SAML 2.0 up-party redirect binding only validate the certificate that…

… can verify the signature. This has previously been changed for post bindings. Accept to process claim values up to 10,000 characters. Internal created claim and formats up to 4,000 characters.
ITfoxtec · Nov 10, 2023 · ffb5366 · ffb5366
1 parent 9a28831
commit ffb5366
Show file tree

Hide file tree

Showing 12 changed files with 21 additions and 18 deletions.
diff --git a/src/FoxIDs.Control/FoxIDs.Control.csproj b/src/FoxIDs.Control/FoxIDs.Control.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net7.0</TargetFramework>
-		<Version>1.1.4.0</Version>
+		<Version>1.1.5.0</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

diff --git a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net7.0</TargetFramework>
-		<Version>1.1.4.0</Version>
+		<Version>1.1.5.0</Version>
 		<RootNamespace>FoxIDs.Client</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

diff --git a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net7.0</TargetFramework>
-		<Version>1.1.4.0</Version>
+		<Version>1.1.5.0</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

diff --git a/src/FoxIDs.Shared/FoxIDs.Shared.csproj b/src/FoxIDs.Shared/FoxIDs.Shared.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net7.0</TargetFramework>
-		<Version>1.1.4.0</Version>
+		<Version>1.1.5.0</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>

diff --git a/src/FoxIDs.Shared/Models/Tracks/ClaimAndValues.cs b/src/FoxIDs.Shared/Models/Tracks/ClaimAndValues.cs
@@ -21,9 +21,9 @@ public class ClaimAndValues : IValidatableObject
         public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
         {
             var results = new List<ValidationResult>();
-            if (Claim.Length > Constants.Models.Claim.ValueLength)
+            if (Claim.Length > Constants.Models.Claim.ProcessValueLength)
             {
-                results.Add(new ValidationResult($"Claim '{Claim}' value is too long, maximum length of '{Constants.Models.Claim.ValueLength}'."));
+                results.Add(new ValidationResult($"Claim '{Claim}' value is too long, maximum length of '{Constants.Models.Claim.ProcessValueLength}'."));
             }
             return results;
         }

diff --git a/src/FoxIDs.SharedBase/Constants.cs b/src/FoxIDs.SharedBase/Constants.cs
@@ -293,7 +293,10 @@ public static class Claim
                 /// <summary>
                 /// JWT and SAML claim value max length.
                 /// </summary>
-                public const int ValueLength = 8000;
+                public const int ValueLength = 4000;
+                public const int ProcessValueLength = 10000;
+
+                public const int IdTokenLimitedHintValueLength = 8000;
 
                 public const int MapIdLength = 90;
                 public const int MapMin = 0;

diff --git a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj
@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net7.0</TargetFramework>
-		<Version>1.1.4.0</Version>
+		<Version>1.1.5.0</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
@@ -11,7 +11,7 @@
 
 	<ItemGroup>
 		<PackageReference Include="ITfoxtec.Identity" Version="2.5.34" />
-		<PackageReference Include="ITfoxtec.Identity.Saml2" Version="4.10.3" />
+		<PackageReference Include="ITfoxtec.Identity.Saml2" Version="4.10.4" />
 		<PackageReference Include="Microsoft.AspNetCore.Components.DataAnnotations.Validation" Version="3.2.0-rc1.20223.4" />
 		<PackageReference Include="System.Net.Http.Json" Version="7.0.1" />
 	</ItemGroup>

diff --git a/src/FoxIDs/FoxIDs.csproj b/src/FoxIDs/FoxIDs.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 	<PropertyGroup>
 		<TargetFramework>net7.0</TargetFramework>
-		<Version>1.1.4.0</Version>
+		<Version>1.1.5.0</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>ITfoxtec</Company>
@@ -31,7 +31,7 @@
 		<PackageReference Include="Azure.Identity" Version="1.10.3" />
 		<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.5.1" />
 		<PackageReference Include="GoogleAuthenticator" Version="3.1.1" />
-		<PackageReference Include="ITfoxtec.Identity.Saml2.MvcCore" Version="4.10.3" />
+		<PackageReference Include="ITfoxtec.Identity.Saml2.MvcCore" Version="4.10.4" />
 		<PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
 		<PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis" Version="7.0.12" />
 		<PackageReference Include="Microsoft.AspNetCore.Cryptography.KeyDerivation" Version="7.0.12" />

diff --git a/src/FoxIDs/Logic/Oidc/OidcRpInitiatedLogoutDownLogic.cs b/src/FoxIDs/Logic/Oidc/OidcRpInitiatedLogoutDownLogic.cs
@@ -61,7 +61,7 @@ public async Task<IActionResult> EndSessionRequestAsync(string partyId)
 
             try
             {
-                if (party.Client.ResponseMode == IdentityConstants.ResponseModes.Query && rpInitiatedLogoutRequest.IdTokenHint?.Count() > Constants.Models.Claim.ValueLength)
+                if (party.Client.ResponseMode == IdentityConstants.ResponseModes.Query && rpInitiatedLogoutRequest.IdTokenHint?.Count() > Constants.Models.Claim.IdTokenLimitedHintValueLength)
                 {
                     throw new Exception("The ID Token hint length is close to the maximum allowed limit and may be truncated. If this happens the ID Token become invalid and is not accepted.");
                 }

diff --git a/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs b/src/FoxIDs/Logic/Saml/SamlAuthnUpLogic.cs
@@ -317,9 +317,9 @@ private IEnumerable<Claim> ValidateClaims(SamlUpParty party, IEnumerable<Claim>
                     throw new SamlRequestException($"Claim '{claim.Type.Substring(0, Constants.Models.Claim.SamlTypeLength)}' is too long, maximum length of '{Constants.Models.Claim.SamlTypeLength}'.") { RouteBinding = RouteBinding, Status = Saml2StatusCodes.Responder };
                 }
 
-                if (claim.Value?.Length > Constants.Models.Claim.ValueLength)
+                if (claim.Value?.Length > Constants.Models.Claim.ProcessValueLength)
                 {
-                    throw new SamlRequestException($"Claim '{claim.Type}' value is too long, maximum length of '{Constants.Models.Claim.ValueLength}'.") { RouteBinding = RouteBinding, Status = Saml2StatusCodes.Responder };
+                    throw new SamlRequestException($"Claim '{claim.Type}' value is too long, maximum length of '{Constants.Models.Claim.ProcessValueLength}'.") { RouteBinding = RouteBinding, Status = Saml2StatusCodes.Responder };
                 }
             }
             return claims;

diff --git a/src/FoxIDs/Logic/Tracks/ClaimValidationLogic.cs b/src/FoxIDs/Logic/Tracks/ClaimValidationLogic.cs
@@ -31,9 +31,9 @@ public List<Claim> ValidateUpPartyClaims(List<string> upPartyClaims, List<Claim>
                     throw new OAuthRequestException($"Claim '{claim.Type.Substring(0, Constants.Models.Claim.JwtTypeLength)}' is too long, maximum length of '{Constants.Models.Claim.JwtTypeLength}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidToken };
                 }
 
-                if (claim.Value?.Length > Constants.Models.Claim.ValueLength)
+                if (claim.Value?.Length > Constants.Models.Claim.ProcessValueLength)
                 {
-                    throw new OAuthRequestException($"Claim '{claim.Type}' value is too long, maximum length of '{Constants.Models.Claim.ValueLength}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidToken };
+                    throw new OAuthRequestException($"Claim '{claim.Type}' value is too long, maximum length of '{Constants.Models.Claim.ProcessValueLength}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidToken };
                 }
             }
             return claims;

diff --git a/src/FoxIDs/Logic/Tracks/ClaimsDownLogic.cs b/src/FoxIDs/Logic/Tracks/ClaimsDownLogic.cs
@@ -190,9 +190,9 @@ private List<Claim> TruncateJwtClaimValues(IEnumerable<Claim> jwtClaims)
             var truncateClaims = new List<Claim>();
             foreach (var claim in jwtClaims)
             {
-                if (claim.Value?.Length > Constants.Models.Claim.ValueLength)
+                if (claim.Value?.Length > Constants.Models.Claim.ProcessValueLength)
                 {
-                    truncateClaims.AddClaim(claim.Type, claim.Value.Substring(0, Constants.Models.Claim.ValueLength), claim.ValueType, claim.Issuer);
+                    truncateClaims.AddClaim(claim.Type, claim.Value.Substring(0, Constants.Models.Claim.ProcessValueLength), claim.ValueType, claim.Issuer);
                 }
                 else
                 {
-Original file line number
+Diff line change
@@ Expand Up @@
                 try
                 {
-                    if (party.Client.ResponseMode == IdentityConstants.ResponseModes.Query && rpInitiatedLogoutRequest.IdTokenHint?.Count() > Constants.Models.Claim.ValueLength)
+                    if (party.Client.ResponseMode == IdentityConstants.ResponseModes.Query && rpInitiatedLogoutRequest.IdTokenHint?.Count() > Constants.Models.Claim.IdTokenLimitedHintValueLength)
                     {
                         throw new Exception("The ID Token hint length is close to the maximum allowed limit and may be truncated. If this happens the ID Token become invalid and is not accepted.");
                     }
@@ Expand Down @@