Issue #129 resolution: support other external middleware #184
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods.
|
Hi, +1 to this, plan to merge? Trying to set things up with GIN framework for spring has been hard. Would this PR help this... #185 |
bjm88
approved these changes
Mar 11, 2019
bjm88
approved these changes
Apr 19, 2019
|
great! can we get merged to master/release? |
|
thanks, folks! |
|
thank you! Is there anything else necessary to have this master version used in go get/go.mod or it will be the default? |
|
It is the master branch, |
|
cool, it would be good if someone can update the read.ME related to this for SPs in initial section "Getting Started as a Service Provider" to show how to use another external web framework like GIN which is very popular. Thanks! |
|
so I spent some time really digging into this....I think a few issues if anyone still willing to update this library or stumble upon it and perhaps avoid until updated. Unfortunately the go community is lacking big time a good SAML library that is clean and separated from any http, web, or go.http specifics. We really just need an isolated SAML library that can generate xml metadata, initiate SAMLRequests, and consume and validate SAMLResponses. This would allow any application to integrate it how it needed to. I found even after this fix many other issues hooking up to our existing application with GIN framework. This is a nice library that wanted to make it totally easy to try out SAML, but think if it had more separation of concerns it could be much more broadly used. Perhaps simple refactoring and documentation updates could achieve that. Issues for SP setup:
|
|
Ben, sorry for the delay. I had all the same issues. This patch was specifically to allow me to use this in a multi-tenant environment. It solved the problem pretty much the way you described but certainly doesn't make the integration between your middleware and this client a one-liner. Additionally, I don't believe what you are suggesting is very practical due to the way SAML authentication works. Any SAML library is going to need to manage the HTTP communication between SP and IDP. Expecting that burden to fall on the application would be far worse. The nature of SAML kind of requires any SAML implementation to manage that. This patch does allow you to bypass the built-in middleware processing, provide a request and a response to the SP instance, and go from there. I don't know enough about GIN because it was too heavy for my needs. I needed a lean mean fast thin tier for managing OAuth, SAML, and our own internal authentication which is why I selected vestigo. It's simple and doesn't have loads of features I'll never use. Now, I'm not trying to sell vestigo. Gin is a great framework to be sure. I did take a cursory look at how to integrate it with GIN. It can be done, much in the same way I did mine. If I provide you some source code so you can see the approach, I'm hoping that you know GIN well enough to translate. Here is what I did: 1: On application startup At this point, all certificates, keys, and SAML properties have been retrieved and configured and are ready for use. I added these routes: Here is the mysaml.GetSPMetadataReq methods (but the /metadata URL many IDPs don't even use): I provided to the IDP, our URL where users should be redirected after authenticating. It is: Case #1 is easy enough to spot in the form of a missing JWE (we use fully encrypted JWT). I'm guessing you would be using GIN's session management. This addresses your point #2 above. If that happens then I do this: Case #2 is handled after successful authentication by the IDP. That is easy enough to spot by calling this: From that point forward the user looks just like any other user from any other tenant. I have no idea why you are asking to manage calling the IDP in point #3 above. That certainly isn't a separation of concerns and based on what I know about the SAML protocol, I am almost certain you would want no part of it. In fact, handing that over to the app developer would make what you are trying to accomplish harder, not easier. |
mattcobb
added a commit
to lightstep/saml
that referenced
this pull request
Nov 30, 2021
* bugfix: New sometimes selected the wrong EntityDescriptor when parsing a metadata file with multiple EntityDescriptor's underneath a EntitiesDescriptor tag * Add syntax highlight * expose CookieMaxAge in samlsp Options * Enable persistent name id format (crewjam#107) * Enable persistent name id format * add ability to set the domain for the cookies (crewjam#95) * Fixed script hash to remove JS console errors when redirecting (crewjam#117) @RichardKnop PR#94 * saml{sp,idp}: add httpOnly and secure flag (conditionally) to cookies (crewjam#116) * Use dep package manager (crewjam#114) * use dep package manager * updated travis * Fix example code so that it compiles (crewjam#118) * expose ForceAuthn (crewjam#119) * fix validUntil in SPSSODescriptor fixes crewjam#123 * samlsp.Middleware.SecureCookie option (crewjam#128) * remove cruft * update README * fix some minor lint / style errors * samlsp: use current time for the JWT rather than the IssueInstant from the assertion (crewjam#130) fixes crewjam#122 jwt-go not support leeway parameter * travis cleanup: remove older go versions (crewjam#132) * samlsp: remove X-Saml headers in favor of attaching Claims to request context (crewjam#131) * samlsp: move the setting and reading of cookies into an interface (crewjam#133) We’ve had a bunch of changes requesting the ability to customize how cookies are set and it is getting a little messy. This change moves the code to setting and reading cookies into two interfaces which you can extend/customize. * add field to IdpAuthnRequest so you can externally control the “current” time (crewjam#136) The default is obviously the current time, but for various reasons you may wish to evaluate the response at a different reference time, for example processing a response that has been deferred. We can’t use the global TimeNow() thunk, which is designed for testing, because it isn’t safe to modify concurrently. * idp: handle assertions where no ACS url is specified (crewjam#139) * add test cases for SAML comment injection (crewjam#140) ref: CVE-2017-11427 ref: CVE-2017-11428 ref: CVE-2017-11429 ref: CVE-2017-11430 ref: CVE-2018-0489 ref: CVE-2018-7340 ref: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations * Update PGP key in README.md * make MaxIssueDelay configurable at runtime (mini-hack) * Remove the default xmlns from the expected output because the encoder does not reset the default. Should resolve the test for issue 152. (crewjam#158) * Added Travis badge (crewjam#159) * Fixed some typos in the README.md file. (crewjam#160) * dep ensure [ch16254] (crewjam#156) * add the ability to use custom cookie names and domain * fix missing time on IDP-initiated IdpAuthnRequest (crewjam#147) * added godoc badge to README.md (crewjam#143) * made selected binding configureable (crewjam#144) * Fix AES decryption (crewjam#142) Fix AES decryption by decrypting the EncryptedKey from the response, and passing the decrypted key to the data encryption. * idp: Allow intermediates to be encoded in signature (crewjam#127) * idp: Make signature method configurable (crewjam#126) * Removed %s format for claims audience not matching Provider EntityID for crewjam#154 (crewjam#161) * add support for a logout URL binding * add stale integration ref: https://probot.github.io/apps/stale/ * add support for other external middleware (crewjam#184) Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods. * crewjam#192: Support multiple IdP signing certificates * crewjam#192: Account for Go/check changes. * Handle root URL's with trailing slash * crewjam#194: Properly default EncryptionMethod/DigestMethod when not present. * Allow AudienceRestriction to be missing re crewjam#198 * Don't include the port with the domain when setting the cookie (crewjam#202) * update value of UnspecifiedNameIDFormat and EmailAddressNameIDFormat (crewjam#217) * Don't require Destination attribute in response when response is not signed (crewjam#213) * Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required. * Check Destination when present, even if response unsigned * Replaces testshib.org with samltest.id in the README (crewjam#211) Fixes crewjam#201 * Set the default domain for cookies properly (crewjam#187) Fixes crewjam#186. * Separate response validation from the Middleware so that ServiceProvider can be used standalone to validate requests. Also fix IDPInitiated requestids bug since Standalone validation may not have possibleRequestIds. * Adding support for eduPersonScopedAffiliation * Add in actual attribute evaluation for eduPersonScopedAffiliation. * Fix typo for idp example path in readme (crewjam#170) * omit validUntil if empty (crewjam#190) * Prevent panic caused by IDP-initiated login (crewjam#183) * - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link. - Guard against an IDP-initiated request that may not have the request ID in the claims. - Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed. * Only address the panic in IDP-initiated login (#1) This change undoes some of the changes made in 4908b26, to just address the panic for IDP-initiated logins. I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP. * SP: Add capability to provide intermediate certs (crewjam#178) * remove bad import * remove log junk * fix compile error * Gopkg -> go.mod * tests: convert from go-check to testify * lint with golangci-lint * lint with golangci-lint * fix go.mod * fix travis configuration * fix travis configuration * Use RS256 rather than HS256 Using HS256 with the RSA private key (serialised as ASN.1 according to PKCS1) as the secret is unconventional and perhaps dangerous. The string of bytes isn't entirely random given that it starts with the version number. The encoded RSA key will be larger than the block size of the underlying hash and so to create a secret, the RSA key will be hashed. A more important problem is that we should be able to validate a jwt issued by the middleware with just the RSA public key. By moving to RS256, we can validate jwts without sharing the private key. Fix randomBytes: should ensure that the entire buffer is full. * Add Single Logout data structure * Set session NameID based on email * update test expectations * removed mandatory check for validating embedded certificate for rsa * Rename validateRSAKey to validateRSAKeyIfPresent Now that the validation is optional, the previous name did not accurately reflected the intention. * Removes unused dependencies Ran go mod tidy to remove golangci-lint as that isn't actally needed for this project. Its inclusion result in a huge number of dependencies to be imported. * travis: pin golangci-lint version * Bump github.com/beevik/etree from 1.0.1 to 1.1.0 Bumps [github.com/beevik/etree](https://github.com/beevik/etree) from 1.0.1 to 1.1.0. - [Release notes](https://github.com/beevik/etree/releases) - [Changelog](https://github.com/beevik/etree/blob/master/RELEASE_NOTES.md) - [Commits](beevik/etree@v1.0.1...v1.1.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * update test expectations * Return status code if not success * Make cert optional for ServiceProvider.Metadata() * Add test case from OneLogin This adds a test case provided by @fredipevcin in [https://github.com/crewjam/saml/pull/25](PR25) that makes sure we can parse cases where the assertion is signed rather than the whole message. This has been supported for a while, but it is nice to ensure that the compatibility at issue continues to work. * Remove 'Failing' from certificate missing check * (Add tests for) Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required. * update readme to reflect our inability to produce encrypted assertions re crewjam#179 * fix bad merge * golangci: require comments, add a few missing ones * golangci: require comments, add a few missing ones * update test expectations * schema: don't include empty Format attributes in samlp:NameIDPolicyElement fixes crewjam#177 * make ValidDuration configurable for IDP. (crewjam#235) * refactor samlsp package to be more modular (crewjam#230) This change splits the Middleware component into three interfaces (in addition to the saml.ServiceProvider): * RequestTracker which handles tracking pending authn requests. * Session which handles issuing session cookies. * OnError which handles reporting errors to both the user and any logging. The default implementations of RequestTracker and Session use http cookie to encode JWTs, but further delegate the encoding/verification of the JWTs to codec interfaces which allow further customization, again with default implementations. This should make the *samlsp* package easier to extend to fit more use cases. Fixes crewjam#231 * Add optional callback for signature verification (crewjam#237) Fixes crewjam#234 * AllowIDPInitiated=true allows both IDP-initiated and normal (crewjam#240) * Bump github.com/kr/pretty from 0.1.0 to 0.2.0 (crewjam#243) Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.1.0 to 0.2.0. - [Release notes](https://github.com/kr/pretty/releases) - [Commits](kr/pretty@v0.1.0...v0.2.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * add HTTPOnly bool to CookieSessionProvider (crewjam#248) * feat(slo): add logout response request validation (crewjam#247) * fix(slo): fix SessionIndex attribute in LogoutRequest (crewjam#245) * clean up README about breaking changes * feat(slo): add Bytes() and Deflate() functions for LogoutRequest (crewjam#251) Bytes() is needed in for returning a byte array for POST Binding. Deflate() is needed for compressing using gzip algorithm a LogoutRequest byte array. * fix(sp): no check for InResponseTo for if IDPInitiated is true (crewjam#259) * Add EntityID (crewjam#258) * feat: add Post / Redirect methods for LogoutRequest (crewjam#260) * Update README.md (crewjam#261) * Bump github.com/stretchr/testify from 1.4.0 to 1.5.0 (crewjam#263) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.4.0...v1.5.