tweaking

ory · Aug 31, 2022 · daefc17 · daefc17
1 parent 65e7254
commit daefc17
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 37 deletions.
diff --git a/internal/httpclient/api/openapi.yaml b/internal/httpclient/api/openapi.yaml
@@ -1270,25 +1270,7 @@ paths:
   /self-service/methods/saml/auth:
     get:
       description: |-
-        This endpoint initiates a registration flow for API clients such as mobile devices, smart TVs, and so on.
-
-        If a valid provided session cookie or session token is provided, a 400 Bad Request error
-        will be returned unless the URL query parameter `?refresh=true` is set.
-
-        To fetch an existing registration flow call `/self-service/registration/flows?flow=<flow_id>`.
-
-        You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
-        Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
-        you vulnerable to a variety of CSRF attacks.
-
-        In the case of an error, the `error.id` of the JSON response body can be one of:
-
-        `session_already_available`: The user is already signed in.
-        `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
-
-        This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
-
-        More information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).
+        Initiates and performs the SAML authentication request to the identity provider
       operationId: initializeSelfServiceSamlFlowForBrowsers
       responses:
         "200":

diff --git a/internal/httpclient/docs/V0alpha2Api.md b/internal/httpclient/docs/V0alpha2Api.md
@@ -29,7 +29,7 @@ Method | HTTP request | Description
 [**InitializeSelfServiceRecoveryFlowWithoutBrowser**](V0alpha2Api.md#InitializeSelfServiceRecoveryFlowWithoutBrowser) | **Get** /self-service/recovery/api | Initialize Recovery Flow for APIs, Services, Apps, ...
 [**InitializeSelfServiceRegistrationFlowForBrowsers**](V0alpha2Api.md#InitializeSelfServiceRegistrationFlowForBrowsers) | **Get** /self-service/registration/browser | Initialize Registration Flow for Browsers
 [**InitializeSelfServiceRegistrationFlowWithoutBrowser**](V0alpha2Api.md#InitializeSelfServiceRegistrationFlowWithoutBrowser) | **Get** /self-service/registration/api | Initialize Registration Flow for APIs, Services, Apps, ...
-[**InitializeSelfServiceSamlFlowForBrowsers**](V0alpha2Api.md#InitializeSelfServiceSamlFlowForBrowsers) | **Get** /self-service/methods/saml/auth | Initialize Registration Flow for APIs, Services, Apps, ...
+[**InitializeSelfServiceSamlFlowForBrowsers**](V0alpha2Api.md#InitializeSelfServiceSamlFlowForBrowsers) | **Get** /self-service/methods/saml/auth | Initiates and performs the SAML authentication request to the identity provider
 [**InitializeSelfServiceSettingsFlowForBrowsers**](V0alpha2Api.md#InitializeSelfServiceSettingsFlowForBrowsers) | **Get** /self-service/settings/browser | Initialize Settings Flow for Browsers
 [**InitializeSelfServiceSettingsFlowWithoutBrowser**](V0alpha2Api.md#InitializeSelfServiceSettingsFlowWithoutBrowser) | **Get** /self-service/settings/api | Initialize Settings Flow for APIs, Services, Apps, ...
 [**InitializeSelfServiceVerificationFlowForBrowsers**](V0alpha2Api.md#InitializeSelfServiceVerificationFlowForBrowsers) | **Get** /self-service/verification/browser | Initialize Verification Flow for Browser Clients

diff --git a/selfservice/flow/saml/handler.go b/selfservice/flow/saml/handler.go
@@ -13,14 +13,17 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	dsig "github.com/russellhaering/goxmldsig"
 
 	"github.com/crewjam/saml/samlsp"
 	"github.com/julienschmidt/httprouter"
 
+	"github.com/ory/kratos/continuity"
 	"github.com/ory/kratos/driver/config"
 	"github.com/ory/kratos/selfservice/errorx"
 
 	samlidp "github.com/crewjam/saml"
+
 	samlstrategy "github.com/ory/kratos/selfservice/strategy/saml"
 
 	"github.com/ory/kratos/session"
@@ -38,7 +41,7 @@ const (
 var ErrNoSession = errors.New("saml: session not present")
 var samlMiddleware *samlsp.Middleware
 
-var ContinuityKey = "ory_kratos_continuity"
+type ory_kratos_continuity struct{}
 
 type (
 	handlerDependencies interface {
@@ -96,12 +99,12 @@ func (h *Handler) serveMetadata(w http.ResponseWriter, r *http.Request, ps httpr
 //
 // If you already have a session, it will redirect you to the main page.
 //
-//     Schemes: http, https
+//	Schemes: http, https
 //
-//     Responses:
-//       200: selfServiceRegistrationFlow
-//       400: jsonError
-//       500: jsonError
+//	Responses:
+//	  200: selfServiceRegistrationFlow
+//	  400: jsonError
+//	  500: jsonError
 func (h *Handler) loginWithIdp(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	// Middleware is a singleton so we have to verify that it exists
 	if samlMiddleware == nil {
@@ -114,12 +117,12 @@ func (h *Handler) loginWithIdp(w http.ResponseWriter, r *http.Request, ps httpro
 	conf := h.d.Config(r.Context())
 
 	// We have to get the SessionID from the cookie to inject it into the context to ensure continuity
-	cookie, err := r.Cookie("ory_kratos_continuity")
+	cookie, err := r.Cookie(continuity.CookieName)
 	if err != nil {
 		h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, err)
 	}
 	body, _ := ioutil.ReadAll(r.Body)
-	r2 := r.Clone(context.WithValue(r.Context(), ContinuityKey, cookie.Value))
+	r2 := r.Clone(context.WithValue(r.Context(), ory_kratos_continuity{}, cookie.Value))
 	r2.Body = ioutil.NopCloser(bytes.NewReader(body))
 	*r = *r2
 
@@ -254,11 +257,11 @@ func (h *Handler) instantiateMiddleware(config config.Config) error {
 		// We have to replace the ContinuityCookie by using RelayState. We will pass the SessionID (uuid) of Kratos through RelayState
 		RelayStateFunc: func(w http.ResponseWriter, r *http.Request) string {
 			ctx := r.Context()
-			cipheredCookie, ok := ctx.Value(ContinuityKey).(string)
+			cipheredCookie, ok := ctx.Value(ory_kratos_continuity{}).(string)
 			if !ok {
 				_, err := w.Write([]byte("No SessionID in current context"))
 				if err != nil {
-					errors.New("Error while writing the SessionID problem")
+					h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, err)
 				}
 				return ""
 			}
@@ -269,6 +272,9 @@ func (h *Handler) instantiateMiddleware(config config.Config) error {
 		return err
 	}
 
+	// It's better to use SHA256 than SHA1
+	samlMiddleWare.ServiceProvider.SignatureMethod = dsig.RSASHA256SignatureMethod
+
 	var publicUrlString = config.SelfPublicURL().String()
 
 	// Sometimes there is an issue with double slash into the url so we prevent it

diff --git a/selfservice/strategy/saml/provider_saml.go b/selfservice/strategy/saml/provider_saml.go
@@ -5,9 +5,10 @@ import (
 	"context"
 
 	"github.com/crewjam/saml/samlsp"
+	"github.com/pkg/errors"
+
 	"github.com/ory/kratos/driver/config"
 	"github.com/ory/x/jsonx"
-	"github.com/pkg/errors"
 )
 
 type ProviderSAML struct {

diff --git a/selfservice/strategy/saml/strategy/strategy_login.go b/selfservice/strategy/saml/strategy/strategy_login.go
@@ -6,6 +6,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/pkg/errors"
+
 	"github.com/ory/herodot"
 	"github.com/ory/kratos/continuity"
 	"github.com/ory/kratos/identity"
@@ -18,13 +20,12 @@ import (
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/ui/node"
 	"github.com/ory/kratos/x"
-	"github.com/pkg/errors"
 )
 
 // Implement the interface
 var _ login.Strategy = new(Strategy)
 
-//Call at the creation of Kratos, when Kratos implement all authentication routes
+// Call at the creation of Kratos, when Kratos implement all authentication routes
 func (s *Strategy) RegisterLoginRoutes(r *x.RouterPublic) {
 	s.setRoutes(r)
 }
@@ -53,7 +54,7 @@ type SubmitSelfServiceLoginFlowWithSAMLMethodBody struct {
 	Traits json.RawMessage `json:"traits"`
 }
 
-//Login and give a session to the user
+// Login and give a session to the user
 func (s *Strategy) processLogin(w http.ResponseWriter, r *http.Request, a *login.Flow, provider samlsp.Provider, c *identity.Credentials, i *identity.Identity, claims *samlsp.Claims) (*registration.Flow, error) {
 
 	var o CredentialsConfig

diff --git a/selfservice/strategy/saml/strategy/strategy_registration.go b/selfservice/strategy/saml/strategy/strategy_registration.go
@@ -7,10 +7,11 @@ import (
 	"net/http"
 
 	"github.com/google/go-jsonnet"
+	"github.com/pkg/errors"
+
 	"github.com/ory/kratos/driver/config"
 	"github.com/ory/kratos/identity"
 	"github.com/ory/x/decoderx"
-	"github.com/pkg/errors"
 
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/flow/registration"
@@ -30,7 +31,7 @@ import (
 // Implement the interface
 var _ registration.Strategy = new(Strategy)
 
-//Call at the creation of Kratos, when Kratos implement all authentication routes
+// Call at the creation of Kratos, when Kratos implement all authentication routes
 func (s *Strategy) RegisterRegistrationRoutes(r *x.RouterPublic) {
 	s.setRoutes(r)
 }

diff --git a/selfservice/strategy/saml/strategy/types.go b/selfservice/strategy/saml/strategy/types.go
@@ -19,7 +19,7 @@ type CredentialsConfig struct {
 	Providers []ProviderCredentialsConfig `json:"providers"`
 }
 
-//Create an uniq identifier for user in database. Its look like "id + the id of the saml provider"
+// Create an uniq identifier for user in database. Its look like "id + the id of the saml provider"
 func NewCredentialsForSAML(subject string, provider string) (*identity.Credentials, error) {
 	var b bytes.Buffer
 	if err := json.NewEncoder(&b).Encode(CredentialsConfig{