Closed (fixed)
Project:
SAML Authentication
Version:
8.x-3.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
1 Jun 2020 at 13:01 UTC
Updated:
19 Dec 2024 at 21:27 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
pghaemim commentedhaving the same issue here. The xml metadata we get at /saml/metadata route is generated by the required package onelogin/php-saml and can't be disabled here.
Here I have a patch that extracts the validUntil attribute from the returned XML and add an Expires header to the CachableResponse.
Comment #3
larowlanthis should be setExpires not SetExpires
There's some whitespace here that can be removed
This needs a comment and a spare line between @return and @params - also, technically it doesn't return bool, there is no code-path that doesn't return a \DateTime
There's some phpcs spacing issues here, need a space after the comman, and after the catch
Comment #4
pghaemim commentedThanks @larowlan for the review. uploaded the patch with your review changes applied.
Comment #5
joelpittetI totally agree with this issue summary, being able to disable it would be awesome, our IDP just stripped it out of the metadata on our behalf on Friday so I'm looking for this:) It's too bad but yeah onelogin doesn't have that option to disable it.
I'll apply this patch soon, one question, what is with the +6 hours line from now, is that arbitrary?
Comment #6
roderik+1 looks good but would want to put something as a comment with the "+6 hours" before I commit this. Even if that is "arbitrary".
(Not officially RTBC'ing because not tried, only viewed this issue.)
Comment #7
pghaemim commentedThanks for reviewing and applying the patch. The +6 hours is a totally arbitrary number less than the default +2 days validUntil.
Comment #8
roderikFirst of all, thanks to all of you for raising and implementing this. I am learning more about SAML as I go along, through issues that are raised here.
Having said that... I am now reviewing the code in more detail, and...
While this is true, we do perform the call to
Settings::getSPMetadata()that generates the metadata, and it has a$validUntilparameter, so we are / can easily be the source of that expiration value. I'd rather we know the value by explicitly passing it, than know it by parsing the XML document that we just generated ourselves. Meaning: I'm hesitant to commit the current getValidUntil() method.If we go that other way, we need a setting for the expiry time. This expands the scope of this issue, but it's useful. (It can solve the @todo at the very top of the patch - and the suggested "best" way in this issue's description, as much as possible, by setting expiry to e.g. 1 second.)
This means we'd have some work to do:
$cacheDurationparameter. (At this moment I don't understand why OneLogin would define its default Metadata::TIME_CACHED to be larger than Metadata::TIME_VALID. But regardless: if we let Drupal cache the response with a "Valid until" date, I think it follows that the$cacheDurationshould be smaller than it is now.)I'll first go take a look at some other things (attribute mapping, finally), but will circle back to this... after X-mas ish.
Comment #9
roderikLeaving the patch here for review, for a while: I think it makes sense to have two configuration settings:
Meanwhile, I'll think about whether this should have tests. (Well, it should; the config screen and metadata route are not crippled by spaghettification or the need for a working IdP.) Or whether I'm going to just prioritize tagging a stable version, finally - and include this in it.
Comment #11
roderikAhem.
Well, the good news is, the metadata is one thing in this module which has we do already have tests for. So I don't need to feel guilty about not making them.
For the rest... after I looked it again, I
So the included patch is what will be committed.
Comment #12
roderik...by which I mean, this included patch.
Comment #14
roderikComment #16
mark_fullmerNote that as of May 2024, per https://github.com/SAML-Toolkits/php-saml/pull/569 , php-saml now includes a parameter to exclude validUntil.