Skip to content

fix(saml): validate responses against AuthnRequest#1794

Merged
nijel merged 1 commit into
python-social-auth:masterfrom
nijel:saml
Jun 20, 2026
Merged

fix(saml): validate responses against AuthnRequest#1794
nijel merged 1 commit into
python-social-auth:masterfrom
nijel:saml

Conversation

@nijel

@nijel nijel commented Jun 17, 2026

Copy link
Copy Markdown
Member
  • Store generated AuthnRequest IDs per IdP and pass them into python3-saml response validation.
  • Reject authenticated account-association callbacks without a matching InResponseTo while preserving anonymous IdP-initiated SSO.
  • Revalidate restored-session callbacks after session restore so request IDs stored in the restored session are enforced.
  • Add regression tests for missing, mismatched, matching, anonymous, and restored-session SAML response paths.

@nijel nijel self-assigned this Jun 17, 2026
@codecov

codecov Bot commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 93.59331% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.23%. Comparing base (673df79) to head (7986180).
⚠️ Report is 2 commits behind head on master.

Files with missing lines Patch % Lines
social_core/tests/backends/test_saml.py 94.26% 11 Missing and 5 partials ⚠️
social_core/backends/saml.py 91.25% 4 Missing and 3 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1794      +/-   ##
==========================================
+ Coverage   83.96%   84.23%   +0.26%     
==========================================
  Files         341      341              
  Lines       12155    12499     +344     
  Branches      579      597      +18     
==========================================
+ Hits        10206    10528     +322     
- Misses       1742     1756      +14     
- Partials      207      215       +8
Flag Coverage Δ
unittests 84.23% <93.59%> (+0.26%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 17, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 98f353d0d5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread social_core/backends/saml.py Outdated
@nijel nijel force-pushed the saml branch 2 times, most recently from 7c2d567 to 153b6af Compare June 17, 2026 11:46
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 17, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 153b6afa45

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread social_core/backends/saml.py Outdated
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 17, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c790f27ef2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread social_core/backends/saml.py
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 17, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c31de88349

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread social_core/backends/saml.py
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 17, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 711789c45b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread social_core/backends/saml.py Outdated
@nijel
fix(saml): validate responses against AuthnRequest
7986180 
- Store generated AuthnRequest IDs per IdP and pass them into python3-saml response validation.

- Reject authenticated account-association callbacks without a matching InResponseTo while preserving anonymous IdP-initiated SSO.

- Revalidate restored-session callbacks after session restore so request IDs stored in the restored session are enforced.

- Add regression tests for missing, mismatched, matching, anonymous, and restored-session SAML response paths.
@nijel nijel merged commit 5c72f71 into python-social-auth:master Jun 20, 2026
18 checks passed
@nijel nijel deleted the saml branch June 20, 2026 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

@nijel nijel

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nijel