IdentityPython / SATOSA

Proxy translating between different authentication protocols (SAML2, OpenID Connect and OAuth2)
https://idpy.org
Apache License 2.0

Changing STATE_ENCRYPTION_KEY causes LZMAError when retrieving cookies #391

Closed fbosio closed 3 years ago

fbosio commented 3 years ago

Authentication in a SAML service provider with a specific STATE_ENCRYPTION_KEY creates cookies that cannot be retrieved if SATOSA is restarted after a STATE_ENCRYPTION_KEY change.

Code Version

7.0.3

Expected Behavior

It should ignore cookies and create a new, clean, empty state

Current Behavior

It raises an LZMAError that causes a SATOSAUnknownError

Possible Solution

Replace https://github.com/IdentityPython/SATOSA/blob/b9d4ef7eaf0e53f200a9ccfb2fc999581243f0d9/src/satosa/base.py#L204 with

        except (SATOSAStateError, LZMAError) as e:

Remember to import the class.

from lzma import LZMAError

Steps to Reproduce

  1. Configure a SATOSA SAML frontend with an HTTP-POST binding endpoint.
  2. Create a SAML service provider and point its sso_url to the POST endpoint of the frontend.
  3. Run both apps.
  4. Login with the SAML service provider.
  5. Stop apps.
  6. Change STATE_ENCRYPTION_KEY in proxy_conf.yaml to anything else.
  7. Run both apps.
  8. Login again.
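A minimal Python model of the failure described in this issue, added here as an illustration and not SATOSA's own code: the state cookie is lzma-compressed JSON under a keyed stream cipher (a SHA-256 keystream stand-in for the real cipher), decoding it with a rotated key yields bytes that lzma rejects, and only the widened except clause turns that into a fresh empty state. `SATOSAStateError` is a placeholder class here, and the key names and sample state are constructed.

```python
import hashlib
import json
import lzma
from lzma import LZMAError


class SATOSAStateError(Exception):
    """Placeholder for satosa.exception.SATOSAStateError (not the real class)."""


def _keystream(key: str, length: int) -> bytes:
    # Constructed stand-in cipher: SHA-256 counter keystream, NOT SATOSA's cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encode_state(state: dict, key: str) -> bytes:
    """Compress the state, then encrypt it under the given key (cookie value)."""
    plain = lzma.compress(json.dumps(state).encode())
    return bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))


def decode_state(cookie: bytes, key: str) -> dict:
    """Decrypt, then decompress. A wrong key gives garbage that lzma rejects."""
    plain = bytes(a ^ b for a, b in zip(cookie, _keystream(key, len(cookie))))
    return json.loads(lzma.decompress(plain))  # raises LZMAError on a rotated key


def load_state_before_fix(cookie: bytes, key: str) -> dict:
    # Mirrors the reported behaviour: only SATOSAStateError is caught,
    # so the LZMAError escapes and surfaces as an unknown error.
    try:
        return decode_state(cookie, key)
    except SATOSAStateError:
        return {}


def load_state_after_fix(cookie: bytes, key: str) -> dict:
    # Proposed fix: treat an undecodable cookie like a missing one
    # and start from a new, clean, empty state.
    try:
        return decode_state(cookie, key)
    except (SATOSAStateError, LZMAError):
        return {}
```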

c00kiemon5ter commented 3 years ago

closed by 8a096d52fc146a2cd0d8d2ef70c46d999389ce81

I have pushed a fix for this, but this should be expanded more to allow for rotating state-encryption keys. I had been wanting to do this for some time and at the same time improve how we encrypt data.

I will close this and try to describe the direction this should take in a separate issue.

fbosio commented 3 years ago

Cool, thanks!