support SAML HTTP redirect binding

[easeway]

Solve issue: #1042

[easeway]

@ericchiang Please take a look...

[ericchiang]

Need to change the response handler too.

Almost feel like this should surface as a different interface value https://godoc.org/github.com/coreos/dex/connector#SAMLConnector

[ericchiang]

We should just return an actual redirect here, not render a page. E.g.

http.Redirect(w, r, ...)

[easeway]

Yes.

[ericchiang]

this should probably be something like

binding: redirect # defaults to post

in case we want to support more bindings in the future.

[easeway]

gotcha

[ericchiang]

Need to rename POSTData or break it into a separate method.

[easeway]

I think it's better to pass http.ResponseWriter and http.Request into provider to reduce provider specific code in server/handlers.go. Eventually we can eliminate this switch conn := conn.Connector.(type)

My proposal is to define a common Connector interface including a method:

HandleLogin(w http.ResponseWriter, r *http.Request)

And leave to the Connector implementation for all provider specific logic.

In the mean time, I will do the following change:

Rename PostData to AuthnRequest(scopes, authId, w http.ResponseWriter, r *http.Request) and perform the logic there.

[ericchiang]

I'm actually against that. The server package controls things like html error responses and I'd rather all of that logic continue to live there. Not have any connectors refer to the net/http package directly.

[ericchiang]

This block shouldn't keep going if err != nil

[easeway]

here e == nil and err != nil is handled in one place below.

I use e == nil because the sequence will go through 3 steps: NewWriter, Write and Flush. Each may fail and should bail out immediately. So use if e == nil { do...} will make the code simpler, and handle the error in one place.

[ericchiang]

use url.URL and an actual url.Values object https://golang.org/pkg/net/url/#Values

[easeway]

OK. I will construct a URL.

[ericchiang]

This method now returns completely different kind of values depending on how it's configured. The URL creation and HTML creation should be done in the same place.

[easeway]

I will update the interface according to your comments below.

[easeway]

@ericchiang PR updated. Please take a look when you have time.

[ericchiang]

nit: this is just query.Set("SAMLRequest", value)

[easeway]

yes

[ericchiang]

That worked out nicely. Thanks for the refactors.

When the provider redirects back to dex, that'll now be different though, right? E.g. this logic needs to change https://github.com/coreos/dex/blob/master/server/handlers.go#L327

[ericchiang]

nit: this should probably be httpPost and httpRedirect, right? Since the other ones are SOAP based.

[easeway]

Do you mean the const name should be "SAMLHTTPPOST" or the value should be "httpPost"? I'm using the same value from config option. I'm OK if we decide to use "http-post", "http-redirect" in values of config option "binding". But I'd like to use the same value internally in code.

[ericchiang]

I meant the "post" and "redirect" values.

Actually, I think the way it currently is is fine. Let's keep it as is.

[easeway]

The handler doesn't need any change. When specifying "binding: redirect", it only specifies how dex opens login page on identity provider. The way identity provider calls back to dex can use a different http method, which is defined by the trusted service callback mechanism in identity provider (the pre-registered trusted service provider definition).

If identity provider respect AssertionConsumerServiceURL in AuthnRequest, it will use ProtocolBinding to send back response. Currently in dex, the ProtocolBinding is always POST.

I have verified the implement against vSphere 6.5

[ericchiang]

@easeway ah I see that you can actually mix bindings.

It's good that vSphere works with this setup, but what about providers that don't support the POST binding for the SAMLResponse? Do we need explicit requestBinding and responseBinding values?

[easeway]

@ericchiang For providers don't support POST binding in response, we need to do further fixes. We should make it configurable, that when constructing AuthnRequest, we can specify ProtocolBinding from the configuration. Then we will have to fix the handler too.

What about making a separate PR for that?

[easeway]

@ericchiang I created a separate PR #1048 to support response redirect binding. However vSphere doesn't support redirect binding on response, so I can't verify that, and that's why I make it a separate PR.

Would you approve this PR if you think the change is good here?

[ericchiang]

Would you approve this PR if you think the change is good here?

No we should just move to #1048. Since it's all the same feature I'd rather we design the full thing instead of doing it piecemeal.

[easeway]

@ericchiang All right. I will collapse the changes in #1048 into this PR and close #1048. And I make sure the features except response redirect binding is verified.

[easeway]

@ericchiang Updated. I separate the config for requestBinding and responseBinding and updated the handler. Please take a look.

[ericchiang]

Thanks, this is getting close!

Going to try to test this patch against another SAML provider that implements the HTTP redirect binding.

[ericchiang]

I'd avoid any normalization. Keeps the configuration explicit.

[easeway]

OK. I will remove this ToLower line.

[ericchiang]

probably just use a globally defined map + a lookup

[easeway]

only two string const comparisons. I'm trying to avoid a global var. Anyway, I will add a global map.

[ericchiang]

the response binding should probably default to whatever the request binding is, right?

[easeway]

not sure. In most cases, responseBinding will be POST. Even requestBinding is redirect. Would it be simpler to define fixed default values in config?

[ericchiang]

Would it be simpler to define fixed default values in config?

Works for me.

[ericchiang]

Do we not set this if it's a POST?

[easeway]

It's already set to POST in a few lines above when constructing the authnRequest.

[ericchiang]

nit: just call this "compressRequest" and "decompressRequest"

[easeway]

Yes

[ericchiang]

So in this case I could request responseBinding: post, get an HTTP redirect response, and we'd still process it even though we've explicitly stated that we don't.

I think we need to enforce that only the binding that the connector is configured with is actually used.

[easeway]

You are right. I will fix this.

[easeway]

The problem is at this layer, it doesn't have the knowledge about bindings. Anyway, let me figure it out...

[ericchiang]

With this logic I could use "state" to look up the authID and never actually inspect the "RelayState" even though it's required for this response. This seems wrong.

[easeway]

handleConnectorCallback is shared by multiple providers. OAuth2 uses "state" while SAML uses "RelayState". So if it's SAML, there's no "state", and we should use "RelayState".

[ericchiang]

The SAML connector can still use the value set by "state" here. We need to enforce:

var usedRelayState bool
authID = r.URL.Query().Get("state")
if authID == "" {
    usedRelayState = true
    authID = r.URL.Query.Get("RelayState")
}

Then verify this value later.

case connector.CallbackConnector:
    if usedRelayState {
        return nil, fmt.Errorf("no state parameter provided")
    }
case connector.SAMLConnector:
    if !userRelayState {
        return nil, fmt.Errorf("invalid url query value 'state' provided")
    }

[easeway]

understand!

[ericchiang]

nit: just set defaults in openConnector

[easeway]

OK

[ericchiang]

I need to grab an open source SAML provider and try to write up some instructions for how to test this before merging. We want to make sure we can debug future changes to this binding.

[ericchiang]

For all my efforts I'm having trouble finding a SAML provider to test this with. @easeway any suggestions?

[easeway]

I've verified with vSphere with both POST and redirect binding for request, and POST binding for response. I believe okta works with POST binding for both request and response (as in original code). So we are good with bindings for requests. Unfortunately, I didn't find a provider which supports redirect binding for response. I can continue looking for a provider which allows a services to be registered with a redirect binding for response.