snok/django-auth-adfs

`ProviderConfig._load_federation_metadata` loads expired certificates

erfaan opened this issue · 1 comment

The ADFS Server 2012 R2 configuration looks like this:
[Screenshot: ADFS token-signing certificate list, 2024-05-21]

Please note that the first certificate is active whereas the second one is expired.

The Federation metadata lists both certificates under fed:SecurityTokenServiceType.

The following code loads all certificates, including the expired one.

```python
from xml.etree import ElementTree

# `response` is the HTTP response for the ADFS FederationMetadata.xml document
# Extract token signing certificates
xml_tree = ElementTree.fromstring(response.content)
cert_nodes = xml_tree.findall(
    "./{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor"
    "[@{http://www.w3.org/2001/XMLSchema-instance}type='fed:SecurityTokenServiceType']"
    "/{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor[@use='signing']"
    "/{http://www.w3.org/2000/09/xmldsig#}KeyInfo"
    "/{http://www.w3.org/2000/09/xmldsig#}X509Data"
    "/{http://www.w3.org/2000/09/xmldsig#}X509Certificate")
# Every matching node is kept, with no check of the certificate's validity period
signing_certificates = [node.text for node in cert_nodes]
```

This causes the callback to fail with a "Signature verification failed" error.

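An added example, not the project's own code, of the filtering this issue asks for: it walks the same XPath as the snippet above but checks each certificate's validity window with `cryptography` before returning it, so an expired (or not-yet-valid) entry is never handed to signature verification. The metadata document and the two self-signed certificates are constructed fixtures; `build_metadata` and `make_self_signed_cert_b64` are helper names assumed here.

```python
import base64
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
SIGNING_CERT_XPATH = (  # the same path the project walks to reach the STS signing certificates
    f"./{MD}RoleDescriptor[@{XSI}type='fed:SecurityTokenServiceType']"
    f"/{MD}KeyDescriptor[@use='signing']/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc accessors; older releases return naive UTC datetimes
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def load_signing_certificates(metadata_xml, now=None):
    """Extract token-signing certs from federation metadata, skipping any not valid at `now`."""
    now = now or datetime.now(timezone.utc)
    usable = []
    for node in ElementTree.fromstring(metadata_xml).findall(SIGNING_CERT_XPATH):
        b64 = "".join(node.text.split())  # tolerate line-wrapped base64
        not_before, not_after = _validity(x509.load_der_x509_certificate(base64.b64decode(b64)))
        if not_before <= now <= not_after:  # expired or not-yet-valid entries are dropped here
            usable.append(b64)
    return usable


def make_self_signed_cert_b64(days_until_expiry):
    """Constructed fixture: a self-signed cert that expires `days_until_expiry` days from now."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "ADFS Signing - example")])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=400))
            .not_valid_after(now + timedelta(days=days_until_expiry))
            .sign(key, hashes.SHA256()))
    return base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()


def build_metadata(cert_b64_list):
    """Constructed minimal FederationMetadata.xml using the RoleDescriptor layout ADFS publishes."""
    keys = "".join(f"<md:KeyDescriptor use='signing'><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                   f"{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
                   for c in cert_b64_list)
    return ("<md:EntityDescriptor xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata' "
            "xmlns:ds='http://www.w3.org/2000/09/xmldsig#' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>"
            f"<md:RoleDescriptor xsi:type='fed:SecurityTokenServiceType'>{keys}</md:RoleDescriptor></md:EntityDescriptor>")
```

With the active and the expired certificate from the screenshot both listed in the metadata, only the active one is returned, which is what the verifier should be given.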

Thank you for opening an issue. Would you be able to create a PR to fix this?