
List:       shibboleth-users
Subject:    Re: JSON dictionary in the Relay State parameter
From:       "Cantor, Scott via users" <users () shibboleth ! net>
Date:       2024-03-27 12:39:34
Message-ID: DD5E606B-ABAD-4BFE-A59D-50932DB0531E () osu ! edu

> They might be "clear and simple," except they flatly contradict you on this point. Own it—I say this because I am sick of being patronized and condescended to on this list. See below for a direct quote from the Errata.

And I'm tired of being accused of this when all I did was answer a question for free.

What you think is "rude" is me being as concise and brief as possible because *I am not paid to help people here* and I don't have time for it, I have 3 full time jobs at this point. If you'd prefer "overly polite, long-winded, and wrong", that's not me.

> This caution applies to both identity and service provider implementations.

Unfortunately, that's simply not the case in general. The only sense in which it could be seen to be applicable is for IdP-initiated SSO in a case where the IdP is making up its own value, which is not a suggested or interoperable practice. For the normal flow, there's nothing the IdP can do with the value from the SP, no sanitization is possible by that point. I can see how an implementer would mistake that, but only by ignoring the plain language from the original spec:

"and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response"

Unfortunate, but mistakes happen, even when trying to fix other mistakes or omissions. That particular errata is a good example of "well intentioned, bad idea". There were lots of things left out of the standard that were really implementation guidelines, and afterwards there were a lot of people clamoring for that, but nobody willing to do any. So a lot of small issues got handled with errata by adding more guidance to the spec, often hastily and not always well-written. It's very hard to express technical writing as a "diff" of an original.

-- Scott


-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
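The practical consequence of the point made in this reply, as an added example that is not part of the thread and not Shibboleth SP code: because the IdP must echo RelayState byte-for-byte, the SP is the only party that can validate it. So rather than sending a JSON dictionary as RelayState, the SP keeps the state server-side and sends an opaque token; on return, the echoed value is treated as untrusted input and matched exactly against what was issued. The class and method names (RelayStateStore, issue, consume), the TTL and the sample state are assumptions made for the example; the 80-byte bound is the RelayState length limit from the SAML 2.0 Bindings specification.

```python
"""Added example, not from the Shibboleth project or this mailing list thread.

An SP-side RelayState handler: state lives on the server, only an opaque
single-use token is sent to the IdP, and the echoed value is validated and
matched before it is used for anything. Names and limits are assumptions.
"""
import json
import secrets
import time
from typing import Optional

# SAML 2.0 Bindings caps RelayState at 80 bytes; enforce it on the way back in
# so an oversized echo is rejected instead of inspected.
MAX_RELAYSTATE_BYTES = 80


class RelayStateStore:
    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing expiry
        self._pending: dict = {}     # token -> (expiry timestamp, JSON payload)

    def issue(self, state: dict) -> str:
        """Store the JSON state server-side and return the opaque token to send
        as RelayState. The token is only a lookup key; it carries nothing that
        a browser or IdP could alter to change the SP's behaviour."""
        token = secrets.token_urlsafe(32)  # 43 URL-safe chars, under 80 bytes
        self._pending[token] = (self._clock() + self._ttl, json.dumps(state))
        return token

    def consume(self, echoed: Optional[str]) -> Optional[dict]:
        """Validate the RelayState echoed by the IdP and return the stored
        state, or None if it is missing, oversized, unknown or expired.
        Tokens are single-use, so a second response with the same value
        gets nothing."""
        if not echoed:
            return None
        if len(echoed.encode("utf-8")) > MAX_RELAYSTATE_BYTES:
            return None
        # Exact-match lookup only: the value is never parsed as JSON or a URL,
        # so a raw dictionary or arbitrary string sent as RelayState is simply
        # an unknown key.
        entry = self._pending.pop(echoed, None)
        if entry is None:
            return None
        expires, payload = entry
        if self._clock() > expires:
            return None
        return json.loads(payload)


if __name__ == "__main__":
    # Constructed sample state standing in for the "JSON dictionary" from the
    # thread subject.
    store = RelayStateStore(ttl_seconds=60)
    token = store.issue({"return": "/app/dashboard", "tab": "reports"})
    print("RelayState sent to IdP:", token)
    print("state on return:", store.consume(token))
    print("replayed token:", store.consume(token))
    print("raw JSON as RelayState:", store.consume('{"return":"/app/dashboard"}'))
```

The IdP-side contract in the quoted spec text is exactly what makes this work: since the value comes back unchanged, an exact-match lookup against what the SP issued is sufficient, and anything else is rejected without being interpreted.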

