Not sure if there is a better location to report this bug, but please let me know if there is.
I’ve been implementing a SAML service provider and found this issue with how Auth0 performs signature verification on an AuthnRequest using the HTTP-Redirect binding. It may be an issue with other message types but this is the only one I’ve tested.
Description of the issue:
Auth0 requires (for purposes of signature verification) that any alpha hexadecimal character be encoded as uppercase in the URL. I.e., %2F instead of %2f. If you send it encoded values using the lowercase encoding, then signature verification will fail.
The SAML specification section 3.4.4.1 states: “Further, note that URL-encoding is not canonical; that is, there are multiple legal encodings for a given value. The relying party MUST therefore perform the verification step using the original URL-encoded values it received on the query string. It is not sufficient to re-encode the parameters after they have been processed by software because the resulting encoding may not match the signer’s encoding.”
It would seem that Auth0 is URL decoding and then re-encoding the request parameters before validation the signature, which goes against the SAML spec.
How to reproduce:
Set up a Auth0 as a SAML2 identity provider. Send it a signed AuthnRequest using the HTTP-Redirect binding that URL encodes alpha hexadecimal characters as lower-case. The signature validation will fail. Sending the same request with upper-case URL encoded alpha hexadecimal characters will succeed.
I have a requirement to interface with another identity provider that also has this bug except it requires lower-case encoding so I can’t support both. Please don’t make me put a switch in my code that changes the URL encoding format lol.