[BUG]: keyInfo usage #375
Comments
Thanks for flagging this. This was also picked up by another user and discussed in #399. The user pointed out that there is a viable workaround in this comment. tldr: consider doing the following to declare
4.x introduced a breaking change where we now adhere to section 3.2.2 of W3C's XML Signature Syntax and Processing (Second Edition) [1], i.e., if a certificate is present in the KeyInfo element of an XML document, we will use that for validation.
By that logic you should also resolve the https://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-pr-x509TokenProfile-01.htm
Feel free to submit a PR.
Is your feature request related to a problem? Please describe...
I have just updated to version 4 and am confused by the validateSignatureValue function.
I have a duplicated <KeyInfo> inside SamlRequest and SamlMetadata, similar to the Okta example at http://saml.oktadev.com/. That means that the loadSignature function will initialize this.keyInfo with the request key, and validateSignatureValue will use it in preference to the metadata certificate, without any option to choose another behavior.
Describe the solution you'd like...
Another order of keys.
Describe the alternatives you've considered...
Configurable keyInfo
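The trust decision this thread is about, as an added example that is not part of the issue or of xml-crypto: before a certificate embedded in KeyInfo is allowed to drive validation, require it to be byte-identical to a certificate from trusted metadata. The function names, the sample document and the placeholder certificate bytes are all constructed for illustration.

```javascript
// Added example: pin the certificate embedded in <KeyInfo> to trusted metadata.
// All names here are hypothetical; this is not xml-crypto code.

// Constructed placeholder bytes standing in for DER certificates (not real X.509).
const METADATA_CERT = Buffer.from("constructed metadata certificate bytes").toString("base64");
const UNKNOWN_CERT = Buffer.from("constructed unknown certificate bytes").toString("base64");

// Constructed sample document carrying one certificate in ds:KeyInfo.
const sampleDoc = (b64) =>
  '<Response><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' +
  `<ds:KeyInfo><ds:X509Data><ds:X509Certificate>${b64}</ds:X509Certificate>` +
  "</ds:X509Data></ds:KeyInfo></ds:Signature></Response>";

// Decode a PEM block or a bare base64 body into DER bytes.
function certToDer(pemOrBase64) {
  const b64 = pemOrBase64
    .replace(/-----(BEGIN|END) CERTIFICATE-----/g, "")
    .replace(/\s+/g, "");
  return Buffer.from(b64, "base64");
}

// Collect every X509Certificate inside any KeyInfo element, whatever its prefix.
// A regex keeps the example dependency-free; real code should read these nodes
// from the same parsed DOM that the signature verifier works on.
function keyInfoCerts(xml) {
  const keyInfoRe = /<((?:[\w.-]+:)?)KeyInfo\b[^>]*>([\s\S]*?)<\/\1KeyInfo>/g;
  const certRe = /<((?:[\w.-]+:)?)X509Certificate\b[^>]*>([\s\S]*?)<\/\1X509Certificate>/g;
  const certs = [];
  for (const ki of xml.matchAll(keyInfoRe)) {
    for (const c of ki[2].matchAll(certRe)) certs.push(certToDer(c[2]));
  }
  return certs;
}

// Decide which certificate may verify the signature. An embedded certificate
// is accepted only if it is byte-identical to one from trusted metadata.
function chooseVerificationCert(xml, trustedCerts) {
  const trusted = trustedCerts.map(certToDer);
  const embedded = keyInfoCerts(xml);
  if (embedded.length === 0) {
    return trusted.length === 1
      ? { ok: true, source: "metadata", der: trusted[0] }
      : { ok: false, reason: "no KeyInfo certificate and metadata is ambiguous" };
  }
  if (!embedded.every((der) => trusted.some((t) => t.equals(der)))) {
    return { ok: false, reason: "KeyInfo certificate not found in trusted metadata" };
  }
  return { ok: true, source: "keyinfo-pinned", der: embedded[0] };
}
```

Run the check before the document reaches the signature verifier, so a message whose embedded certificate is not in metadata is rejected regardless of which key the verifier would prefer.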