Closed jtalir closed 4 years ago
@tpazderka, could you do a design review?
LGTM
Just a note to generating a new transient NameID -> It should be unique (and same) for a given combination of provider/user, so a hash of some sort is probably a good option (provider ID, provided NameID, some salt?)
Transient NameID is temporary, so it doesn't need to be "same" in this context. I'd say that a one-off UUID will fulfil all the requirements. We should consider that this value is not used in eIDAS context and this is just a workaround.
@jtalir, request=unspecified & response=persistent|transient also fails. Should we fix that as well? By rewriting the type but keeping the value intact?
It should have been already fixed in the latest eIDAS Node. I'll verify it.
Cache the NameID format of the LightRequest in the specific ProxyService, and if transient is requested but the IdP provides persistent, fill transient in the LightResponse regardless of the IdP response. NameID format is underspecified in eIDAS and has no meaning and no use. There is an initiative to keep the value unspecified only, but until then transient must be supported as well.
Name ID Format Matrix
Settings
- `PROXY_SERVICE_TRANSIENT_NAME_ID_FALLBACK` (bool, default false) - If set to true and `transient` name id is requested in the request but `unspecified`/`persistent` name id is provided in the response, a new random transient name id is created.
- `PROXY_SERVICE_AUXILIARY_STORAGE` (required if the fallback is enabled) - Light storage holding auxiliary data - now only the Name ID format of the request. It may be a new Apache Ignite cache or we can reuse any of the two existing caches used by the proxy service.
Implementation
If the fallback is disabled, nothing happens. Otherwise:
- `ProxyServiceRequestView.post`: `self.auxiliary_storage` stores `{"name_id_format": self.light_request.name_id_format}` with id `specific-aux-{self.light_request.id}`.
- `IdentityProviderResponseView.post`: `self.auxiliary_storage` loads `specific-aux-{self.light_response.in_response_to_id}` from cache (with deletion). If the cached name id format is `transient` but `self.light_response.subject_name_id_format` isn't, it is replaced with a new random transient id.
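The two steps above (cache the requested format on the request path, consume it on the response path and rewrite a non-transient NameID) as an added example that is not the project's own code. The `LightRequest`/`LightResponse` dataclasses, the dict-backed storage and the `fallback_enabled` flag are simplified stand-ins for the Django views, the Ignite cache and the `PROXY_SERVICE_TRANSIENT_NAME_ID_FALLBACK` setting; the example also shows the cases the thread raises (replayed response id, `unspecified` requested) being left untouched.

```python
"""Transient NameID fallback modelled on the PR description (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, Optional
import uuid

# SAML 2.0 NameID format URIs (real identifiers).
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

@dataclass
class LightRequest:  # simplified stand-in for the node's LightRequest
    id: str
    name_id_format: Optional[str]

@dataclass
class LightResponse:  # simplified stand-in; only the fields the fallback touches
    in_response_to_id: str
    subject: str
    subject_name_id_format: Optional[str]

# Dict stand-in for PROXY_SERVICE_AUXILIARY_STORAGE (an Ignite cache in the real node).
AuxStorage = Dict[str, dict]

def aux_key(request_id: str) -> str:
    return f"specific-aux-{request_id}"

def remember_request_format(storage: AuxStorage, request: LightRequest, fallback_enabled: bool) -> None:
    """ProxyServiceRequestView.post step: cache the NameID format the request asked for."""
    if fallback_enabled:
        storage[aux_key(request.id)] = {"name_id_format": request.name_id_format}

def apply_transient_fallback(storage: AuxStorage, response: LightResponse, fallback_enabled: bool) -> bool:
    """IdentityProviderResponseView.post step; returns True when the NameID was replaced."""
    if not fallback_enabled:
        return False
    # pop(), not get(): the entry is consumed once, so a second response carrying the
    # same request id finds nothing cached and is left alone.
    aux = storage.pop(aux_key(response.in_response_to_id), None)
    if aux is None or aux.get("name_id_format") != TRANSIENT:
        return False  # request unknown, or it did not ask for transient (e.g. unspecified)
    if response.subject_name_id_format == TRANSIENT:
        return False  # the IdP already complied
    # One-off UUID: the transient id must not be derivable from the persistent one.
    response.subject = str(uuid.uuid4())
    response.subject_name_id_format = TRANSIENT
    return True
```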