This repository was archived by the owner on Jul 1, 2024. It is now read-only.

Code is posting form back to url specified in configuration, not to the url you are on #37

@ericdbarry

We have a SAML flow that starts with a landing URL that sets some specific session metadata and then re-routes you to the real login form. This is causing issues, specifically with the code in the method: GenericFormsBasedAuthenticator._retrieve_login_form_from_endpoint(endpoint, verify=True)

        response = self._requests_session.get(endpoint, verify=True)
        ....
        form_action = urljoin(endpoint,
                              login_form_html_node.attrib.get('action', ''))

The above code assumes that the page you visited initially is the same URL you are currently on, which is not always true. Regardless, the HTML spec is pretty specific: https://www.w3.org/TR/html52/sec-forms.html#form-submission-algorithm

  1. If action is the empty string, let action be the document’s URL of the form document.

Naively, I just replaced the endpoint with response.url and it worked as expected, but I haven't pored through the rest of the code to see if this would affect another place (like session management?).
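An added example, not code from this issue or from the project, showing how the form's submission target differs when the `action` attribute is resolved against the configured endpoint versus the URL the client actually landed on after the redirect. The URLs, HTML and the `check_post_target` host allowlist are constructed assumptions; the allowlist is one way to keep credentials from being posted to an unexpected host once redirects are followed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FirstFormAction(HTMLParser):
    """Records the action attribute of the first <form> in a document."""
    def __init__(self):
        super().__init__()
        self.found = False
        self.action = ""

    def handle_starttag(self, tag, attrs):
        if tag == "form" and not self.found:
            self.found = True
            self.action = dict(attrs).get("action") or ""

def resolve_form_action(base_url, html):
    """Resolve the first form's action against base_url.
    An empty action yields base_url itself. <base href> is ignored here."""
    parser = _FirstFormAction()
    parser.feed(html)
    if not parser.found:
        raise ValueError("no <form> in document")
    return urljoin(base_url, parser.action)

def check_post_target(url, allowed_hosts):
    """Hypothetical guard: only post credentials over HTTPS to an expected host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise ValueError(f"refusing to post credentials to {url}")
    return url

# Constructed scenario: the configured landing URL redirects to the real login page.
CONFIGURED_ENDPOINT = "https://sso.example.com/landing?app=aws"
FINAL_URL = "https://sso.example.com/auth/login?session=abc"  # value of response.url
EMPTY_ACTION_HTML = '<form method="post" action=""><input name="user"></form>'
RELATIVE_ACTION_HTML = '<form method="post" action="submit"></form>'

def demo():
    allowed = {"sso.example.com"}
    return {
        "empty_vs_endpoint": resolve_form_action(CONFIGURED_ENDPOINT, EMPTY_ACTION_HTML),
        "empty_vs_final": check_post_target(
            resolve_form_action(FINAL_URL, EMPTY_ACTION_HTML), allowed),
        "relative_vs_endpoint": resolve_form_action(CONFIGURED_ENDPOINT, RELATIVE_ACTION_HTML),
        "relative_vs_final": check_post_target(
            resolve_form_action(FINAL_URL, RELATIVE_ACTION_HTML), allowed),
    }

if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name}: {url}")
```

Resolving against the configured endpoint sends the form back to the landing URL, while resolving against the final URL targets the login page the form was actually served from.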
