-
Notifications
You must be signed in to change notification settings - Fork 475
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Certificate mismatch does not throw descriptive error #381
Comments
Also this is a great library! Thanks for making it! |
Came to add the same issue. I am writing tests for the case where a rogue IdP in a multi-saml configuration tries to spoof a login response for a user associated with a different IdP. This gets correctly handled by In our express app, I added the following to our global error handling:
so the client sees this as 401 rather than 500 (as 500 errors trigger alerts for engineers to investigate the cause). |
What do maintainers think about a PR that replaces the
|
@markstos based on my understanding of the code, it seems like the signature validation functions return For reference, the error is thrown here: which internally calls: and the validation is performed here: Are you okay with an error being thrown much deeper in the stack and being bubbled up, or did you want to keep it such that signature validation returns @mishawakerman I'm not a maintainer, but I think
Throwing a Based on my understanding of the code, I think somewhere in this method would be a good place to put the error: I think you can use the existing XML utilities to parse the signing certificate in the response body and add an initial check to ensure this matches the expected certificate passed in options (which is already in scope of the function as the |
@DbCrWk I think your analysis and recommendation are spot-on. Throwing a custom error class is a great why to go. I think one error class with unique error messages will be sufficient. Would you be willing to submit a PR for this? Thanks. |
@markstos awesome, I can start working on that. I will be careful to avoid making it a breaking change, but if some internal interface changes, I will flag that explicitly. I don't know what your development priorities look like, but would this still be useful in, say, like a month or two? |
No rush here. There is some talk of a big overhaul for a v2 (see pinned issue), but no work has started on that. It will be helpful to @ mention me in the pull request to bring it to my attention. Thanks. |
Awesome, will do! |
Any update on this? |
A SAML response comes back with a signature and the certificate used to generate that signature. When invoking the library, we pass a
cert
in options that specifies the key that we expect to have been used in creating the signature.If the certificate that comes back in the SAML response does not match the
cert
option that is passed, it would be nice to have separately error-handling that provides a descriptive error. Although the current behavior is not wrong (in that it throws an error because the signature is invalid), it would be nice to have a more descriptive error message in this particular case.The text was updated successfully, but these errors were encountered: