Prevent panic caused by IDP-initiated login (crewjam#183)

* - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link. - Guard against an IDP-initiated request that may not have the request ID in the claims. - Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed. * Only address the panic in IDP-initiated login (#1) This change undoes some of the changes made in 4908b26, to just address the panic for IDP-initiated logins. I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP.
lightstep · Oct 29, 2019 · 72834b5 · 72834b5
1 parent b20013a
commit 72834b5
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/samlsp/middleware.go b/samlsp/middleware.go
@@ -186,11 +186,13 @@ func (m *Middleware) getPossibleRequestIDs(r *http.Request) []string {
 			m.ServiceProvider.Logger.Printf("... invalid token %s", err)
 			continue
 		}
+		// If IDP initiated requests are allowed, then we can expect an empty response ID.
 		claims := token.Claims.(jwt.MapClaims)
-		rv = append(rv, claims["id"].(string))
+		if id, ok := claims["id"]; ok {
+			rv = append(rv, id.(string))
+		}
 	}
 
-	// If IDP initiated requests are allowed, then we can expect an empty response ID.
 	if m.AllowIDPInitiated {
 		rv = append(rv, "")
 	}