Skip to content

php-saml requires X-Forwarded-Port for port determination, though X-Forwarded-Proto is set #633

Description

@MetroMarv

Hello everyone,

I've stumbled upon this bug when using the tool Kimai, which uses your lib for SAML authentication and I got a problem when setting up the app behind a Caddy proxy and figured out that I had to configure Caddy to also set the X-Forwarded-Port header to make the SAML auth working (GH Discussion).

In the Caddy docs it says:

For these X-Forwarded-* headers, by default, the proxy will ignore their values from incoming requests, to prevent spoofing.

Which includes the X-Forwarded-Port header. I then asked ChatGpt what the alternative is and it said that usually apps/libs should rely on the X-Forwarded-Proto header instead of X-Forwarded-Port header to reduce the risks for spoofing. I have to admit that I don't know if ChatGPT is right here, but it sounds good. Maybe you'll know better than I do.

So I'd suggest a change your logic here. So that the OneLogin_Saml2_Utils::getSelfPort() method considers the X-Forwarded-Proto header if the X-Forwarded-Port header is not set.

I'll prepare a PR for that in a couple of minutes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions