Add unique error messages for different "Invalid Signature" cases. #146
Labels
Comments
|
Agreed. This has made SAML integrations incredibly painful for me. Is this error intentionally opaque? I understand that you do not want to reveal such low level information to end users, but application developers should be masking all errors with a generic error page. I'd make a PR for it myself, but it doesn't look like any PRs have been merged since December of last year... |
|
saml.js contains 6 unique cases which all result in the same Would it simply work to extend the strings to be more unique: |
markstos
changed the title
|
Thanks for fixing this! |
|
@markstos Thank's a lot, this is useful ! |
cjbarth
added a commit
to cjbarth/passport-saml
that referenced
this issue
Sep 10, 2018
…-string-signing * commit '966b97a54e7a4b25316716c20e1f524b64cf8a22': internal: provide unique failure messages for invalid signatures. Fixes node-saml#146 package.json: bump version to 0.33.0 docs: mention that disableRequestAuthnContext helps with AD FS
cjbarth
added a commit
to cjbarth/passport-saml
that referenced
this issue
Sep 10, 2018
…url-params * commit '966b97a54e7a4b25316716c20e1f524b64cf8a22': internal: provide unique failure messages for invalid signatures. Fixes node-saml#146 package.json: bump version to 0.33.0 docs: mention that disableRequestAuthnContext helps with AD FS
cjbarth
added a commit
to cjbarth/passport-saml
that referenced
this issue
Sep 10, 2018
* master: (51 commits) start to use the debug module. v0.34.0: release internal: provide unique failure messages for invalid signatures. Fixes node-saml#146 package.json: bump version to 0.33.0 docs: mention that disableRequestAuthnContext helps with AD FS New Feature: allow customizing the name of the strategy. bump version to v0.32.1 README: link to where our Changes are documented. Audience validation README: fix typo `s/ADSF/ADFS/` jshint: fix jshint violation. v0.31.0 release README: update link description for ADFS docs. Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242) Support multiple and dynamic signing certificates (node-saml#218) v0.30.0 Ignore .tern-port files Use crypto.randomBytes for ID generation (node-saml#235) BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238 docs: Improve docs for privateKey format. Ref node-saml#230 ... # Conflicts: # README.md # test/samlTests.js # test/tests.js
cjbarth
added a commit
to cjbarth/passport-saml
that referenced
this issue
Sep 10, 2018
* master: (51 commits) start to use the debug module. v0.34.0: release internal: provide unique failure messages for invalid signatures. Fixes node-saml#146 package.json: bump version to 0.33.0 docs: mention that disableRequestAuthnContext helps with AD FS New Feature: allow customizing the name of the strategy. bump version to v0.32.1 README: link to where our Changes are documented. Audience validation README: fix typo `s/ADSF/ADFS/` jshint: fix jshint violation. v0.31.0 release README: update link description for ADFS docs. Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242) Support multiple and dynamic signing certificates (node-saml#218) v0.30.0 Ignore .tern-port files Use crypto.randomBytes for ID generation (node-saml#235) BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238 docs: Improve docs for privateKey format. Ref node-saml#230 ... # Conflicts: # README.md # test/samlTests.js
cjbarth
added a commit
to cjbarth/passport-saml
that referenced
this issue
Sep 11, 2018
…-authn-context * commit '966b97a54e7a4b25316716c20e1f524b64cf8a22': internal: provide unique failure messages for invalid signatures. Fixes node-saml#146 package.json: bump version to 0.33.0 docs: mention that disableRequestAuthnContext helps with AD FS
cjbarth
added a commit
to cjbarth/passport-saml
that referenced
this issue
Sep 12, 2018
…int-check * commit '966b97a54e7a4b25316716c20e1f524b64cf8a22': internal: provide unique failure messages for invalid signatures. Fixes node-saml#146
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
Would it be possible to improve the "Invalid signature" errors ? In real life, it seems we have this error in many case, and it's a pain to debug. More so with the fact that it's often the end user that see this error, and not me (since i use passport-saml in my code, but it's the end user that does the request when he connects to my app through saml).
One who be really easy to change, it's the one when there is multiple assertions.
And for the others, it would be nice to be just a bit more precise, so we know in which usecase we are (this should be quick). And also to display e.g. "signature 'aPoeK...' not compatible with certificate 'vVm8...'", so user can verify that he didn't sign with the wrong certif or whatever (but this would be longer to do).
The text was updated successfully, but these errors were encountered: