[openid-specs-rande] SAML to OIDC mapping specification
Paul Millar
paul.millar at desy.de
Thu Mar 11 10:17:52 UTC 2021
Hi all,
On 10/03/2021 14:10, Mischa Salle wrote:
> On Wed, Mar 10, 2021 at 01:50:32PM +0100, Niels van Dijk wrote:
>> On 10-03-2021 13:29, Etienne Dysli Metref wrote:
>>> On 09.03.21 13:07, Ivan Kanakarakis wrote:
[...]
>>>> then why don't we define both forms as equivalent (aliases)
[...]
>>> Absolutely! :D This gives every side their favourite naming convention.
[...]
>> I totally disagree: we will pay dearly for having an ambiguous
>> specification and will pay the price in support cost, additional complexity,
>> implementors making errors, etc.
[...]
>
> I fully agree with Niels. We should absolutely not allow both in one
> spec. It will be confusing, expensive to maintain and expensive on a
> performance level.
+1
Another aspect (hinted at by Niels) is that this would allow a token to
have inconsistent information. If the same assertion appears twice (as
camelCase and as snake_case), the values could be different. The
behaviour, under such circumstances, could be undefined and therefore
implementation-specific.
Such inconsistencies can even result in security vulnerabilities.
Consider "HTTP request smuggling"[1] as a cautionary tale. This is a
class of vulnerabilities that stems from HTTP providing two ways of
describing how the entity is encoded. When the request is inconsistent
the behaviour is undefined and implementation-specific, and (under
certain circumstances) may be used to "smuggle" a request past a
reverse-proxy and target a back-end system.
HTH,
Paul.
[1] https://en.wikipedia.org/wiki/HTTP_request_smuggling
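As an added illustration of Paul's point (example code written here, not from the thread or the draft specification): two lenient token consumers, one keeping the first spelling of a claim it sees and one the last, silently disagree on the value of the same claim, while a strict normaliser rejects the inconsistent token. The alias pairs and the token payload are constructed for the example.

```python
# Added example: aliased claim names (camelCase and snake_case) in one token
# give implementation-specific results unless the inconsistency is rejected.
import json

# Assumed alias pairs for illustration only; not the mapping the thread debates.
ALIASES = {
    "eduPersonPrincipalName": "edu_person_principal_name",
    "voPersonExternalID": "vo_person_external_id",
}


def _canonical(name):
    """Map either spelling of a claim to its canonical (snake_case) name."""
    return ALIASES.get(name, name)


def lenient_first_wins(claims):
    """Implementation A: the first spelling encountered is kept."""
    out = {}
    for key, value in claims.items():
        out.setdefault(_canonical(key), value)
    return out


def lenient_last_wins(claims):
    """Implementation B: a later spelling overwrites an earlier one."""
    out = {}
    for key, value in claims.items():
        out[_canonical(key)] = value
    return out


class AmbiguousClaimError(ValueError):
    """Raised when one claim carries different values under two spellings."""


def strict_normalize(claims):
    """Accept either spelling, but refuse a token in which the same claim
    appears under both spellings with conflicting values."""
    out = {}
    for key, value in claims.items():
        canon = _canonical(key)
        if canon in out and out[canon] != value:
            raise AmbiguousClaimError(
                f"conflicting values for {canon!r}: {out[canon]!r} vs {value!r}")
        out[canon] = value
    return out


# Constructed payload: the same claim appears under both spellings.
CONSTRUCTED_PAYLOAD = json.loads(
    '{"sub": "1234", "eduPersonPrincipalName": "alice@example.org",'
    ' "edu_person_principal_name": "bob@example.org"}')
```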