WsFederationMessage.GetToken() is appending "
" to SAML (Formatting is breaking signature check - Sign in fails) #1258
Comments
|
I found the issue by putting a breakpoint in WsFederationHandler (line 213). The above token winds up with newline sequences appended on every line as such: However if I look directly at the above wsFederationMessage, I can see the incoming wresult. If I do the following while in the debugger (after that line) I no longer get the signature error. So it would seem there is some code that is appending the newline escapes and causing the issue. It's kind of a show stopper for us - we cannot use V3. Thanks, |
|
And finally, if you change the code for GetToken as follows, you no longer get the appended newline chars etc. Not sure this is the proper approach performance-wise. But it does eliminate the extra chars: |
smiket
changed the title
brentschmaltz
added
Bug
|
@smiket thanks for the detailed work. Sorry for the hassle. |
|
@smiket is this still a blocker? |
|
@brentschmaltz is there any update on this issue? I am experiencing the exact same issue as @smiket, and I'd like to know your recommended course of action? If the updated release is right around the corner, I think we could wait a week or two. |
|
@everettcomstock the release with undated WsFed is unlikely in a couple of weeks. |
|
@brentschmaltz , here is a heavily redacted example... I can PM you a real message if necessary:
|
|
Hi @brentschmaltz, I have not tried it since originally reporting the issue. It looks like Everett has identical problem. Happy to try any updates you may have, thanks for keeping it on your radar 👍 |
|
Are you saying that our method adds "
" to the SamlToken? |
|
Yeah, it adds those characters. See my 3rd comment where I suggest a fix. I forked and tried that locally and it worked for me. |
|
@brentschmaltz ... just for clarity, yes it is adding those characters in our application too. It seems like Stephen has identified the precise point where the issue is occurring. If we can help in any way, please don't hesitate to reach out. Thanks! |
|
@smiket @everettcomstock we will fix this. |
|
@brentschmaltz , yes.. 5.5.0 and Windows / Azure |
|
@everettcomstock we are planning on fixing this in our 6.x release. |
|
@brentschmaltz, thanks for the update. We'll add a card on our board for the 6.x release. |
|
@smiket the most likely reason that " " is added is because a "\n" character is found in the xml that arrives. Can you share a copy of the wasignin message that was received so that i can be sure? |
|
I have also similar issue when update wsfederation library to 3.1.5. I am tried but not sure how to override get token method. |
|
@krishnajampana would you be able to share the wasignin message that exhibits the issue? |
ds:X509Data
we are getting the token similar above due to that we have the signature validation failed exception. |
ds:X509Data(
);
|
|
@krishnajampana if I understand you, in the SignedInfo element in the signed saml, shows up with a "
" in the string returned from WsFederationMessage.GetToken(). |
|
Hi @brentschmaltz thanks for keeping up on this one. If the signature validation works in prior versions, would it make sense to compare the older method that does work and use that code (from here):
Just trying to be helpful - I know there's lots of permutations to consider. I'd have a hard time sharing a SAML payload, but as I recall it was formatted with newlines etc. Still, the same SAML validated in the older code. |
|
@smiket the difference i believe may be related to this small line of code here: That line was removed because it caused other issues, signature failures when the whitespace was significant. The idea is that when the 'token' is obtained from reading the string, the '\n' is not translated by the xmlReader. |
yes @brentschmaltz we are getting "
" from WsFederationMessage.GetToken() method. Could you please help me how to resolve it. |
|
Hi @brentschmaltz thanks for keeping this open. Is there any update on this issue? |
|
@northof490 i would like to propose a change where the user has the ability to 'ignore' whitespace outside of elements. This allows a user to have control. |
|
@brentschmaltz would you just add a flag to WsFederationOptions? If you have anything you need tested in a pre-release just let me know. Thanks again! |
|
@brentschmaltz in theory I think your proposition would work for us too. |
|
@everettcomstock @northof490 we will ping you when we have something to test. Most likely the week of Sept 7th. |
|
@brentschmaltz any progress? |
|
@northof490 @everettcomstock @smiket @krishnajampana there is a workaround here: In startup.cs replace the SamlSecurityTokenHandler with one the retries the validation if SecurityTokenInvalidSignatureException is thrown. The same code would work Saml2 tokens. |
|
Thank you @brentschmaltz! |
|
Since there is a workaround, i am moving this to the next milestone. |
henrik-me
added
P2
|
closing as there is a workaround. Please reopen if you disagree. Thanks! |
WS Federation was working for me prior to upgrading to .NET Core 3. I have a typical setup shown below, followed by exception that began after the upgrade. Not sure if there is any changes I should make to affect / resolve this.
Also it would be nice if I could step into the code (could not load module / find symbols). I may be missing something there - let me know if there is a way for me to step through and troubleshoot further.
I'm using Microsoft.AspNetCore.Authentication.WsFederation 3.0.0, which depends on / brings in Microsoft.IdentityModel.Protocols.WsFederation (>= 5.5.0).
The text was updated successfully, but these errors were encountered: