From 6f7d427e7affc59125c9c4f5fea591e986e16611 Mon Sep 17 00:00:00 2001
From: Emi Simpson
Date: Mon, 7 Jun 2021 14:34:15 -0400
Subject: [PATCH 1/2] Correct timestamp format
This makes two changes to the timestamp format used in assertions. First, it removes the millisecond component, per issue #23, and secondly, it removes the timezone component, which is explicitly disallowed by the SAML spec (section 1.3.3)
---
flask_saml2/idp/sphandler.py | 2 +-
flask_saml2/sp/idphandler.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/flask_saml2/idp/sphandler.py b/flask_saml2/idp/sphandler.py
index fee4300..5e61d2a 100644
--- a/flask_saml2/idp/sphandler.py
+++ b/flask_saml2/idp/sphandler.py
@@ -290,7 +290,7 @@ def format_datetime(self, value: datetime.datetime) -> str:
formatting, and don't support the format produced by :meth:`datetime.datetime.isoformat`. """
- return value.isoformat()
+ return value.replace(tzinfo=None).isoformat(timespec='seconds')
def __str__(self):
if self.display_name:
diff --git a/flask_saml2/sp/idphandler.py b/flask_saml2/sp/idphandler.py
index 50788ad..4ca536a 100644
--- a/flask_saml2/sp/idphandler.py
+++ b/flask_saml2/sp/idphandler.py
@@ -266,7 +266,7 @@ def format_datetime(self, value: datetime.datetime) -> str:
formatting, and don't support the format produced by :meth:`datetime.datetime.isoformat`. """
- return value.isoformat()
+ return value.replace(tzinfo=None).isoformat(timespec='seconds')
def __str__(self):
if self.display_name:
From 1a18774a80093a746b105bf092be8faaddb802c6 Mon Sep 17 00:00:00 2001
From: Emi Simpson
Date: Mon, 7 Jun 2021 15:46:26 -0400
Subject: [PATCH 2/2] Include a Z in the timestamp field
Following discussion here: https://github.com/simplesamlphp/xml-common/pull/8
---
flask_saml2/sp/idphandler.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flask_saml2/sp/idphandler.py b/flask_saml2/sp/idphandler.py
index 4ca536a..c93d2c8 100644
--- a/flask_saml2/sp/idphandler.py
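Review bot: `value.replace(tzinfo=None)` on the new return line in flask_saml2/idp/sphandler.py discards the offset without converting to UTC, so an aware datetime in any other zone is written out with its local wall-clock digits and every validity window derived from it is shifted by that offset. SAML time values are read as UTC, so the conversion should come before the offset is dropped, e.g. `if value.tzinfo is not None: value = value.astimezone(datetime.timezone.utc)` ahead of the return. The identical line is added in flask_saml2/sp/idphandler.py in this patch and is kept in patch 2/2, where the appended `'Z'` makes the UTC claim explicit. Whether callers ever pass naive or non-UTC values is not visible here, and the docstring of format_datetime starts outside the hunk.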
+++ b/flask_saml2/sp/idphandler.py
@@ -266,7 +266,7 @@ def format_datetime(self, value: datetime.datetime) -> str:
formatting, and don't support the format produced by :meth:`datetime.datetime.isoformat`. """
- return value.replace(tzinfo=None).isoformat(timespec='seconds')
+ return value.replace(tzinfo=None).isoformat(timespec='seconds') + 'Z'
def __str__(self):
if self.display_name:
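Review bot: Only the SP-side `format_datetime` gains the `'Z'` here; the copy in flask_saml2/idp/sphandler.py changed in patch 1/2 still returns a bare timestamp with no UTC designator. A peer that reads an unzoned xs:dateTime as local time would then check those timestamps against the wrong clock, so the two handlers should presumably agree, with `return value.replace(tzinfo=None).isoformat(timespec='seconds') + 'Z'` in both or one shared helper. The docstring visible as context still only says peers reject the `isoformat` output; it could state the format now produced, e.g. `Returns UTC as YYYY-MM-DDTHH:MM:SSZ, without fractional seconds.` The docstring starts outside the hunk.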