This repository has been archived by the owner on Sep 19, 2021. It is now read-only.

WSO2 POST to /auth/saml/callback does not set Origin #122

Closed
ryanhofdotgov opened this issue May 18, 2018 · 2 comments

@ryanhofdotgov
Contributor

After successful authentication at WSO2 and POST back to /auth/saml/callback on the backend, WSO2 seems to trigger a condition that causes the browser to set Origin to null:

POST /auth/saml/callback HTTP/1.1
Host: api:3000
Connection: keep-alive
Content-Length: 6998
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

This affects the CORS setting and might be caused by the privacy contexts listed here:
https://wiki.mozilla.org/Security/Origin#Privacy-Sensitive_Contexts

@afeld
Contributor

afeld commented Jun 21, 2018

Does that cause a problem? Didn't run into (or notice) this problem when working on #458.

@ryanhofdotgov
Contributor Author

If you have CORS_ALLOWED=* in your dev environment you probably won't see a problem, but if it is something like:

CORS_ALLOWED=http://web.eapp.local.test:8080;https://id.eapp.local.test:8443

then you are going to run into trouble if the browser doing the POST from the id.eapp.local.test context is not setting Origin.

My intuition is that once this issue gets deep-dived, the approach to single sign-on might have to be revisited in order to get CORS set up properly – perhaps switching to one of the other SAML profiles or WSO2-supported protocols.
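The mismatch discussed in this thread, as an added example (not the project's code and not written by either commenter): a Go sketch of an Origin allow-list check showing why `Origin: null` passes with `CORS_ALLOWED=*` but fails against an explicit list. The function names and exact-match semantics are assumptions; the `;` separator and hostnames are taken from the comment above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parseAllowed splits a CORS_ALLOWED value on ';' (the separator used in the
// issue's example). Exact-match semantics are an assumption of this sketch.
func parseAllowed(v string) map[string]bool {
	set := map[string]bool{}
	for _, o := range strings.Split(v, ";") {
		if o = strings.TrimSpace(o); o != "" {
			set[strings.ToLower(strings.TrimRight(o, "/"))] = true
		}
	}
	return set
}

// checkOrigin reports whether an Origin header value passes, and why.
func checkOrigin(allowed map[string]bool, origin string) (bool, string) {
	switch {
	case allowed["*"]:
		return true, "wildcard"
	case origin == "":
		return false, "no Origin header"
	case origin == "null":
		// Opaque origin: browsers also send it from sandboxed iframes and
		// data: URLs, so it cannot be tied to id.eapp.local.test.
		return false, "opaque origin"
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false, "malformed origin"
	}
	if allowed[strings.ToLower(u.Scheme+"://"+u.Host)] {
		return true, "listed"
	}
	return false, "not listed"
}

func main() {
	strict := parseAllowed("http://web.eapp.local.test:8080;https://id.eapp.local.test:8443")
	for _, o := range []string{"https://id.eapp.local.test:8443", "null", "https://other.example"} {
		ok, why := checkOrigin(strict, o)
		fmt.Printf("%-34s allowed=%-5v (%s)\n", o, ok, why)
	}
}
```

Adding `null` to the allow list would make the callback pass, but it would also admit every other opaque-origin context, which is why the sketch never matches it.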
