Fund: `ProviderConfig._load_federation_metadata` loads expired certificates

The ADFS Server 2012 R2 configuration looks like this:

Please note that the first certificate is active whereas the second one is expired.

The Federation metadata lists both certificates under fed:SecurityTokenServiceType.

Following code loads all certificates including the expired one.

django-auth-adfs/django_auth_adfs/config.py

Lines 295 to 304 in 378f141

    
           # Extract token signing certificates 
        
           xml_tree = ElementTree.fromstring(response.content) 
        
           cert_nodes = xml_tree.findall( 
        
               "./{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor" 
        
               "[@{http://www.w3.org/2001/XMLSchema-instance}type='fed:SecurityTokenServiceType']" 
        
               "/{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor[@use='signing']" 
        
               "/{http://www.w3.org/2000/09/xmldsig#}KeyInfo" 
        
               "/{http://www.w3.org/2000/09/xmldsig#}X509Data" 
        
               "/{http://www.w3.org/2000/09/xmldsig#}X509Certificate") 
        
           signing_certificates = [node.text for node in cert_nodes]

This causes the callback to fail with "Signature verification failed" error.

snok/django-auth-adfs

ProviderConfig._load_federation_metadata loads expired certificates

How does funding with Polar work?

Backer

Contributor

Maintainer

	# Extract token signing certificates
	xml_tree = ElementTree.fromstring(response.content)
	cert_nodes = xml_tree.findall(
	"./{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor"
	"[@{http://www.w3.org/2001/XMLSchema-instance}type='fed:SecurityTokenServiceType']"
	"/{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor[@use='signing']"
	"/{http://www.w3.org/2000/09/xmldsig#}KeyInfo"
	"/{http://www.w3.org/2000/09/xmldsig#}X509Data"
	"/{http://www.w3.org/2000/09/xmldsig#}X509Certificate")
	signing_certificates = [node.text for node in cert_nodes]

snok/django-auth-adfs

ProviderConfig._load_federation_metadata loads expired certificates

How does funding with Polar work?

Backer

Why does "Fund on completion" require GitHub login?

When is the invoice due for "Fund on completion"?

What happens if the issue is never completed?

Do I get any extra benefits by funding?

Do I get progress updates?

Contributor

Do I get a reward?

Is rewards guaranteed?

Maintainer

How can I get funding like this for my open source initiatives?