Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass "next" URL through SAML RelayState #851

Merged
merged 2 commits into from
Nov 10, 2023
Merged

Pass "next" URL through SAML RelayState #851

merged 2 commits into from
Nov 10, 2023

Conversation

RJPercival
Copy link
Contributor

@RJPercival RJPercival commented Nov 7, 2023
edited
Loading

Passing the "next" URL to redirect to after authentication completes is the primary use case for RelayState, but the SAML backend did not previously support this use. Instead, it relied on the Strategy to store the "next" URL in session state and restore it from there after login. Unfortunately, in the case of SAML, this does not work if the server has set the session cookie's SameSite attribute to "Lax" or "Strict", as the SAML POST request from the IdP will not contain the session cookie.

The new RelayState format (a JSON object) allows for further extensibility, as arbitrary additional fields can be added in the future.

A number of additional SAML response test fixtures have been added - these differ only in the value of the RelayState parameter, and are used for testing different values (e.g. missing keys in the JSON).

I've manually tested this with Okta and Django and the redirect works as intended (it previously did not).

@codecov Codecov
Copy link

codecov bot commented Nov 7, 2023
edited
Loading

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (b9d9937) 77.20% compared to head (b631796) 77.27%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #851      +/-   ##
==========================================
+ Coverage   77.20%   77.27%   +0.06%     
==========================================
  Files         339      339              
  Lines       10340    10380      +40     
  Branches      696      699       +3     
==========================================
+ Hits         7983     8021      +38     
- Misses       2200     2201       +1     
- Partials      157      158       +1
Flag Coverage Δ
unittests 77.27% <95.83%> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
social_core/actions.py 80.88% <100.00%> (ø)
social_core/tests/actions/actions.py 97.97% <100.00%> (+0.02%) ⬆️
social_core/tests/actions/test_login.py 100.00% <100.00%> (ø)
social_core/tests/backends/test_saml.py 97.75% <100.00%> (+0.45%) ⬆️
social_core/backends/saml.py 80.57% <84.61%> (+0.10%) ⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@RJPercival RJPercival force-pushed the next_url_in_relay_state branch 3 times, most recently from 212a1ea to 9e9df11 Compare November 7, 2023 11:49
@RJPercival RJPercival marked this pull request as ready for review November 7, 2023 11:55
@nijel nijel requested a review from a team November 9, 2023 11:24
@digismack
Copy link
Contributor

Looks good to me. Thanks!

@RJPercival
Pass redirect_name from do_complete action to Backend
0d629f4 
Almost all other arguments to `do_complete` were being passed to the
backend, except for this. Without it, the backend cannot reliably access
the redirect URL in the session state (which is useful if the backend
wants to set the redirect URL, e.g. based on SAML RelayState).
@RJPercival
Pass "next" URL through SAML RelayState
b631796 
This is the primary use case for RelayState, but the SAML backend did not
previously support this use. Instead, it relied on the Strategy to store
the "next" URL in session state and restore it from there after login.
Unfortunately, in the case of SAML, this does not work if the server has
set the session cookie's `SameSite` attribute to "Lax" or "Strict", as the
SAML POST request from the IdP will not contain the session cookie.

The new `RelayState` format (a JSON object) allows for further
extensibility, as arbitrary additional fields can be added in the future.
@RJPercival RJPercival force-pushed the next_url_in_relay_state branch from 9e9df11 to b631796 Compare November 10, 2023 00:30
@RJPercival
Copy link
Contributor Author

Looks like I'm not authorized to merge this @digismack.

@digismack digismack merged commit fcc6894 into python-social-auth:master Nov 10, 2023
8 checks passed
@RJPercival RJPercival deleted the next_url_in_relay_state branch November 10, 2023 07:56
@RJPercival
Copy link
Contributor Author

@digismack, thanks for merging. Any idea when this will go out in a release?

@nijel
Copy link
Member

nijel commented Nov 10, 2023

We need a new release soon to address #854, but it needs to be fixed first…

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@digismack digismack digismack approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@RJPercival @digismack @nijel