site-packages/satosa/base.py", line 119, in _auth_resp_finish
    return frontend.handle_authn_response(context, internal_response)
  File "/usr/local/lib/python3.9/site-packages/satosa_oidcop/idpy_oidcop.py", line 814, in handle_authn_response
    response = self._handle_backend_response(context, internal_resp)
  File "/usr/local/lib/python3.9/site-packages/satosa_oidcop/idpy_oidcop.py", line 786, in _handle_backend_response
    data = _args["response_args"].to_dict()
KeyError: 'response_args'

@Yoroitchi
Copy link
Contributor

After further investigation, this issue seems a bit complicated.
The problem comes from here https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/blob/main/satosa_oidcop/idpy_oidcop.py#L782 as info doesn't hold response_placement as shown in the logs I gathered
With form post

[2024-08-29 11:34:41,555] [DEBUG] [satosa_oidcop.idpy_oidcop._handle_backend_response] info: {'response': 'https://dev-test-rp.federation.renater.fr/redirect_uri', 'http_headers': [('Content-type', 'application/x-www-form-urlencoded'), ('Pragma', 'no-cache'), ('Cache-Control', 'no-store')]}

withtout form post

[2024-08-29 11:35:52,317] [DEBUG] [satosa_oidcop.idpy_oidcop._handle_backend_response] info: {'response': 'https://dev-test-rp.federation.renater.fr/redirect_uri', 'http_headers': [('Content-type', 'application/x-www-form-urlencoded'), ('Pragma', 'no-cache'), ('Cache-Control', 'no-store')]}

We can even see that in both cases, info has the exact same values which leads _response_placement to always be set to endpoint.response_placement aka "url" as it is the default value, see https://github.com/IdentityPython/idpy-oidc/blob/main/src/idpyoidc/server/oauth2/authorization.py

In this case we can observe that when using form_post, _args doesn't hold an AuthorizationResponse, which is more an issue on the side of idpyoidc IMO, but that is a story for another time.
Using form_post

[2024-08-29 12:14:30,523] [DEBUG] [satosa_oidcop.idpy_oidcop._handle_backend_response] _args: dict_keys(['session_id', 'response_msg', 'content_type', 'response_placement', 'cookie'])

Using query

[2024-08-29 12:15:15,829] [DEBUG] [satosa_oidcop.idpy_oidcop._handle_backend_response] _args: dict_keys(['response_args', 'fragment_enc', 'session_id', 'return_uri', 'cookie'])

BUT, we can observe that _args holds response_placement when using form_post, which I think can be a good starting point to correct this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@peppelinux @Yoroitchi @ar-filho