My org implements Federated login via Microsoft Entra which expects a SAMLRequest parameter in addition to a few others to be submitted to the idPUrl via a POST request.
The current implementation in https://github.com/XcodesOrg/XcodesLoginKit/blob/main/Sources/XcodesLoginKit/AppleSessionService.swift#L198-L223 will always build a GET style URL and open it in the browser which then results in a malformed request warning from MS Entra.
I have tested two solutions for the issue locally that both work but i am unhappy with both for different reasons. -> Opening this issue hoping someone has a even better idea.
Solution 1:
Host a local Web Server within XcodesLoginKit that serves a self submitting POST form and open that URL in the browser instead if httpMethod == "POST".
Works by letting us send the actual request POST from a users browser, rest of the flow proceeds as before.
->
Requires either a http server dependency or some manual TCP socket magic. Doable but increases the project scope by a lot in my eyes.
Solution 2:
Check for SAMLRequest parameter + httpMethod == "POST" in idpURL getter implementation and rewrite to GET based request.
Works because the Entra endpoint also accepts GET based SAMLRequests but has the caveat of having to base64decode -> deflate -> base64encode -> urlencode the SAMLRequest parameter into the required format for GET based requests.
->
Requires a code path that is specific to a single Federation provider, also might break other implementations if not guarded for correctly. Feels More hacky to me.
Both of these approaches do work but i am not really happy with the tradeoffs for either. Hoping someone else has a better idea 😅
If not i am also happy to upstream either solution.
My org implements Federated login via Microsoft Entra which expects a
SAMLRequestparameter in addition to a few others to be submitted to theidPUrlvia aPOSTrequest.The current implementation in https://github.com/XcodesOrg/XcodesLoginKit/blob/main/Sources/XcodesLoginKit/AppleSessionService.swift#L198-L223 will always build a
GETstyle URL and open it in the browser which then results in a malformed request warning from MS Entra.I have tested two solutions for the issue locally that both work but i am unhappy with both for different reasons. -> Opening this issue hoping someone has a even better idea.
Solution 1:
Host a local Web Server within XcodesLoginKit that serves a self submitting
POSTform and open that URL in the browser instead ifhttpMethod == "POST".Works by letting us send the actual request
POSTfrom a users browser, rest of the flow proceeds as before.->
Requires either a http server dependency or some manual TCP socket magic. Doable but increases the project scope by a lot in my eyes.
Solution 2:
Check for
SAMLRequestparameter +httpMethod == "POST"inidpURLgetter implementation and rewrite toGETbased request.Works because the Entra endpoint also accepts
GETbasedSAMLRequests but has the caveat of having tobase64decode -> deflate -> base64encode -> urlencodetheSAMLRequestparameter into the required format forGETbased requests.->
Requires a code path that is specific to a single Federation provider, also might break other implementations if not guarded for correctly. Feels More hacky to me.
Both of these approaches do work but i am not really happy with the tradeoffs for either. Hoping someone else has a better idea 😅
If not i am also happy to upstream either solution.