CZ-NIC / django-eidas-specific-node

GNU General Public License v3.0

Cache NameID format from the request to fix missing transient support in IdP #94

Closed jtalir closed 4 years ago

jtalir commented 4 years ago

Cache the NameID format from the LightRequest to the Specific ProxyService, and if transient is requested but the IdP provides persistent, fill transient in the LightResponse regardless of the IdP response. NameID format is underspecified in eIDAS and has no meaning and no use. There is an initiative to keep only the unspecified value, but until then transient must be supported as well.

Name ID Format Matrix

| Request | Response | Result | Note |
| --- | --- | --- | --- |
| unspecified | unspecified | ok | - |
| unspecified | persistent | error | - |
| unspecified | transient | error | - |
| persistent | unspecified | error? | We cannot ensure a valid persistent id. |
| persistent | persistent | ok | - |
| persistent | transient | error | We cannot ensure a valid persistent id. |
| transient | unspecified | error → ok | We generate a random transient id instead of the persistent id. |
| transient | persistent | error → ok | We generate a random transient id instead of the persistent id. |
| transient | transient | ok | - |

Settings

Implementation

If the fallback is disabled, nothing happens. Otherwise:

jiri-janousek commented 4 years ago

@tpazderka, could you do a design review?

tpazderka commented 4 years ago

LGTM

Just a note on generating a new transient NameID -> It should be unique (and the same) for a given combination of provider/user, so a hash of some sort is probably a good option (provider ID, provided NameID, some salt?).

jtalir commented 4 years ago

Transient NameID is temporary, so it doesn't need to be "the same" in this context. I'd say that a one-off UUID will fulfil all the requirements. We should consider that this value is not used in the eIDAS context and this is just a workaround.
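The matrix in the issue description and the one-off UUID choice from the reply above, worked through as an added example; this is illustrative code written for this page, not django-eidas-specific-node's implementation. It assumes a hypothetical dictionary standing in for the Django cache that remembers the requested format per LightRequest id, uses the standard OASIS SAML format URIs for the three short names in the matrix, treats the "error?" cell as an error, and, when the fallback is disabled, reports the mismatch rather than silently passing the response on:

```python
import uuid
from dataclasses import dataclass

# Standard OASIS SAML NameID format URIs behind the short names used in the matrix.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


@dataclass(frozen=True)
class NameId:
    """A NameID as carried in a LightResponse: format URI plus value."""
    format: str
    value: str


class NameIdFormatMismatch(Exception):
    """Raised for the 'error' cells of the matrix."""


# Hypothetical stand-in for the Django cache: requested NameID format per
# LightRequest id. Request and response arrive in separate HTTP round trips,
# so the requested format has to survive between them.
_requested_formats = {}


def remember_requested_format(request_id, name_id_format):
    """Record the format the SP asked for when the LightRequest is forwarded."""
    _requested_formats[request_id] = name_id_format


def resolve_name_id(request_id, idp_name_id, *, transient_fallback=True,
                    new_transient_id=lambda: uuid.uuid4().hex):
    """Decide the NameID for the LightResponse according to the matrix.

    - same format requested and returned: pass the IdP value through;
    - transient requested, something else returned: with the fallback enabled,
      substitute a one-off random id (the IdP value is never reused, so a
      persistent identifier is not relabelled as transient);
    - any other combination: error (the 'persistent/unspecified' cell is
      marked 'error?' in the issue and is treated as an error here).
    """
    requested = _requested_formats.pop(request_id, None)  # one-shot entry
    if requested is None:
        raise NameIdFormatMismatch(f"no cached NameID format for {request_id}")
    if requested == idp_name_id.format:
        return idp_name_id
    if requested == TRANSIENT and transient_fallback:
        return NameId(TRANSIENT, new_transient_id())
    raise NameIdFormatMismatch(
        f"requested {requested} but IdP returned {idp_name_id.format}")


def evaluate_matrix(transient_fallback=True):
    """Run every request/response combination and report 'ok' or 'error'.

    Returns a dict keyed by (requested, returned) so the effect of enabling
    or disabling the fallback can be compared cell by cell.
    """
    outcome = {}
    for requested in (UNSPECIFIED, PERSISTENT, TRANSIENT):
        for returned in (UNSPECIFIED, PERSISTENT, TRANSIENT):
            remember_requested_format("req-1", requested)  # constructed id
            try:
                resolve_name_id("req-1", NameId(returned, "idp-value"),
                                transient_fallback=transient_fallback)
                outcome[(requested, returned)] = "ok"
            except NameIdFormatMismatch:
                outcome[(requested, returned)] = "error"
    return outcome


if __name__ == "__main__":
    for fallback in (True, False):
        print(f"transient fallback enabled: {fallback}")
        for (req, resp), result in evaluate_matrix(fallback).items():
            print(f"  {req.rsplit(':', 1)[1]:11} / {resp.rsplit(':', 1)[1]:11} -> {result}")
```

With the fallback enabled, five of the nine cells are "ok" (the three diagonal cells plus the two transient rows the issue turns from error into ok); with it disabled only the diagonal passes. Popping the cached entry on use keeps the cache from growing with abandoned requests and stops a stale format from being applied to a later response that reuses an id.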

jiri-janousek commented 4 years ago

@jtalir, request=unspecified & response=persistent|transient also fails. Should we fix that as well? By rewriting the type but keeping the value intact?

jiri-janousek commented 4 years ago

It should have been already fixed in the latest eIDAS Node. I'll verify it.