Skip to content

fix(saml): exempt ACS endpoint from CSRF Origin enforcement#666

Merged
lakhansamani merged 1 commit into
mainfrom
fix/saml-acs-csrf-exempt
Jul 10, 2026
Merged

fix(saml): exempt ACS endpoint from CSRF Origin enforcement#666
lakhansamani merged 1 commit into
mainfrom
fix/saml-acs-csrf-exempt

Conversation

@lakhansamani

Copy link
Copy Markdown
Contributor

What

Found while live-verifying the new with-org-saml example against a dockerized Keycloak IdP: the CSRF middleware has no exemption for POST /oauth/saml/:org_slug/acs, so the IdP's auto-submitting form POST (SAML POST binding, IdP origin, form-urlencoded) gets 403 csrf_validation_failedthe shipped SAML SP feature is unusable for real browser flows (headless scripts only worked by faking allow-listed Origin headers).

Fix

Exempt /oauth/saml/*/acs (prefix + suffix scoped) from Origin enforcement — the same rationale as the existing /oauth_callback/ exemption: the ACS handler defends itself with XML signature validation, InResponseTo binding, and the assertion replay cache; CSRF Origin checks cannot apply to a flow whose legitimate POST is always cross-origin.

Testing

  • New TestCSRFExemptsSAMLACS: cross-origin IdP form POST reaches the ACS handler; other /oauth/saml/ POST routes (e.g. /login) remain CSRF-protected — exemption doesn't leak.
  • go build, gofmt clean.

Related: the MAI follow-ups memory lists "SAML handler-level tests" as a deferred item — this is the first regression from that gap.

The SAML POST binding delivers the assertion via an auto-submitting
form from the IdP's own origin — a legitimate cross-origin POST the
Origin allow-list always rejected with 403, making the shipped SAML SP
unusable for real browser flows (found while building the with-org-saml
example, verified live). ACS defends itself with XML signature
validation, InResponseTo binding, and the replay cache — same rationale
as the /oauth_callback/ exemption. Exemption is suffix-scoped to /acs;
a regression test proves other /oauth/saml/ POSTs stay protected.
@lakhansamani lakhansamani merged commit a406d92 into main Jul 10, 2026
4 checks passed
@lakhansamani lakhansamani deleted the fix/saml-acs-csrf-exempt branch July 10, 2026 11:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant