Add support for POST AuthnRequest initialisation requests #62

Closed
mauromol opened this issue Jul 26, 2021 · 4 comments

@mauromol
Contributor

Right now, with:

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login/?idp=https://localhost:8080

I'm telling spid_sp_test to make a GET request to http://localhost:8000/spid/login/?idp=https://localhost:8080 in order to simulate the user browser and get the AuthnRequest aimed to be forwarded to the IdP.

In my environment this request should be made in POST instead. After all, the https://github.com/italia/spid-sp-access-button is offered in two different flavours, GET and POST. So I'm requesting whether this scenario could also be supported in spid-sp-test.

The most straightforward solution that comes to my mind: add two parameters like these:

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url http://localhost:8000/spid/login \
             --authn-method=POST --authn-body="idp=https%3A%2F%2Flocalhost%3A8080&foo=bar"

That is: add a command line parameter to specify the request type (POST/GET... possibly even PUT?) and another parameter to specify the request body as a string (in this case I'm using an application/x-www-form-urlencoded body, but I could write a JSON string or whatever...).
As a plus, perhaps having also a --authn-body-file=path/to/some/file that reads the body contents from a file instead of from the CLI would be nice to have.

@peppelinux
Member

I think that this feature can be done asap,
thank you @mauromol, I'll give you updates here

@peppelinux
Member

@mauromol it's something that could be done in a while, just a proposal here

--authn-body= would be an additional parameter, I understand that having those arguments embedded in the url (as it would be GET) could sound strange but, do you think that it could be this way?

If yes, I'd add only --authn-method

spid_sp_test --metadata-url http://localhost:8000/spid/metadata --authn-url "https://localhost:8000/spid/login/?idp=https%3A%2F%2Flocalhost%3A8080&foo=bar" --authn-method=POST

@mauromol
Contributor Author

In theory, a POST request may have both a body AND query string parameters. It's an unusual scenario, but it's possible. Even when we talk about application/x-www-form-urlencoded body contents, depending on how the server processes the request, it may expect some parameters to be passed necessarily as query string parameters, some other as being part of the body.
So, in general I would say that a distinct parameter for the body would be needed.

Also, if you plan to support e.g. JSON payloads for such POST requests, you of course need to specify the body. And perhaps a third parameter (like --authn-request-content-type) allowing to specify the content type (application/json in this case, or such).
So, probably the --authn-body should better be called --authn-request-body and --authn-method as --authn-request-method (or rather --authn-init-*, not to confuse with the SAML AuthnRequest entity), to better describe the nature of those parameters, but I leave the decision up to you.
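
The point made in the comment above, that a POST initiation request can carry query-string and body parameters at the same time and that a JSON body needs its own content type, shown as an added example (not part of the thread and not spid-sp-test's code). The loopback `LoginEndpoint` handler and the `init_request` helper are hypothetical names; the sample values are the ones used in the thread.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import parse_qs, urlsplit


class LoginEndpoint(BaseHTTPRequestHandler):
    """Hypothetical SP login endpoint: reports where each parameter arrived."""

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        ctype = self.headers.get("Content-Type", "")
        if ctype.startswith("application/json"):
            body = json.loads(raw)
        else:  # treat anything else as application/x-www-form-urlencoded
            body = {k: v[0] for k, v in parse_qs(raw).items()}
        query = {k: v[0] for k, v in parse_qs(urlsplit(self.path).query).items()}
        out = json.dumps({"query": query, "body": body, "content_type": ctype}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # silence per-request logging
        pass


def init_request(path_and_query, method, body, content_type):
    """Send one initiation request to a throwaway loopback server; return what it saw."""
    server = TCPServer(("127.0.0.1", 0), LoginEndpoint)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxies
    try:
        req = urllib.request.Request(
            f"http://127.0.0.1:{server.server_address[1]}{path_and_query}",
            data=body.encode(), method=method, headers={"Content-Type": content_type})
        with opener.open(req, timeout=5) as resp:
            return json.loads(resp.read())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    form = "idp=https%3A%2F%2Flocalhost%3A8080"  # sample value from the thread
    print(init_request("/spid/login/?foo=bar", "POST", form, "application/x-www-form-urlencoded"))
    print(init_request("/spid/login/", "POST", '{"idp": "https://localhost:8080"}', "application/json"))
```

In the first call the server sees `foo` only in the query string and `idp` only in the body, which is why a URL-only option cannot express every initiation request.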

peppelinux added a commit that referenced this issue Jul 27, 2021
@peppelinux peppelinux mentioned this issue Jul 27, 2021
@peppelinux
Member

Done here
96fe8c2
