Expected Behavior
The ability to have access to the AuthnRequest Id and the Response InResponseTo when saving and loading AbstractSaml2AuthenticationRequests via Saml2AuthenticationRequestRepository.
Current Behavior
When saving and loading the request via Saml2AuthenticationRequestRepository the user receives an AbstractSaml2AuthenticationRequest and the HTTP request and response. There is no easy way to access the AuthnRequest Id and the Response InResponseTo when saving and loading requests.
Context
When using Spring Session, the requests cannot be loaded using the default HttpSessionSaml2AuthenticationRequestRepository because the cookie uses SameSite=Lax, as described in https://github.com/spring-projects/spring-security/issues/10828. We are looking to create a custom Saml2AuthenticationRequestRepository that can store and load the requests based on the ID instead of using the session.
The workaround we are using for now is to create a custom assertionValidator and responseValidator that filter out the errors for InResponseTo validation.
```kotlin
import org.springframework.security.saml2.core.Saml2ErrorCodes
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider

// Run the default response validator, then keep every error except the InResponseTo one.
openSamlAuthenticationProvider.setResponseValidator { token ->
    val result = OpenSaml4AuthenticationProvider.createDefaultResponseValidator().convert(token)
    // Saml2ResponseValidatorResult is immutable: concat() returns a new result, so it must be reassigned
    var newResult = Saml2ResponseValidatorResult.success()
    result?.errors?.forEach { error ->
        if (error.errorCode != Saml2ErrorCodes.INVALID_IN_RESPONSE_TO) {
            newResult = newResult.concat(error)
        }
    }
    newResult
}
```
For retrieving the AuthnRequest ID we could also use similar code to OpenSaml4AuthenticationProvider#getAuthnRequestId but it would require our own implementation because it is currently private.
It's also possible this is more appropriate as a Stack Overflow question on how to get the ID and InResponseTo from an HttpServletRequest.
Comment From: jzheaux
Hi, @scottshidlovsky. Thanks for the detailed explanation.
> For retrieving the AuthnRequest ID we could also use similar code to OpenSaml4AuthenticationProvider#getAuthnRequestId but it would require our own implementation because it is currently private.
This is currently the preferred way. Likely, your implementation would be much simpler since it would be focused on your specific use case:
That said, I think it's reasonable to add the id given that this brings it into alignment with Saml2LogoutRequest#getId. Can you provide a PR that:
- Exposes the id in `AbstractSaml2AuthenticationRequest`
- Updates `OpenSamlAuthenticationRequestResolver` to set the id.
- Updates `Saml2PostAuthenticationRequestMixin` and `Saml2RedirectAuthenticationRequestMixin` to correctly serialize and deserialize payloads with an id and without (for backward compatibility)
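The following is an added illustration, not code from Spring Security or from either participant in this thread. It shows, with only the Python standard library, the two things discussed above: the correlation the issue body wants to do without a session (read the AuthnRequest ID out of the stored request for both the POST and Redirect bindings, read InResponseTo out of the response, look the request up by ID, and reject responses that do not correlate or that are replayed, which is exactly the check the workaround's filter switches off), and the backward-compatible payload handling in the checklist (a payload written without an "id" is still readable, the id being recovered from the XML). `StoredAuthnRequest`, the JSON field names, the `IdKeyedAuthnRequestRepository` method names and the sample messages are all constructed for this example; the error-code string is assumed to mirror `Saml2ErrorCodes.INVALID_IN_RESPONSE_TO` and is not taken from the project.

```python
import base64
import json
import zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Assumed to mirror Spring's Saml2ErrorCodes.INVALID_IN_RESPONSE_TO (the code the workaround filters out).
INVALID_IN_RESPONSE_TO = "invalid_in_response_to"


@dataclass(frozen=True)
class StoredAuthnRequest:
    """Constructed stand-in for AbstractSaml2AuthenticationRequest: encoded request plus its binding."""
    saml_request: str   # getSamlRequest(): base64 (POST binding) or base64 of raw DEFLATE (Redirect binding)
    binding: str        # "POST" or "REDIRECT"


def authn_request_id(request: StoredAuthnRequest) -> str:
    """The AuthnRequest ID attribute: the value the issue asks Spring Security to expose."""
    raw = base64.b64decode(request.saml_request)
    if request.binding == "REDIRECT":
        raw = zlib.decompress(raw, -15)   # HTTP-Redirect binding uses raw DEFLATE with no zlib header
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    return root.attrib["ID"]


def response_in_response_to(encoded_response: str) -> Optional[str]:
    """InResponseTo of a POST-bound samlp:Response; None means an unsolicited response."""
    root = ET.fromstring(base64.b64decode(encoded_response))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    return root.attrib.get("InResponseTo")


class IdKeyedAuthnRequestRepository:
    """Session-less repository keyed by AuthnRequest ID (a dict here; a shared store in practice)."""

    def __init__(self) -> None:
        self._store: Dict[str, StoredAuthnRequest] = {}

    def save(self, request: StoredAuthnRequest) -> str:
        request_id = authn_request_id(request)
        self._store[request_id] = request
        return request_id

    def load(self, in_response_to: str) -> Optional[StoredAuthnRequest]:
        return self._store.get(in_response_to)

    def remove(self, in_response_to: str) -> Optional[StoredAuthnRequest]:
        return self._store.pop(in_response_to, None)


def consume_response(repo: IdKeyedAuthnRequestRepository, encoded_response: str) -> List[Tuple[str, str]]:
    """Correlate a response with a stored request; an empty list means it validated.
    The stored request is removed on success, so the same response cannot be replayed.
    This is the check the thread's workaround disables by dropping INVALID_IN_RESPONSE_TO errors."""
    in_response_to = response_in_response_to(encoded_response)
    if not in_response_to:
        return [(INVALID_IN_RESPONSE_TO, "response carries no InResponseTo, so it cannot be correlated")]
    if repo.load(in_response_to) is None:
        return [(INVALID_IN_RESPONSE_TO, f"no stored AuthnRequest with ID {in_response_to!r}")]
    repo.remove(in_response_to)
    return []


def to_json(request: StoredAuthnRequest, request_id: Optional[str] = None) -> str:
    """Stored payload (constructed field names); "id" is written only when known."""
    payload = {"samlRequest": request.saml_request, "binding": request.binding}
    if request_id:
        payload["id"] = request_id
    return json.dumps(payload)


def from_json(text: str) -> Tuple[str, StoredAuthnRequest]:
    """Reads payloads with and without "id": older payloads lack it, so it is recovered from the XML."""
    data = json.loads(text)
    request = StoredAuthnRequest(data["samlRequest"], data["binding"])
    return data.get("id") or authn_request_id(request), request


# Constructed sample messages for the demo; not real SP/IdP traffic.
AUTHN_REQUEST_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed-authn-request-1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="https://sp.example.invalid/acs"/>'
)


def encode_post(xml: str) -> str:
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_redirect(xml: str) -> str:
    compressor = zlib.compressobj(wbits=-15)   # raw DEFLATE, as the Redirect binding requires
    return base64.b64encode(compressor.compress(xml.encode("utf-8")) + compressor.flush()).decode("ascii")


def constructed_response(in_response_to: Optional[str]) -> str:
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return encode_post(f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed-response-1" '
                       f'Version="2.0" IssueInstant="2024-01-01T00:00:05Z"{attr}/>')
```

A typical run saves `StoredAuthnRequest(encode_redirect(AUTHN_REQUEST_XML), "REDIRECT")`, then calls `consume_response` with `constructed_response(request_id)`: the first call returns no errors, a second call with the same response returns an `invalid_in_response_to` error because the request was consumed, and a response with no InResponseTo or an unknown one is rejected the same way. The point of keying the repository by ID rather than by session is that the correlation check keeps working across the SameSite=Lax redirect; the workaround in the issue body removes the check instead, which also removes replay and unsolicited-response detection.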