Skip to content

SAML redirect loses session data storing "next" url and RelayState cannot be used instead #481

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
danjacob-anders opened this issue Aug 14, 2023 · 5 comments · Fixed by #705
Closed

SAML redirect loses session data storing "next" url and RelayState cannot be used instead #481

danjacob-anders opened this issue Aug 14, 2023 · 5 comments · Fixed by #705

Comments

@danjacob-anders
Copy link

danjacob-anders commented Aug 14, 2023
edited
Loading

Expected behaviour

When using social core login with e.g. Django, the "next" parameter should be stored in the strategy session data. Upon authentication with the IdP, the SAML backend should then be able to retrieve the "next" parameter from the session and redirect the user to the desired destination.

If the session data is unavailable, then the redirect url can be obtained from the GET or POST params. In the case of SAML, RelayState should be available to use for such purposes.

Actual behaviour

  1. The session data is empty on redirect back to the client. This may be due to SameSite issues, however this is unclear. Other authentication backends e.g. Google do not lose session data, so this is only happening with SAML backend.
  2. If the session data is unavailable, we should be able to use RelayState to pass the "next" url instead. This can then be used to retrieve the required URL from the POST returned from the IdP.

Unfortunately RelayState appears to be hijacked by social_core to set the IdP name, and there does not appear to be a simple way to override this behaviour:

    def auth_url(self):
        """Get the URL to which we must redirect in order to
        authenticate the user"""
        try:
            idp_name = self.strategy.request_data()["idp"]
        except KeyError:
            raise AuthMissingParameter(self, "idp")
        auth = self._create_saml_auth(idp=self.get_idp(idp_name))
        # Below, return_to sets the RelayState, which can contain
        # arbitrary data.  We use it to store the specific SAML IdP
        # name, since we multiple IdPs share the same auth_complete
        # URL.
        return auth.login(return_to=idp_name)

    def auth_complete(self, *args, **kwargs):
        """
        The user has been redirected back from the IdP and we should
        now log them in, if everything checks out.
        """
        # RelayState can only have idp_name, or it breaks here
        idp_name = self.strategy.request_data()['RelayState']
        idp = self.get_idp(idp_name)
        auth = self._create_saml_auth(idp)
        # ...complete authentication

The reasoning appears to be to be able to support multiple providers; however it also breaks what appears to be basic SAML functionality, i.e. being able to use RelayState for arbitrary needs such as a dynamically generated redirect URL. In our case, we only require a single SAML provider at this stage.

This is outlined in more detail here:

https://stackoverflow.com/questions/70599909/django-social-auth-not-redirecting-to-provided-next-query-param-for-saml-login

Is there a way to be able to reliably pass a "next" parameter using SAML either through the session or request parameters?
nijel added a commit to nijel/weblate that referenced this issue Apr 1, 2025
@nijel
fix(auth): keep next parameter over SAML auth
07ae40d 
It suffers the same issues as OpenID, so reuse the code.

See python-social-auth/social-app-django#481
@nijel nijel mentioned this issue Apr 1, 2025
Merged
@nijel
Copy link
Member

nijel commented Apr 1, 2025

When using social core login with e.g. Django, the "next" parameter should be stored in the strategy session data.

do_auth and do_complete implement this from the very beginning.

The session data is empty on redirect back to the client. This may be due to SameSite issues, however this is unclear.

Yes, this is because SameSite setting on the cookie. It won't be sent on POST from the other site, and thus the session cannot be restored.

The easiest workaround for this is to disable SameSite on the session cookie by SESSION_COOKIE_SAMESITE='None', but it has a possible security impact.

The very same thing happens with OpenID-based backends.

At Weblate we deal with this by including (signed) session ID in the return URL and restoring the session based on that in our wrappers around do_auth and do_complete:

nijel added a commit to WeblateOrg/weblate that referenced this issue Apr 1, 2025
@nijel
fix(auth): keep next parameter over SAML auth
1a1e3c8 
It suffers the same issues as OpenID, so reuse the code.

See python-social-auth/social-app-django#481
@nijel
Copy link
Member

nijel commented May 21, 2025

And Weblate approach is not really usable with SAML, see WeblateOrg/weblate#14924.

@nijel nijel mentioned this issue May 21, 2025
Open
nijel added a commit to nijel/social-core that referenced this issue May 21, 2025
@nijel
feat: implement session restore when cookies are not reliable
7ecc97a 
When cookies are created with SameSite policy, they won't be available
during the authentication flow which uses POST such as OpenID or SAML.
This adds support in Strategy to get session ID and restore it later in
the login flow.

See python-social-auth/social-app-django#481
@nijel nijel mentioned this issue May 21, 2025
Merged
nijel added a commit to nijel/social-app-django that referenced this issue May 21, 2025
@nijel
feat: support for session storing and restoring
06fc5ad 
This is a Django implementation for changes introduced in
python-social-auth/social-core#1159.

Fixes python-social-auth#481
@nijel nijel mentioned this issue May 21, 2025
Merged
@nijel
Copy link
Member

nijel commented May 21, 2025

python-social-auth/social-core#1159 and #705 is my attempt to address this.

nijel added a commit to nijel/social-core that referenced this issue May 21, 2025
@nijel
feat: implement session restore when cookies are not reliable
010f025 
When cookies are created with SameSite policy, they won't be available
during the authentication flow which uses POST such as OpenID or SAML.
This adds support in Strategy to get session ID and restore it later in
the login flow.

See python-social-auth/social-app-django#481
nijel added a commit to nijel/social-app-django that referenced this issue May 21, 2025
@nijel
feat: support for session storing and restoring
e6c2aa1 
This is a Django implementation for changes introduced in
python-social-auth/social-core#1159.

Fixes python-social-auth#481
@Etiene
Copy link

Etiene commented May 22, 2025

I'm experiencing the same issue with apple backend! I'm currently trying an approach with the session id like the one you mentioned, @nijel, but apple then complains about the return url not being the same as the one configured in service ID.

@nijel
Copy link
Member

nijel commented May 22, 2025

Apple is OAuth2, it should not suffer this issue.

nijel added a commit to python-social-auth/social-core that referenced this issue May 26, 2025
@nijel
feat: implement session restore when cookies are not reliable
d9b4c1c 
When cookies are created with SameSite policy, they won't be available
during the authentication flow which uses POST such as OpenID or SAML.
This adds support in Strategy to get session ID and restore it later in
the login flow.

See python-social-auth/social-app-django#481
nijel added a commit that referenced this issue May 26, 2025
@nijel
feat: support for session storing and restoring
b3299c0 
This is a Django implementation for changes introduced in
python-social-auth/social-core#1159.

Fixes #481
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: support for session storing and restoring nijel/social-app-django
3 participants
@nijel @Etiene @danjacob-anders