feat: allow request uuid to be stored #174
base: master
Conversation
250c64b to 220d9be
220d9be to cf08ad5
@md5 @supernova32 Does this look ok?
@Jamedjo the code looks good. Are you using this already in your apps?
Introduces a :store_request_uuid option for later comparison with InResponseTo. By default it saves the request uuid in the session as "saml_transaction_id", but also accepts a proc that will then be called with the uuid for custom storage.
cf08ad5 to 8ac901c
Was this ever solved in a different way? I see no updates here, and I was trying to do SP-initiated only log-in by looking at the InResponseTo, but I don't think that is currently possible, is it? Is there any recommendation to avoid CSRF otherwise? How do you recommend to go about this?
I just want to mention, if you are reading this 6+ years later, because you are using omniauth-saml and trying to do a SP flow by implementing a patch like this. If you use Use a separate cookie/session [signed and/or encrypted] to store the session id, possibly using For further checks, read this comment that explains some other considerations with storing authenticated ids and validating if you see them re-used.
What
Introduces a :store_request_uuid option for later comparison with InResponseTo
By default it saves the request uuid in the session as "saml_transaction_id",
but also accepts a proc that will then be called with the uuid for custom storage.
Why
Needed for #172, although we may also want to pass the value to ruby-saml with matches_request_id:.
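The flow the description sketches, written out as an added example in plain Ruby; this is not omniauth-saml's code or the code from this PR. The SP stores the AuthnRequest uuid when it redirects to the IdP (by default under session["saml_transaction_id"], or through a caller-supplied proc) and, when the SAMLResponse comes back, compares its InResponseTo against the stored value once and then discards it, so an IdP-initiated or replayed response is rejected. The Hash standing in for the Rack session, the `SamlTransaction` class name and the "_" prefix on generated ids are assumptions of this example.

```ruby
require 'securerandom'

# Added example, not omniauth-saml's own code. Models the :store_request_uuid
# option the PR describes and the InResponseTo check it enables.
# The session is a plain Hash here; in Rack/Rails it is the request session.
class SamlTransaction
  DEFAULT_SESSION_KEY = 'saml_transaction_id'.freeze

  # store_request_uuid: true (keep it in the session), a Proc (custom storage
  # called with the uuid), or nil/false (nothing stored, check unavailable).
  def initialize(session, store_request_uuid: true)
    @session = session
    @option = store_request_uuid
  end

  # Called when the SP redirects to the IdP. Returns the request uuid so the
  # caller can use it as the AuthnRequest ID attribute. The "_" prefix mirrors
  # the id style used by ruby-saml (assumption for this example).
  def begin_request
    uuid = "_#{SecureRandom.uuid}"
    case @option
    when Proc then @option.call(uuid)
    when true then @session[DEFAULT_SESSION_KEY] = uuid
    end
    uuid
  end

  # Called when the SAMLResponse arrives. `in_response_to` is the response's
  # InResponseTo attribute. `expected` is only used with a custom storage proc:
  # the caller looks the id up from wherever the proc put it.
  # Returns [true, nil] on success or [false, reason]. The stored id is removed
  # on the first check, so the same response cannot be accepted twice.
  def verify_response(in_response_to, expected: nil)
    stored = @option == true ? @session.delete(DEFAULT_SESSION_KEY) : expected
    return [false, :no_stored_request] if stored.nil? || stored.empty?
    return [false, :missing_in_response_to] if in_response_to.nil? || in_response_to.empty?
    return [false, :in_response_to_mismatch] unless secure_compare(stored, in_response_to)

    [true, nil]
  end

  private

  # Constant-time string comparison (same idea as Rack::Utils.secure_compare).
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    left = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ left.shift }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  tx = SamlTransaction.new(session)
  id = tx.begin_request
  puts "stored #{session['saml_transaction_id']}"
  puts "first check:  #{tx.verify_response(id).inspect}"   # [true, nil]
  puts "second check: #{tx.verify_response(id).inspect}"   # [false, :no_stored_request]
end
```

The one-time `delete` is the part that matters for the CSRF and replay concerns raised in the thread: a response is only accepted if this session started the request, and only once.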