[BUG] Callback URL switches from https to http
newmanw opened this issue
To Reproduce
When using the path attribute to configure SAML, the callback URL generated is http, not https. This seems to be a regression from a previous version.
```js
const passport = require("passport");
const { Strategy: SamlStrategy } = require("passport-saml");

passport.use(
  new SamlStrategy(
    {
      path: "/login/callback", // if req is https, the generated url passed to saml server will be http
      entryPoint:
        "https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php",
      issuer: "passport-saml",
      cert: "fake cert", // cert must be provided
    },
    // signon verify callback (added so the snippet is complete; the original omitted it)
    (profile, done) => done(null, profile),
    // logout verify callback
    (profile, done) => done(null, profile)
  )
);
```
Expected behavior
Use same protocol as request
Environment
- Node.js version: 18+
- passport-saml version: 4.0.4
- Express: 4.18.2
This is a duplicate of:
The issue was addressed in a PR that was released in version 5.0.0 (the link points to a comment that discusses how it could be fixed):
Also a related issue (about the path parameter):
Either way, passport-saml (actually node-saml, at the heart of passport-saml) is not in the business of building URLs anymore, as the maintainer of the project states in the comment #909 (comment).
FWIW: If you experienced this issue today, it means that you updated from passport-saml 2.x or earlier to 4.0.4 (because the issue that you reported surfaced in version 3.x).
Be aware that passport-saml versions < 3.2.2 (and certain 4.x versions) had this authentication bypass vulnerability:
which was actually a vulnerability in one of the dependencies:
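As an added example, not code from the issue or from the passport-saml/node-saml project, the configuration below shows the practical consequence of "not in the business of building URLs anymore": the application supplies a fixed https callback URL itself instead of relying on a request-derived `path`, and checks that value at startup. It also shows why the request-derived URL comes out as http behind a TLS-terminating proxy. Assumptions that are this example's own, not taken from the page: the option name `callbackUrl` (check it against the installed passport-saml/node-saml version), the environment variable names, the host `app.example.com`, and the stand-in request object.

```javascript
// Added example, not code from the issue or from passport-saml/node-saml.
// The operator supplies a fixed https callbackUrl and the app validates it
// at boot, instead of letting the library derive the URL from the request.

// What a request-derived callback URL looks like. `req` is a constructed
// stand-in for an Express request exposing `protocol` and `get("host")`.
// Behind a TLS-terminating proxy, req.protocol is "http" unless Express's
// `trust proxy` setting is enabled and the proxy sends X-Forwarded-Proto,
// which is how the http URL in the report arises.
function requestDerivedCallbackUrl(req, path) {
  return `${req.protocol}://${req.get("host")}${path}`;
}

// Validate an operator-supplied callback URL: absolute, https, and on the
// host we expect, so a misconfigured value fails at startup rather than
// producing an AuthnRequest that points the IdP at an http endpoint.
function checkCallbackUrl(callbackUrl, expectedHost) {
  let url;
  try {
    url = new URL(callbackUrl);
  } catch (err) {
    throw new Error(`callbackUrl is not an absolute URL: ${callbackUrl}`);
  }
  if (url.protocol !== "https:") {
    throw new Error(`callbackUrl must use https, got ${url.protocol}`);
  }
  if (url.host !== expectedHost) {
    throw new Error(`callbackUrl host ${url.host} does not match expected ${expectedHost}`);
  }
  return url.href;
}

// Build the strategy options from the environment. `callbackUrl` is the
// explicit option that replaces `path` (assumption: verify the option name
// against the installed version). The env variable names are this example's own.
function samlStrategyOptions(env) {
  return {
    callbackUrl: checkCallbackUrl(env.SAML_CALLBACK_URL, env.SAML_EXPECTED_HOST),
    entryPoint: "https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php",
    issuer: "passport-saml",
    cert: env.SAML_IDP_CERT, // IdP signing certificate (PEM body)
  };
}

// Wiring into passport, left as a comment so this file runs without the
// dependency installed:
//   const { Strategy: SamlStrategy } = require("passport-saml");
//   passport.use(new SamlStrategy(samlStrategyOptions(process.env), verify, logoutVerify));

module.exports = { requestDerivedCallbackUrl, checkCallbackUrl, samlStrategyOptions };
```

If the application itself still needs `req.protocol` for other purposes behind a proxy, the Express-side fix is `app.set("trust proxy", ...)` scoped to the proxy's address, so that `X-Forwarded-Proto` is honoured only from that hop; the SAML callback URL should nevertheless stay a static configuration value rather than anything read from request headers.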