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Bump github.com/stretchr/testify from 1.5.0 to 1.5.1 (crewjam#264) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.5.0...v1.5.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Include a path when clearing the cookie (crewjam#278) Some browsers will refuse to remove a cookie that doesn't include the path * SessionNotOnOrAfter is serialized to XML if set (crewjam#292) It is currently possible to set SessionNotOnOrAfter directly on the Go structure, but it is not serialized to or deserialized from XML. * Fixes handling signed response with encrypted assertions (crewjam#273) When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest. The response signature is sufficient unless the assertion is also signed in which case both must be valid. * Bump github.com/kr/pretty from 0.2.0 to 0.2.1 (crewjam#294) Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/kr/pretty/releases) - [Commits](kr/pretty@v0.2.0...v0.2.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Bump github.com/stretchr/testify from 1.5.1 to 1.6.1 (crewjam#288) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.1 to 1.6.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.5.1...v1.6.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Add support for signed authnRequest (crewjam#296) * Fixes handling signed response with encrypted assertions When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest. The response signature is sufficient unless the assertion is also signed in which case both must be valid. * Add support for signed authnRequests * Update metadata.go (crewjam#297) Renamed LocalizedName & LocalizedURI Lang attributes -> `xml:"http://www.w3.org/XML/1998/namespace lang,attr"` fixes crewjam#295 * Allows configuring SameSite for session cookie (crewjam#276) Fixes crewjam#275 * fix lint errors & update test expectations * update README re: security issues * fix test expectation for go 1.15 * remove output cruft from xmlenc test * [SECURITY] bump version of goxmldsig [CVE-2020-15216] There was a signature validation bypass in goxmldsig, which saml uses to authenticate assertions. This change increments the dependent version of goxmldsig to a version that is no longer affected. For more information: GHSA-q547-gmf8-8jr7 * Merge pull request from GHSA-4hq8-gmxx-h6w9 This change validates that the XML input we receive is safe to parse before passing it to the standard library's XML parsing functions or the etree DOM parsing functions. This validation mitigates critical vulnerabilities in `encoding/xml` - CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511. TODO: is there going to be a go.mod version assigned to this on release? * fix version of xml-roundtrip-validator in go.mod * add SignLogoutResponse SignLogoutRequest MakeLogoutResponse * add SessionIndex to claims Attributes * Include a domain when clearing the cookie * identity_provider: extend session with CustomAttributes (crewjam#310) * add xUserId and xAccountId for session * add CustomAttributes for idp session content * fix: logout response element Response -> LogoutResponse (crewjam#305) * Spread the use of option SameSite to tracking cookies (crewjam#302) * fix formatting * travis -> github actions * fix typo in README * update test expectations * Stop validating InResponseTo when AllowIDPInitiated is set With this change we no longer validate InResponseTo when AllowIDPInitiated is set. Here's why: The SAML specification does not provide clear guidance for handling InResponseTo for IDP-initiated requests where there is no request to be in response to. The specification says: InResponseTo [Optional] The ID of a SAML protocol message in response to which an attesting entity can present the assertion. For example, this attribute might be used to correlate the assertion to a SAML request that resulted in its presentation. The initial thought was that we should specify a single empty string in possibleRequestIDs for IDP-initiated requests so that we would ensure that an InResponseTo was *not* provided in those cases where it wasn't expected. Even that turns out to be frustrating for users. And in practice some IDPs (e.g. Rippling) set a specific non-empty value for InResponseTo in IDP-initiated requests. Finally, it is unclear that there is significant security value in checking InResponseTo when we allow IDP initiated assertions. This issue has been reported quite a few times, including: Fixes crewjam#291 crewjam#286 