
Discussion about handling 500 error on an invalid assertion


One thing we hit was that our VM time got off from the idp, and thus the “NotBefore” option in the assertion caused pysaml2 to throw an exception like so:

base Internal Server Error: /saml2/acs/
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/django/core/handlers/base.py", line 112, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/lib/python2.6/site-packages/django/views/decorators/http.py", line 41, in inner
    return func(request, *args, **kwargs)
  File "/usr/lib/python2.6/site-packages/django/views/decorators/csrf.py", line 57, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/djangosaml2/views.py", line 214, in assertion_consumer_service
    outstanding_queries)
  File "/usr/lib/python2.6/site-packages/saml2/client_base.py", line 584, in parse_authn_request_response
    binding, **kwargs)
  File "/usr/lib/python2.6/site-packages/saml2/entity.py", line 1163, in _parse_response
    response = response.verify(keys)
  File "/usr/lib/python2.6/site-packages/saml2/response.py", line 1007, in verify
    if self.parse_assertion(keys):
  File "/usr/lib/python2.6/site-packages/saml2/response.py", line 921, in parse_assertion
    if not self._assertion(assertion, False):
  File "/usr/lib/python2.6/site-packages/saml2/response.py", line 795, in _assertion
    if not self.condition_ok():
  File "/usr/lib/python2.6/site-packages/saml2/response.py", line 590, in condition_ok
    validate_before(conditions.not_before, self.timeslack)
  File "/usr/lib/python2.6/site-packages/saml2/validate.py", line 106, in validate_before
    now))
ToEarly: Can't use it yet 1472570331 <= 1472556539

This is using the latest released version of pysaml2.

My concern about this is that just throwing a 500 error is not very descriptive during a login process, and while you can override the default django 500 error view that seems like a workaround.

What seems like the best option is to catch exceptions from the call to pysaml2’s assertion_consumer_service, and then display a failed login view and probably allow the override of that view or something.

Thoughts?
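The clock-skew check behind the ToEarly exception in the traceback, together with the error mapping the post proposes, as an added example that is not code from pysaml2, djangosaml2 or the issue's author. The function and exception names (validate_before, ToEarly) mirror the pysaml2 validate.py frames in the traceback, but the bodies, the ResponseLifetimeExceed counterpart, the assertion_consumer_service stand-in and the conditions dict are assumptions; the two epoch values are the ones printed in the traceback, used here as constructed sample input.

```python
import calendar
import logging
import time

log = logging.getLogger("saml.acs")

# Assumption: the allowed skew is a deployment choice; 0 means no tolerance at all.
DEFAULT_SLACK = 0


class ToEarly(Exception):
    """NotBefore lies further in the future than the allowed slack."""


class ResponseLifetimeExceed(Exception):
    """NotOnOrAfter lies further in the past than the allowed slack."""


def saml_time_to_epoch(value):
    """xs:dateTime in UTC ('2016-08-30T15:18:51Z') -> integer epoch seconds."""
    if isinstance(value, int):
        return value
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))


def validate_before(not_before, slack, now):
    """Reject if the assertion is not valid yet, allowing `slack` seconds of skew."""
    if not not_before:
        return True
    nbefore = saml_time_to_epoch(not_before)
    if nbefore > now + slack:
        # Same message shape as the traceback: "Can't use it yet <NotBefore> <= <now>"
        raise ToEarly("Can't use it yet %d <= %d" % (nbefore, now))
    return True


def validate_on_or_after(not_on_or_after, slack, now):
    """Reject if the assertion has expired, allowing `slack` seconds of skew."""
    if not not_on_or_after:
        return True
    nafter = saml_time_to_epoch(not_on_or_after)
    if now > nafter + slack:
        raise ResponseLifetimeExceed("Can't use it, it's too old %d < %d" % (nafter, now))
    return True


def clock_skew_seconds(not_before, now):
    """How far the SP clock would have to move forward to accept the assertion (0 if none)."""
    return max(0, saml_time_to_epoch(not_before) - now)


def assertion_consumer_service(conditions, now=None, slack=DEFAULT_SLACK):
    """Constructed stand-in for an ACS view. Returns (http_status, body).

    A time-window failure is a property of the request (or of the SP's own
    clock), so it becomes a 400 with a generic login-error body; the detail
    goes to the server log only. Anything unexpected still propagates as a 500.
    """
    now = int(time.time()) if now is None else now
    try:
        validate_before(conditions.get("NotBefore"), slack, now)
        validate_on_or_after(conditions.get("NotOnOrAfter"), slack, now)
    except (ToEarly, ResponseLifetimeExceed) as exc:
        skew = clock_skew_seconds(conditions.get("NotBefore") or now, now)
        log.warning("SAML assertion rejected (SP clock behind by %ds): %s", skew, exc)
        return 400, "Login failed: the identity provider's response was not accepted."
    return 200, "login ok"


if __name__ == "__main__":
    # Constructed sample matching the traceback's figures: NotBefore = 1472570331,
    # SP clock = 1472556539, i.e. the SP is about 3 h 50 min behind the IdP.
    conditions = {"NotBefore": "2016-08-30T15:18:51Z",
                  "NotOnOrAfter": "2016-08-30T15:23:51Z"}
    print(assertion_consumer_service(conditions, now=1472556539))  # 400, login failed
    print(assertion_consumer_service(conditions, now=1472570400))  # 200, login ok
```

Two points worth noting from the design: widening the slack makes every assertion acceptable for longer, so the fix for a drifting VM clock is time synchronisation on the SP, not a bigger window; and the timestamps stay in the server log rather than in the response body, so the client learns only that the login failed, which is the information-disclosure concern raised later in the thread.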

Issue Analytics

  • State:closed
  • Created 7 years ago
  • Comments:10 (3 by maintainers)

Top GitHub Comments

1 reaction
liquidpele commented, Sep 2, 2016

Yea, I respectfully disagree 😃 A 500 error is an internal application error and this is a validation thing. I think a correct response would be something like a 400.

The apology page is what I’d like to make, but I think a login apology page is different than a normal generic “something went wrong” page. However, your comment about giving away too much information is a good one. We’ll discuss and any new code that comes out of it we’ll send you as a PR.

0 reactions
knaperek commented, Aug 15, 2017

Alright, since now we already do make use of a custom djangosaml2/login_error.html template, I’ve extended the coverage to apply to these cases (wrong timestamp/clock skew) as well.
