From 72834b567519a944347735b6373af08303bd98d5 Mon Sep 17 00:00:00 2001
From: Praneet Loke <1466314+praneetloke@users.noreply.github.com>
Date: Tue, 29 Oct 2019 07:26:47 -0700
Subject: [PATCH] Prevent panic caused by IDP-initiated login (#183)

* - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link. - Guard against an IDP-initiated request that may not have the request ID in the claims. - Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed.

* Only address the panic in IDP-initiated login (#1)

This change undoes some of the changes made in 4908b2671cdbd0cc707f66eadcc570c438d8919e, to just address the panic for IDP-initiated logins. I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP.
---
 samlsp/middleware.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/samlsp/middleware.go b/samlsp/middleware.go
index af878934..54261666 100644
--- a/samlsp/middleware.go
+++ b/samlsp/middleware.go
@@ -186,11 +186,13 @@ func (m *Middleware) getPossibleRequestIDs(r *http.Request) []string {
 			m.ServiceProvider.Logger.Printf("... invalid token %s", err)
 			continue
 		}
+		// If IDP initiated requests are allowed, then we can expect an empty response ID.
 		claims := token.Claims.(jwt.MapClaims)
-		rv = append(rv, claims["id"].(string))
+		if id, ok := claims["id"]; ok {
+			rv = append(rv, id.(string))
+		}
 	}
-	// If IDP initiated requests are allowed, then we can expect an empty response ID.
 	if m.AllowIDPInitiated {
 		rv = append(rv, "")
 	}
 
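Review bot: The added `if id, ok := claims["id"]; ok {` only guards against a missing claim; `id.(string)` on the next line is still an unchecked type assertion, so a validly signed token whose `id` claim is present but not a string (if the claims were decoded via encoding/json, a JSON number arrives as float64 and `null` as nil) still reaches a panic inside the request handler. Folding the type check into the same step closes that path: `if id, ok := claims["id"].(string); ok {` with `rv = append(rv, id)` in the body. The relocated comment about an empty response ID now sits above the claims lookup instead of the `AllowIDPInitiated` block it describes; keeping it with that block, or rewording the copy in the loop to `// A token minted for an IDP-initiated login carries no request id; skip rather than panic.`, would match what the new code does. Whether such a token can actually be issued depends on code outside this hunk, so treat this as hardening of a handler that already panicked on malformed input rather than a reproduced crash. The enclosing loop and `getPossibleRequestIDs` itself begin before the hunk and the function's return follows it.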