Closed rnbwdsh closed 2 years ago
SAML2, not OAuth2. Simply sending a POST Request to the IDP isn't enough - wouldn't be for OAuth2/OIDC either. Getting the user to login via an embedded browser and using the resulting session cookies should work.
The proper SAML way for handling this would be with something like this: https://github.com/itzg/saml-auth-proxy This needs to be supported by JKU though.
Wrote a short python POC to verify if the flow works as expected:
```python
import requests
import bs4

NAME = "k1155575"
PASS = "<censored>"

sess = requests.session()
# The KUSSS login URL redirects us to the Shibboleth IdP login page
res = sess.get("https://www.kusss.jku.at/kusss/login.action?log=1")  # trigger forward
# Post the credentials to the IdP URL we were redirected to
res2 = sess.post(res.url, {'j_username': NAME, 'j_password': PASS, "_eventId_proceed": "login"})  # Shibboleth URL
site2 = bs4.BeautifulSoup(res2.text, "html.parser")
# The IdP answers with an auto-submit form; collect its named fields ('RelayState', 'SAMLResponse')
data = {i["name"]: i.get("value", "") for i in site2.find_all("input") if i.has_attr("name")}
# Submit the SAML response to the KUSSS form target; the 302 chain sets the session cookies
res3 = sess.post(site2.find("form")["action"], data)
assert "Markus" in res3.text
print(res3.history[0].cookies.get_dict())
```
The resulting cookie is: {'_shibsession_64656661756c7468747470733a2f2f7777772e6b757373732e6a6b752e61742f73686962626f6c657468': '_906c96ac4f5a589884b67273censored'}
I'll try to build it into the app now.
I created a PR that partially solves the problem, but doesn't yet persist the _shibsession*, as I can't find where the cookies are set later.
KUSSS changed their login flow to use OAuth. So now we have to POST (same credentials, j_username, j_password) + new param (_eventId_proceed=login) to https://shibboleth.im.jku.at/idp/profile/SAML2/Redirect/SSO?execution=e1s1
The result then contains an HTML form with POST target to KUSSS (auto-submitted via JS, but nojs option available) which returns a _shibsession cookie and after 302 forwarding also our required kusss JSESSIONID.
The part of the code that probably needs to be changed is https://github.com/marunjar/anewjkuapp/blob/master/app/src/main/java/org/voidsink/anewjkuapp/kusss/KusssHandler.java#L199
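The auto-submit form described above is the SAML 2.0 HTTP-POST binding. As an added example (not code from this thread or from anewjkuapp), the following stdlib-only snippet parses such a form, collects its named fields the same way the POC does, and decodes the SAMLResponse to check that its Destination is the SP's own consumer URL before anything is posted. The HTML, the response XML and the `sp.example.invalid` URL are constructed samples, and the response is unsigned, so this checks only the Destination and status, not a signature.

```python
import base64
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Constructed: the SP endpoint the client expects the response to be addressed to
EXPECTED_ACS = "https://sp.example.invalid/Shibboleth.sso/SAML2/POST"

class _FormParser(HTMLParser):
    """Collects the first form's action and every named <input> field."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def parse_post_binding(html):
    """Return (action_url, fields) from the IdP's auto-submit page."""
    p = _FormParser()
    p.feed(html)
    return p.action, p.fields

def check_saml_response(fields, expected_acs):
    """Decode SAMLResponse; return (destination_ok, destination, status_value)."""
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"]))
    dest = root.get("Destination")
    status = root.find("samlp:Status/samlp:StatusCode", SAML_NS).get("Value")
    return dest == expected_acs, dest, status

# Constructed sample: minimal unsigned Response wrapped in the HTTP-POST form
_RESP = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'ID="_r1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
         f'Destination="{EXPECTED_ACS}"><samlp:Status><samlp:StatusCode '
         'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
         '</samlp:Response>')
SAMPLE_HTML = (
    f'<form action="{EXPECTED_ACS}" method="post">'
    '<input type="hidden" name="RelayState" value="cookie:abc"/>'
    f'<input type="hidden" name="SAMLResponse" value="{base64.b64encode(_RESP.encode()).decode()}"/>'
    '<noscript><input type="submit" value="Continue"/></noscript></form>')

if __name__ == "__main__":
    action, fields = parse_post_binding(SAMPLE_HTML)
    print(action, sorted(fields), check_saml_response(fields, EXPECTED_ACS))
```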