Move authnRequestSession to symfony sessions#1982
Open
kayjoosten wants to merge 7 commits intofeature/issue-1971-correlation-id-loggingfrom
e92841d to a0096cf
* feat: add NameID lookup API (#1931)

  Two new endpoints on the internal API:
  - POST /info/users/nameid — forward lookup (sho + uid + sp_entityid → nameid)
  - POST /info/users/id — reverse lookup (nameid → sho + uid + sp_entityid)

  Both require ROLE_API_USER_NAMEID_LOOKUP and are feature-flag gated.
* test: add unit, functional and integration tests for NameID lookup API
* Comments
* refactor: merge api.users_nameid and api.users_id into single feature flag api.users_nameid_lookup
* Remove camelCase in parameters
73b3503 to 7e17a65
* Add coin:azure_domain_hint to append whr= on HTTP-Redirect AuthnRequests (#1864)

  When coin:azure_domain_hint is set on an IdP, EngineBlock appends a whr=<domain> query parameter to the HTTP-Redirect URL it sends as the AuthnRequest to that IdP. This allows Microsoft Azure / EntraID to skip the account picker for users whose realm is already known.
  - Add azureDomainHint field + getter to Coins (IdP coins)
  - Add azureDomainHint constructor param to IdentityProvider entity
  - Map metadata:coin:azure_domain_hint in PushMetadataAssembler
  - Append whr= in Bindings::send() HTTP-Redirect branch when IdP has the coin
  - Integration test: azure_domain_hint coin round-trips through PushMetadataAssembler
  - Legacy test: Bindings appends / omits whr= based on coin presence
  - Behat scenario: AzureDomainHint.feature covers the full SSO flow
* fix: use correct URL separator when appending whr= to redirect URL
* fix: check whr= absence at IdP redirect URL in negative Behat scenario

  Added IDP "<name>" prefers HTTP Redirect binding step and used it in the negative scenario so the URL assertion fires at the actual IdP redirect URL rather than at an intermediate EngineBlock page.
* fix: add string type hint to setAzureDomainHintForIdp parameter
* fix: add missing string type hint and improve docblocks and test assertions
* chore: remove useless comments
Introduces three new components to address issue #1971:
- CorrelationId: shared mutable DI service (get/set) that acts as a per-request holder for the active correlation ID
- CorrelationIdRepository: Symfony service backed by the session with three operations:
    mint(requestId) — generate a random ID for an SP request (idempotent)
    link(target, src) — copy the ID to an IdP request ID
    resolve(requestId) — push the stored ID into CorrelationId
  Safely no-ops when no session is available (CLI, unit tests).
- CorrelationIdProcessor: Monolog processor that stamps correlation_id on every log record from the shared CorrelationId service

DI wiring: services.yml registers CorrelationId and CorrelationIdRepository (with @request_stack); logging.yml registers the Monolog processor.
Each HTTP leg resolves the correlation ID at the top of its handler so
every log entry emitted during that leg carries the correct ID:
Leg 1 SSO — mint() + resolve() in SingleSignOn (WAYF path)
mint() + link() + resolve() in ProxyServer (direct path)
Leg 2 ContinueToIdp — resolve() so debug log lines carry the ID;
ProxyServer also calls link() to associate the IdP
request ID with the SP request ID
Leg 3 ACS — resolve() via InResponseTo (IdP request ID)
Leg 4 Consent — resolve() via SP request ID in ProvideConsent and
ProcessConsent
DiContainer exposes getCorrelationIdRepository() as the bridge from
legacy Corto code to the Symfony service.
Includes a Behat feature covering the WAYF path, the direct (no-WAYF)
path, and concurrent flows; and a unit test for
AuthnRequestSessionRepository.
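The mint/link/resolve flow described in this commit message, written out as a self-contained PHP example. This is an added illustration, not code from the EngineBlock repository or from this PR: the `ArraySession` stand-in for Symfony's session, the `correlation_ids` session key, the request IDs and the array-shaped log record are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Stand-in for Symfony's SessionInterface with only get/set (assumed for this example).
final class ArraySession
{
    /** @var array<string, mixed> */
    private array $data = [];

    public function get(string $key, mixed $default = null): mixed
    {
        return $this->data[$key] ?? $default;
    }

    public function set(string $key, mixed $value): void
    {
        $this->data[$key] = $value;
    }
}

// Per-request holder for the active correlation ID (the shared, mutable DI service).
final class CorrelationId
{
    private ?string $id = null;

    public function get(): ?string { return $this->id; }
    public function set(?string $id): void { $this->id = $id; }
}

// Session-backed map of request ID => correlation ID. Session key name is assumed.
final class CorrelationIdRepository
{
    private const SESSION_KEY = 'correlation_ids';

    public function __construct(
        private readonly CorrelationId $holder,
        private readonly ?ArraySession $session, // null when no session exists (CLI, unit tests)
    ) {}

    // Generate a random ID for an SP request ID; a second call for the same ID changes nothing.
    public function mint(string $requestId): void
    {
        if ($this->session === null) { return; }
        $map = $this->session->get(self::SESSION_KEY, []);
        if (!isset($map[$requestId])) {
            $map[$requestId] = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
            $this->session->set(self::SESSION_KEY, $map);
        }
    }

    // Copy the ID stored under $src (SP request ID) to $target (IdP request ID).
    public function link(string $target, string $src): void
    {
        if ($this->session === null) { return; }
        $map = $this->session->get(self::SESSION_KEY, []);
        if (isset($map[$src])) {
            $map[$target] = $map[$src];
            $this->session->set(self::SESSION_KEY, $map);
        }
    }

    // Push the ID stored under $requestId into the shared holder; unknown IDs leave it untouched.
    public function resolve(string $requestId): void
    {
        if ($this->session === null) { return; }
        $map = $this->session->get(self::SESSION_KEY, []);
        if (isset($map[$requestId])) {
            $this->holder->set($map[$requestId]);
        }
    }
}

// Monolog-style processor (array record form): stamps correlation_id on every record.
final class CorrelationIdProcessor
{
    public function __construct(private readonly CorrelationId $holder) {}

    public function __invoke(array $record): array
    {
        $record['extra']['correlation_id'] = $this->holder->get();
        return $record;
    }
}

// Demo: two concurrent SP flows share one browser session; the ACS leg resolves by IdP request ID.
$holder    = new CorrelationId();
$repo      = new CorrelationIdRepository($holder, new ArraySession());
$processor = new CorrelationIdProcessor($holder);

$repo->mint('_sp-req-A');                 // Leg 1, flow A (constructed request IDs)
$repo->mint('_sp-req-B');                 // Leg 1, flow B
$repo->link('_idp-req-A', '_sp-req-A');   // Leg 2: associate IdP request with SP request
$repo->link('_idp-req-B', '_sp-req-B');

$repo->resolve('_idp-req-B');             // Leg 3: flow B's response arrives first (InResponseTo)
$recordB = $processor(['message' => 'ACS received', 'extra' => []]);
$repo->resolve('_idp-req-A');
$recordA = $processor(['message' => 'ACS received', 'extra' => []]);

printf("A: %s\nB: %s\ndistinct: %s\n",
    $recordA['extra']['correlation_id'],
    $recordB['extra']['correlation_id'],
    $recordA['extra']['correlation_id'] !== $recordB['extra']['correlation_id'] ? 'yes' : 'no');
```

The point of the demo is the interleaving: because the holder is refilled at the top of each leg from the session-stored map, a log line emitted while handling flow B's ACS cannot inherit flow A's ID even though both flows live in the same session. Constructing the repository with a `null` session reproduces the CLI/unit-test case, where every operation is a no-op and the holder stays `null`.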
a0096cf to 9a4aa7c
No description provided.