Add cookie name

Andrew Heberle · Andrew Heberle · commit 1ec618083a44 · 2025-06-12T13:17:42.000+08:00
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ AUTH_IDP_METADATA=https://idp.example.net/metadata \
       --listen string                     Listen address (default "127.0.0.1:9091")
       --sp-cert string                    Service Provider Certificate
       --sp-claim-mapping stringToString   Mapping of claims to headers (default [remote-user=urn:oasis:names:tc:SAML:attribute:subject-id,remote-email=mail,remote-name=displayName,remote-groups=role])
+      --sp-cookie                         Cookie Name set by Service Provider (default "token")
       --sp-key string                     Service Provider Key
       --sp-url string                     Service Provider URL (default "http://localhost:9091")
 ```
@@ -60,10 +61,16 @@ For this reason, the token only contains minimal data with the rest contained se
 
 By default this store is a basic in-memory store, which means it cannot be shared among multiple instances of this service and also will be lost on restart. The loss of this data on restart is not particularly problematic as the only result will be that the SP will not be able to validate the user is signed in and force the login flow to the IdP.
 
+If using muliple nodes however, using the in-memory store will cause unexpected re-authentiations if requests are handled by different instances.
+
 When using multiple instances, it is possible to use a PostgreSQL database to store this content.
 
 ### Using the same database for multiple deployments
 
 All instances of the same Service Provider should share the same configuration options, including the database store, however if seperate service providers are configured using the same database there is the chance incorrect claims may be returned.
 
 To allow sharing of the same database between seperate Service Providers, the `db-prefix` option will ensure this data is stored in seperate tables.
+
+### Cookie Name
+
+The login "token" is stored as a JWT in a cookie named "token" by default. It is important to ensure that seperate SP's use distinct cookie names to ensure JWT's are correctly validated and not overwritten.
diff --git a/internal/pkg/cmd/cmd.go b/internal/pkg/cmd/cmd.go
@@ -28,6 +28,7 @@ type rootCommand struct {
 	debug  bool
 
 	// sp flags
+	spCookie       string
 	spCert         string
 	spKey          string
 	spUrl          string
@@ -61,6 +62,7 @@ func (c *rootCommand) Init(cd *simplecobra.Commandeer) error {
 	cmd.Flags().BoolVar(&c.debug, "debug", false, "Enable debug logging")
 
 	// sp command line flags
+	cmd.Flags().StringVar(&c.spCookie, "sp-cookie", "token", "Cookie Name set by Service Provider")
 	cmd.Flags().StringVar(&c.spCert, "sp-cert", "", "Service Provider Certificate")
 	cmd.Flags().StringVar(&c.spKey, "sp-key", "", "Service Provider Key")
 	cmd.MarkFlagsRequiredTogether("sp-cert", "sp-key")
@@ -107,6 +109,7 @@ type serviceProvider struct {
 	ServiceProviderClaimMapping map[string]string `mapstructure:"sp-claim-mapping"`
 	ServiceProviderCertificate  string            `mapstructure:"sp-cert"`
 	ServiceProviderKey          string            `mapstructure:"sp-key"`
+	ServiceProviderCookieName   string            `mapstructure:"sp-cookie"`
 	IdPMetadata                 string            `mapstructure:"idp-metadata"`
 	IdPIssuer                   string            `mapstructure:"idp-issuer"`
 	IdPSSOEndpoint              string            `mapstructure:"idp-sso-endpoint"`
@@ -127,6 +130,7 @@ func (c *rootCommand) Run(ctx context.Context, cd *simplecobra.Commandeer, args
 		// use global values as a fallback if some values are not set
 		spConfig.ServiceProviderCertificate = fallback(spConfig.ServiceProviderCertificate, c.spCert)
 		spConfig.ServiceProviderKey = fallback(spConfig.ServiceProviderKey, c.spKey)
+		spConfig.ServiceProviderCookieName = fallback(spConfig.ServiceProviderCookieName, c.spCookie)
 
 		// show config in debug mode
 		c.logger.Debug("setting up service provider",
@@ -146,6 +150,7 @@ func (c *rootCommand) Run(ctx context.Context, cd *simplecobra.Commandeer, args
 		// set up service provider options
 		opts := []sp.ServiceProviderOption{
 			sp.WithClaimMapping(spConfig.ServiceProviderClaimMapping),
+			sp.WithCookieName(spConfig.ServiceProviderCookieName),
 		}
 
 		// handle metadata
@@ -302,6 +307,7 @@ func (c *rootCommand) serviceProviders() []serviceProvider {
 				ServiceProviderClaimMapping: c.spClaimMapping,
 				ServiceProviderCertificate:  c.spCert,
 				ServiceProviderKey:          c.spKey,
+				ServiceProviderCookieName:   c.spCookie,
 				IdPMetadata:                 c.idpMetadata,
 				IdPIssuer:                   c.idpIssuer,
 				IdPSSOEndpoint:              c.idpSSOEndpoint,
@@ -320,6 +326,7 @@ func (c *rootCommand) serviceProviders() []serviceProvider {
 				ServiceProviderClaimMapping: c.spClaimMapping,
 				ServiceProviderCertificate:  c.spCert,
 				ServiceProviderKey:          c.spKey,
+				ServiceProviderCookieName:   c.spCookie,
 				IdPMetadata:                 c.idpMetadata,
 				IdPIssuer:                   c.idpIssuer,
 				IdPSSOEndpoint:              c.idpSSOEndpoint,
diff --git a/pkg/sp/options.go b/pkg/sp/options.go
@@ -67,6 +67,12 @@ func WithMetadataRefreshInterval(d time.Duration) ServiceProviderOption {
 	}
 }
 
+func WithCookieName(name string) ServiceProviderOption {
+	return func(s *ServiceProvider) {
+		s.cookieName = name
+	}
+}
+
 func WithName(name string) ServiceProviderOption {
 	return func(s *ServiceProvider) {
 		s.name = name
diff --git a/pkg/sp/sp.go b/pkg/sp/sp.go
@@ -29,6 +29,7 @@ type ServiceProvider struct {
 	store                      AttributeStore
 	opts                       samlsp.Options
 	name                       string
+	cookieName                 string
 	onerror                    func(w http.ResponseWriter, r *http.Request, err error)
 }
 
@@ -77,6 +78,7 @@ func NewServiceProvider(cert, key string, root *url.URL, options ...ServiceProvi
 		EntityID:          root.String(),
 		Key:               keyPair.PrivateKey.(*rsa.PrivateKey),
 		Certificate:       keyPair.Leaf,
+		CookieName:        serviceProvider.cookieName,
 		IDPMetadata:       serviceProvider.idpMetadata,
 		AllowIDPInitiated: true,
 		SignRequest:       true,
diff --git a/pkg/sp/tracker.go b/pkg/sp/tracker.go
@@ -15,7 +15,7 @@ import (
 func DefaultRequestTracker(opts samlsp.Options, serviceProvider *saml.ServiceProvider) CookieRequestTracker {
 	return CookieRequestTracker{
 		ServiceProvider: serviceProvider,
-		NamePrefix:      "saml_",
+		NamePrefix:      fmt.Sprintf("saml_%s_", opts.CookieName),
 		Codec:           samlsp.DefaultTrackedRequestCodec(opts),
 		MaxAge:          saml.MaxIssueDelay,
 		RelayStateFunc:  opts.RelayStateFunc,

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,12 @@ func WithMetadataRefreshInterval(d time.Duration) ServiceProviderOption {`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`
	`70`	`+func WithCookieName(name string) ServiceProviderOption {`
	`71`	`+ return func(s *ServiceProvider) {`
	`72`	`+ s.cookieName = name`
	`73`	`+ }`
	`74`	`+}`
	`75`	`+`
`70`	`76`	`func WithName(name string) ServiceProviderOption {`
`71`	`77`	`return func(s *ServiceProvider) {`
`72`	`78`	`s.name = name`