mbg / wai-saml2

WAI middleware implementing SAML2
MIT License

No-op status code check #32

Closed Philonous closed 1 year ago

Philonous commented 1 year ago

validateResponse checks that the response status is Success; however, there is only one status code defined (Success), so the check is a no-op.

Presence of any other status code is handled as a parse failure instead of a validation failure.

While this isn't directly a problem, I think it would be more consistent to parse status codes and let the validation check for success.

mbg commented 1 year ago

I think this point has come up previously (although I can't find the relevant comment right now), but the gist of it is that the current state of things isn't really a deliberate design decision and just a missing implementation of other status codes. So the check should indeed be during validation and not during parsing.
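The split both comments above argue for (the parser accepts every top-level status code the SAML 2.0 protocol defines, and the Success check happens during validation, so a non-Success status is a validation failure rather than a parse failure), as an added Python example. This is not wai-saml2 code (the library is Haskell) and does not reproduce its API; the element names and the four top-level codes (Success, Requester, Responder, VersionMismatch) come from the SAML 2.0 Core specification, the second-level AuthnFailed subcode is likewise a spec-defined value, and the three sample responses, the `Status` type and the helper names are constructed here. Standard-library ElementTree is used to keep the example dependency-free; for XML from a real IdP, use defusedxml or an equivalent hardened parser, as the Python documentation recommends for untrusted input.

```python
"""Parse a SAML 2.0 <samlp:Status>, then validate it separately.

Added example, not wai-saml2 code. Element names and status URIs follow
SAML 2.0 Core; sample responses below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import xml.etree.ElementTree as ET  # use defusedxml for real IdP input

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"


class StatusCode(Enum):
    """The four top-level status codes SAML 2.0 Core defines."""
    SUCCESS = STATUS_PREFIX + "Success"
    REQUESTER = STATUS_PREFIX + "Requester"
    RESPONDER = STATUS_PREFIX + "Responder"
    VERSION_MISMATCH = STATUS_PREFIX + "VersionMismatch"


class ParseError(Exception):
    """The response is malformed or uses a code the spec does not define."""


class ValidationError(Exception):
    """The response is well-formed but does not report Success."""


@dataclass(frozen=True)
class Status:
    code: StatusCode
    subcode: Optional[str]   # second-level code, kept as a string (spec allows IdP-defined ones)
    message: Optional[str]   # optional human-readable samlp:StatusMessage


def parse_status(response_xml: str) -> Status:
    """Parsing only: accept any defined top-level code, never judge it."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        raise ParseError(f"malformed XML: {exc}") from exc
    status = root.find(f"{{{SAMLP_NS}}}Status")
    if status is None:
        raise ParseError("Response has no samlp:Status")
    code_el = status.find(f"{{{SAMLP_NS}}}StatusCode")
    if code_el is None or "Value" not in code_el.attrib:
        raise ParseError("samlp:Status has no StatusCode Value")
    raw = code_el.attrib["Value"]
    try:
        code = StatusCode(raw)          # ValueError for anything outside the spec's four codes
    except ValueError:
        raise ParseError(f"unknown top-level status code {raw!r}") from None
    sub_el = code_el.find(f"{{{SAMLP_NS}}}StatusCode")   # nested second-level code
    subcode = sub_el.attrib.get("Value") if sub_el is not None else None
    msg_el = status.find(f"{{{SAMLP_NS}}}StatusMessage")
    message = msg_el.text if msg_el is not None else None
    return Status(code, subcode, message)


def validate_status(status: Status) -> None:
    """Validation: this is where the Success check actually does something."""
    if status.code is not StatusCode.SUCCESS:
        detail = f" ({status.subcode})" if status.subcode else ""
        msg = f": {status.message}" if status.message else ""
        raise ValidationError(f"IdP reported {status.code.value}{detail}{msg}")


def check_response(response_xml: str) -> str:
    """Classify the outcome so the two failure kinds stay distinguishable."""
    try:
        status = parse_status(response_xml)
    except ParseError:
        return "parse-failure"
    try:
        validate_status(status)
    except ValidationError:
        return "validation-failure"
    return "ok"


def _response(status_inner: str) -> str:
    """Constructed minimal samlp:Response wrapper (no assertion, no signature)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" Version="2.0">'
            f'<samlp:Status>{status_inner}</samlp:Status></samlp:Response>')


# Constructed sample responses (not captured from any real IdP).
SUCCESS_RESPONSE = _response(f'<samlp:StatusCode Value="{STATUS_PREFIX}Success"/>')
AUTHN_FAILED_RESPONSE = _response(
    f'<samlp:StatusCode Value="{STATUS_PREFIX}Responder">'
    f'<samlp:StatusCode Value="{STATUS_PREFIX}AuthnFailed"/></samlp:StatusCode>'
    '<samlp:StatusMessage>User cancelled login</samlp:StatusMessage>')
UNKNOWN_CODE_RESPONSE = _response(
    '<samlp:StatusCode Value="urn:example:not-a-saml-status"/>')

if __name__ == "__main__":
    for name, xml in [("success", SUCCESS_RESPONSE),
                      ("authn failed", AUTHN_FAILED_RESPONSE),
                      ("unknown code", UNKNOWN_CODE_RESPONSE)]:
        print(f"{name:>13}: {check_response(xml)}")
```

Keeping the two failure kinds apart matters operationally: a validation failure carrying Responder/AuthnFailed is an authentication outcome worth surfacing to the user and the audit log, whereas a parse failure points at a broken or hostile response and should be logged as such.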