From e29e1a009073fc2e80a6d518256c2ab95012bb85 Mon Sep 17 00:00:00 2001
From: Actalab
Date: Tue, 2 Jun 2026 12:09:53 +0200
Subject: [PATCH] Fix / SAML nonce cookie
---
 lib/ex_saml/auth_handler.ex | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/lib/ex_saml/auth_handler.ex b/lib/ex_saml/auth_handler.ex
index d128476..6f339aa 100644
--- a/lib/ex_saml/auth_handler.ex
+++ b/lib/ex_saml/auth_handler.ex
@@ -41,8 +41,7 @@ defmodule ExSaml.AuthHandler do
 %{
 relay_state: relay_state,
 session_id: session_id,
- saml_nonce:
- fetch_cookies(conn, encrypted: ~w(saml_nonce)).cookies["saml_nonce"] || UUID.uuid4(),
+ saml_nonce: resolve_saml_nonce(conn),
 idp_id: idp_id,
 user_token: get_session(conn, :user_token),
 redirect_uri: get_session(conn, :redirect_uri),
@@ -99,8 +98,7 @@ defmodule ExSaml.AuthHandler do
 %{
 relay_state: relay_state,
 session_id: session_id,
- saml_nonce:
- fetch_cookies(conn, encrypted: ~w(saml_nonce)).cookies["saml_nonce"] || UUID.uuid4(),
+ saml_nonce: resolve_saml_nonce(conn),
 idp_id: idp_id,
 target_url: target_url,
 user_token: get_session(conn, :user_token),
@@ -180,4 +178,14 @@ defmodule ExSaml.AuthHandler do
 # Logger.error("#{inspect error}")
 # conn |> send_resp(500, "request_failed")
 end
+
+ # Prefer a caller-assigned nonce so the SP can persist auxiliary state
+ # (e.g. redirect_uri) under the same key the IdP response will resolve to
+ # — `put_resp_cookie` does not populate `req_cookies`, so on the first
+ # round-trip the cookie fallback can't see what we just set.
+ defp resolve_saml_nonce(conn) do
+ conn.assigns[:saml_nonce] ||
+ fetch_cookies(conn, encrypted: ~w(saml_nonce)).cookies["saml_nonce"] ||
+ UUID.uuid4()
+ end
 end
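Review bot: In the new `resolve_saml_nonce/1` the assign is used as the nonce with no shape check, and since only `nil` and `false` are falsy in Elixir, an assign of `""` (or any non-binary value set upstream) takes precedence over the cookie and is forwarded as the nonce at both call sites. Because the value is meant to be the key that later state is persisted under, I would accept it only when it is a non-empty binary: add a first clause `defp resolve_saml_nonce(%{assigns: %{saml_nonce: nonce}}) when is_binary(nonce) and nonce != "", do: nonce` and drop the `conn.assigns[:saml_nonce] ||` line from the existing body so every other shape falls through to the cookie / `UUID.uuid4()` path. Whether any caller currently sets such an assign is not visible in this patch, so this is a defensive guard rather than a fix for an observed failure. The helper and the module's closing `end` are fully inside the third hunk; the two call sites in the earlier hunks sit inside functions whose heads are outside the patch.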