crewjam#300 crewjam#301 crewjam#286 * set cookie domain when clearing request tracker cookie (crewjam#321) * samlsp: make middleware endpoints public (crewjam#323) * samlsp: remove deprecated fields (crewjam#324) * remove deprecated fields * update readme * add test that we can marshal an AuthnStatement without SessionNotOnOrAfter being set re crewjam#312 * samlsp: fix validating response with no issuer element (crewjam#328) * in tests, replace long strings with files we read from testdata/ * replace testify (which is more or less unmaintained) with gotest.tools * remove redundant []byte conversions * explicitly copy loop iterator variables This silences a warning from golangci-lint * fix spelling of test data file * add maintainer action to update dependencies * adjust maintainer action to update dependencies * Update go.mod * upgrade github.com/crewjam/httperr from v0.0.0-20190612203328-a946449404da to v0.2.0 * upgrade github.com/dchest/uniuri from v0.0.0-20160212164326-8902c56451e9 to v0.0.0-20200228104902-7aecb25e1fe5 * upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201213122252-bcd7e1b9601e to v0.0.0-20201219040909-8fd2afad43d1 * upgrade github.com/zenazn/goji from v0.9.1-0.20160507202103-64eb34159fe5 to v1.0.1 * upgrade golang.org/x/crypto from v0.0.0-20200622213623-75b288015ac9 to v0.0.0-20201221181555-eec23a3978ad * Fix AuthN Request signing for HTTP-Redirect binding (crewjam#339) * Fix signing for HTTP-Redirect binding The currently implemented behavior for signing AuthN Requests where an enveloped signature is added in the XML Document, is appropriate only when the HTTP-POST binding is used. Signing for authentication requests when the HTTP-Redirect binding is in use, is described in http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf section 3.4.4.1 and involves generating a signature of the deflated form of the AuthN request along with some other URL parameters, mainly because of URL length considerations. This commit implements proper AuthNRequest signing support according to the specification. * Add comment for function * linter is picky :) * SplitHostPort on DeleteSession (crewjam#335) * Add explicit tests for XSW (crewjam#338) XML Signature Wrapping attacks are unfortunately still very common in SAML implementations. crewjam/saml is not vulnerable to any XSW attacks as goxmldsig and this library's use of goxmldsig are safe. This commit adds a number of tests against common XSW attacks, so that these can serve as verification of the current safe state, prevent future regressions in crewjam/saml and detect possible future regressions in goxmldsig The numbering of the permutations of the XSW attack follows that of https://github.com/CompassSecurity/SAMLRaider and a visual depiction is available in https://github.com/CompassSecurity/SAMLRaider/blob/5b9eace70e88d0af17b86c26c2cad1178b08c7d0/src/main/resources/xswlist.png * Custom relayState generator (crewjam#337) * Update go.mod (crewjam#331) * upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201219040909-8fd2afad43d1 to v0.1.0 * upgrade golang.org/x/crypto from v0.0.0-20201221181555-eec23a3978ad to v0.0.0-20210317152858-513c2a44f670 Co-authored-by: Github Actions <noreply@github.com> * Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (crewjam#336) * Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](google/go-cmp@v0.5.4...v0.5.5) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Ross Kinder <ross@kndr.org> * update README (crewjam#340) fixes crewjam#333 * Update go.mod (crewjam#342) * upgrade golang.org/x/crypto from v0.0.0-20210317152858-513c2a44f670 to v0.0.0-20210322153248-0c34fe9e7dc2 Co-authored-by: Github Actions <noreply@github.com> * Update go.mod (crewjam#343) Co-authored-by: crewjam <crewjam@users.noreply.github.com> * Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. (crewjam#344) * Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. dgrijalva/jwt-go is abandoned (dgrijalva/jwt-go#457) with an outstanding security vulnerability (dgrijalva/jwt-go#422). form3tech-oss/jwt-go is a fork that has fixed the vulnerability. * Upgrade to GitHub-native Dependabot (crewjam#346) Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Make SP check more certs in IDP metadata (crewjam#353) From https://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf ``` [E62]A use value of "signing" means that the contained key information is applicable to both signing and TLS/SSL operations performed by the entity when acting in the enclosing role. A use value of "encryption" means that the contained key information is suitable for use in wrapping encryption keys for use by the entity when acting in the enclosing role. If the use attribute is omitted, then the contained key information is applicable to both of the above uses. ``` We need to include certificates both when they have a "use" attribute of "signing" as well as when the "use" attribute is missing. Fixes crewjam#352 SAML input from @simmel. * bring monorepo lightstep/saml changes into lightstep forked saml repo #LS-26157 * Fix merge problems * Fix valid until tests * req.now may not be initialized in MakeResponse() so use Now() * use TimeNow() * req.now not guaranteed to be defined. Use TimeNow() in IdpAuthnRequest() and MakeAssertion() * Remove old code from comments, remove commented out Skip(broken) * use upstream's new validateDestination, but modify it to use urlsMatchModuloPortNumbers(). Add clock kew to notOnOrAfter Co-authored-by: Donald Hoelle <donald@restlessbandit.com> Co-authored-by: Umayr Shahid <umayr.shahid@gmail.com> Co-authored-by: Dustin Decker <sevoma@gmail.com> Co-authored-by: Ross Kinder <ross@kndr.org> Co-authored-by: Bryce Fisher <bryce.fisher@live.com> Co-authored-by: Sevki <s@sevki.org> Co-authored-by: Paul Tötterman <ptman@users.noreply.github.com> Co-authored-by: Lucas <subandroid@users.noreply.github.com> Co-authored-by: Beyang Liu <beyang@sourcegraph.com> Co-authored-by: Nao YONASHIRO <owan.orisano@gmail.com> Co-authored-by: Darrel Herbst <dherbst@gmail.com> Co-authored-by: Neha Malviya <neha0912@gmail.com> Co-authored-by: Josh Silvas <joshua.silvas@rackspace.com> Co-authored-by: ☃ Elliot Shepherd <elliot@identitii.com> Co-authored-by: Christoph Hack <tux21b@users.noreply.github.com> Co-authored-by: Volkan Gürel <volkangurel@users.noreply.github.com> Co-authored-by: Andrew Pilloud <apilloud@users.noreply.github.com> Co-authored-by: jb <jdbrokaw@gmail.com> Co-authored-by: Stephen Kress <stephen.kress@rstudio.com> Co-authored-by: Geoff Bourne <geoff.bourne@rackspace.com> Co-authored-by: Robin Wood <robin@digi.ninja> Co-authored-by: Noval Agung Prayogo <novalagung@users.noreply.github.com> Co-authored-by: Chris Vermilion <christopher.vermilion@gmail.com> Co-authored-by: Joe Siltberg <joe@joesiltberg.se> Co-authored-by: Daniel Cormier <dcormier@users.noreply.github.com> Co-authored-by: Tom Bruno <24335+tebruno99@users.noreply.github.com> Co-authored-by: Shane Jeffery <sjeffery@treetopllc.com> Co-authored-by: ferhat elmas <elmas.ferhat@gmail.com> Co-authored-by: Christopher Goulet <christophergoulet@outlook.com> Co-authored-by: Praneet Loke <1466314+praneetloke@users.noreply.github.com> Co-authored-by: Benjamin Schubert <brm.schubert@gmail.com> Co-authored-by: Stevie Johnstone <stevie@jazznetworks.com> Co-authored-by: Ryan Zhang <ryan.zhang@docker.com> Co-authored-by: Grace Noah <gracenoahgh@gmail.com> Co-authored-by: Jon Gyllensward <jon.gyllensward@grafana.com> Co-authored-by: gotjosh <josue@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Michael Rauh <michael.rauh@ecsec.de> Co-authored-by: Matthew Steffen <msteffen@pachyderm.io> Co-authored-by: Bryce Fisher <bfisher-sub@novetta.com> Co-authored-by: Jan Szumiec <jan.szumiec@gmail.com> Co-authored-by: aspeteRakete <fdubrownik@gmail.com> Co-authored-by: Joe Siltberg <git@joesiltberg.se> Co-authored-by: David Goeke <github@waygate.org> Co-authored-by: Daniel Hochman <danielhochman@users.noreply.github.com> Co-authored-by: Mathieu Mailhos <mathieumailhos@gmail.com> Co-authored-by: miketonks <miketonks99@gmail.com> Co-authored-by: (0x794E6).toString(36) <andypeng2010@gmail.com> Co-authored-by: Andreas Fritzler <afritzler@users.noreply.github.com> Co-authored-by: Ron Kuris <swcafe@gmail.com> Co-authored-by: Andy Lindeman <andy@lindeman.io> Co-authored-by: Ricardo Andrade <ricardofandrade@users.noreply.github.com> Co-authored-by: bstrueb <bstrueb@gmail.com> Co-authored-by: Ross Kinder <ross@grooveid.com> Co-authored-by: neilli-sable <omprand.serbei@gmail.com> Co-authored-by: Alex Yan <yanhao1991@gmail.com> Co-authored-by: Alan Shreve <alan@inconshreveable.com> Co-authored-by: AlekseyZolotuhin <5293057+sly-roar@users.noreply.github.com> Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> Co-authored-by: Github Actions <noreply@github.com> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com> Co-authored-by: yuki2006 <yagfair@gmail.com> Co-authored-by: Harold Alcala <harold.dev@gmail.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: crewjam <crewjam@users.noreply.github.com> Co-authored-by: Bay Grabowski <baygrabowski@gmail.com> Co-authored-by: Patrik Lundin <patrik@sigterm.se>
atezet
pushed a commit
to atezet/saml
that referenced
this pull request
Jul 9, 2022
Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods.