[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mod_auth_saml: DEFAULTQS being ignored



Alexander Runge <runge@xxxxxxxxx> said:
> Hi all,
> 
> I have compiled the latest version 1.22 of mod_auth_saml for an
> apache instance on SLES11.
> I can already authenticate against an Idp. Now I would like to get rid
> of the Idp selection page. I thought using the DEFAULTQS directive
> should do the trick.
> However, it appears this directive is completely ignored.
> No matter what I use as the DEFAULTQS I'm still redirected
> to the Idp selection page.
> 
> Feel free to test, here's the URL:
> https://fiori-00017-1001272-emea.sapdemocloud.com/
> 
> And this is the relevant part of my apache config:
> 
>    <Location /protected>
>         Require valid-user
>         AuthType "saml"
>         ZXIDConf 
> "URL=https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml";
>         ZXIDConf "ANON_OK=/pers/"
>         ZXIDConf "REDIR_TO_CONTENT=1"
>       </Location>
> 
> 
>       <Location /sap>
>         Require valid-user
>         AuthType "saml"
>         ZXIDConf 
> "URL=https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml";
>         ZXIDConf 
> "DEFAULTQS=https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?e=&d=accounts.sap.com&l0=+Login+&fc=1&fn=prstnt&fr=%2Fsap%2Fbc%2Fui5_ui5%2Fui2%2Fushell%2Fshells%2Fabap%2FFioriLaunchpad.html&fq=&fy=&fa=&fm=&fp=0&ff=0";
>       </Location>

Please see in zxid-faq.pd section 97.3.2 "Skipping IdP Selection:
Hardwiring the IdP". Careful reading shows that DEFAULTQS should
start with l0 (lowercase ell and zero) followed by entity ID
of the desired IdP. Your DEFAULTQS seems to lack this prefix, or
conversely where you have l0=+Login+, you should have l0IDPEID=1

What is the IdP entityID you are trying to use. To me it seems
https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml
is your SP entity ID. I do not see the IdP entityID anywhere.

Be sure to pay attention to URI escaping as well, as explained in
the FAQ item.

> If I enter the QS directly into the browser it works like a charm.

Why it works, I am unable to explain. Perhaps the URL you pasted
was slightly different from what you used in DEFAULTQS?

Hope this helps.

Cheers,
--Sampo

> Here's the debug log:
> 
> 
> 4965.7ff9a2995700 mod_auth_saml.c:341 chkuid            mas d ===== 
> START 1.22 req=0x7ff9a3b193d8 
> uri(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) 
> args((null)) pid=4965 cwd(/)
> 
> 4965.7ff9a2995700 mod_auth_saml.c:497 chkuid            mas d chkuid: No 
> active session() op(-)
> 
> 4965.7ff9a2995700 mod_auth_saml.c:508 chkuid            mas d chkuid: 
> other page: no_ses 
> uri(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) 
> templ((null)) tf(idpsel.html) k((null))
> 
> 4965.7ff9a2995700 zxidsimp.c:1485 zxid_simple_no_ses_cf         mas d 
> chkuid: op(E) cf=0x7ff9a3030b08 cgi=0x7fff50153e20 ses=0x7fff50153cb0 
> auto=6ea8 wd(-)
> 
> 4965.7ff9a2995700  zxidecp.c:141 zxid_lecp_check        mas d chkuid: 
> Neither ECP nor LECP request 0
> 
> 4965.7ff9a2995700 zxidsimp.c:1524 zxid_simple_no_ses_cf         mas d 
> chkuid: LECP check: ss(?)
> 
> 4965.7ff9a2995700 zxidsimp.c:1536 zxid_simple_no_ses_cf         mas d 
> chkuid: NOT CDC 0
> 
> 4965.7ff9a2995700  zxidsso.c:158 
> zxid_sso_set_relay_state_to_return_to_this_url         mas d chkuid: 
> Previous rs(-)
> 
> 4965.7ff9a2995700   zxutil.c:951 zxid_deflate_safe_b64_raw      mas d 
> chkuid: z 
> input(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) len=58
> 
> 4965.7ff9a2995700  zxidsso.c:168 
> zxid_sso_set_relay_state_to_return_to_this_url         mas d chkuid: 
> rs(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCrcMvOLMn0SS_OSMwoSU_QySnJzAA==) 
> from(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) 
> uri_path(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) qs(-)
> 
> 4965.7ff9a2995700 zxidsimp.c:844 zxid_simple_show_idp_sel       mas d 
> chkuid: cf=0x7ff9a3030b08 cgi=0x7fff50153e20 templ(?)
> 
> 4965.7ff9a2995700 zxidsimp.c:630 zxid_idp_select_zxstr_cf_cgi   mas d 
> chkuid: HERE tf(idpsel.html) k((null)) t(<title>SP SSO: Choose 
> IdP</title><link type="text/css" rel=stylesheet href="idpsel.css"><body 
> bgcolor=white><h1 class=zxtop>SP Federated SSO (user NOT logged in, no 
> session)</h1><form method=get action="!!URL"><div 
> class=zxerr>!!ERR</div><div class=zxmsg>!!MSG</div><div 
> class=zxdbg>!!DBG</div><h3>Login Using New IdP</h3><i>A new IdP is one 
> whose metadata we do not have yet. We need to know the IdP URL (aka 
> Entity ID) in order to fetch the metadata using the well known location 
> method. You will need to ask the adminstrator of the IdP to tell you 
> what the EntityID is.</i><p>IdP URL <input name=e size=60><input 
> type=submit name=l0 value=" Login "><br>Entity ID of this SP (click on 
> the link to fetch the SP metadata): <a 
> href="!!EID">!!EID</a><p>!!IDP_LIST<h3>Technical options</h3><input 
> type=hidden name=fc value=1><input type=hidden name=fn value=prstnt><!-- 
> built-in defaults, see IDP_SEL_TEMPL in zxidconf.h and zxid-conf.pd for 
> explanation --><input type=hidden name=fr value="!!FR"><input 
> type=hidden name=fq value=""><input type=hidden name=fy value=""><input 
> type=hidden name=fa value=""><input type=hidden name=fm value=""><input 
> type=hidden name=fp value=0><input type=hidden name=ff 
> value=0></form><div class=zxbot>!!VERSION (builtin)</div>) 
> cgi=0x7fff50153e20
> 
> open (vopen_fd_from_path): No such file or directory
> 
> 4965.7ff9a2995700   zxutil.c:122 vopen_fd_from_path     mas E chkuid: 
> templ: File(idpsel.html) not found errno=2 err(No such file or 
> directory). flags=0x0 0, euid=30 egid=8 cwd(/)
> 
> 4965.7ff9a2995700 zxidsimp.c:392 zxid_template_page_cf  mas d chkuid: 
> Template at path(idpsel.html) not found. Using default template.
> 
> 4965.7ff9a2995700 zxidmeta.c:846 zxid_my_ent_id_cstr    mas d chkuid: 
> my_entity_id(https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?o=B)
> 
> 4965.7ff9a2995700 zxidmeta.c:846 zxid_my_ent_id_cstr    mas d chkuid: 
> my_entity_id(https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?o=B)
> 
> 4965.7ff9a2995700   zxutil.c:128 vopen_fd_from_path     mas d chkuid: 
> get_ent_by_sha1_name: Opened(/var/zxid/cot/aIHZ78Ex8smJDvnZ3rPkp3Kw1vs) 
> flags=0x0
> 
> 4965.7ff9a2995700     zxns.c:187 zx_xmlns_decl          mas d chkuid: 
> New prefix(ns3) known URL(urn:oasis:names:tc:SAML:2.0:metadata)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <Transform> tok(0x3c0d04) as 1. child of <Transforms> 
> tok(0x3c0a7b) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <Transform> tok(0x3c0d04) as 2. child of <Transforms> 
> tok(0x3c0a7b) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <Transforms> tok(0x3c0a7b) as 1. child of <Reference> 
> tok(0x3c0982) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <DigestMethod> tok(0x3c045d) as 2. child of <Reference> 
> tok(0x3c0982) (0,1)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <DigestValue> tok(0x3c0a33) as 3. child of <Reference> 
> tok(0x3c0982) (1,2)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <CanonicalizationMethod> tok(0x3c05fc) as 1. child of 
> <SignedInfo> tok(0x3c09b0) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <SignatureMethod> tok(0x3c02e4) as 2. child of <SignedInfo> 
> tok(0x3c09b0) (0,1)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <Reference> tok(0x3c0982) as 3. child of <SignedInfo> 
> tok(0x3c09b0) (1,2)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <X509Certificate> tok(0x3c0154) as 1. child of <X509Data> 
> tok(0x3c02c4) (0,3)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <Modulus> tok(0x3c01b0) as 1. child of <RSAKeyValue> 
> tok(0x3c10bb) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <Exponent> tok(0x3c0f26) as 2. child of <RSAKeyValue> 
> tok(0x3c10bb) (0,1)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <RSAKeyValue> tok(0x3c10bb) as 1. child of <KeyValue> 
> tok(0x3c108b) (0,1)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <X509Data> tok(0x3c02c4) as 1. child of <KeyInfo> 
> tok(0x3c1071) (0,3)
> 
> 4965.7ff9a2995700 zxlibdec.c:228 zx_chk_el_ord          mas E chkuid: 
> WRONG: Known <KeyValue> tok(0x3c108b) in wrong place as 2. child of 
> <KeyInfo> tok(0x3c1071) (3,8)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <SignedInfo> tok(0x3c09b0) as 1. child of <Signature> 
> tok(0x3c02de) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <SignatureValue> tok(0x3c02fc) as 2. child of <Signature> 
> tok(0x3c02de) (0,1)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <KeyInfo> tok(0x3c1071) as 3. child of <Signature> 
> tok(0x3c02de) (1,2)
> 
> 4965.7ff9a2995700     zxns.c:187 zx_xmlns_decl          mas d chkuid: 
> New prefix() known URL(http://www.w3.org/2000/09/xmldsig#)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <X509Certificate> tok(0x3c0154) as 1. child of <X509Data> 
> tok(0x3c02c4) (0,3)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <KeyName> tok(0x3c0b12) as 1. child of <KeyInfo> 
> tok(0x3c1071) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <X509Data> tok(0x3c02c4) as 2. child of <KeyInfo> 
> tok(0x3c1071) (0,3)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <KeyInfo> tok(0x3c1071) as 1. child of <KeyDescriptor> 
> tok(0x240ae6) (0,0)
> 
> 4965.7ff9a2995700     zxns.c:187 zx_xmlns_decl          mas d chkuid: 
> New prefix() known URL(http://www.w3.org/2000/09/xmldsig#)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <X509Certificate> tok(0x3c0154) as 1. child of <X509Data> 
> tok(0x3c02c4) (0,3)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <KeyName> tok(0x3c0b12) as 1. child of <KeyInfo> 
> tok(0x3c1071) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <X509Data> tok(0x3c02c4) as 2. child of <KeyInfo> 
> tok(0x3c1071) (0,3)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <KeyInfo> tok(0x3c1071) as 1. child of <KeyDescriptor> 
> tok(0x240ae6) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <KeyDescriptor> tok(0x240ae6) as 1. child of 
> <IDPSSODescriptor> tok(0x240d44) (0,2)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <KeyDescriptor> tok(0x240ae6) as 2. child of 
> <IDPSSODescriptor> tok(0x240d44) (2,2)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <SingleLogoutService> tok(0x2408f6) as 3. child of 
> <IDPSSODescriptor> tok(0x240d44) (2,6)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <SingleLogoutService> tok(0x2408f6) as 4. child of 
> <IDPSSODescriptor> tok(0x240d44) (6,6)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <SingleSignOnService> tok(0x240978) as 5. child of 
> <IDPSSODescriptor> tok(0x240d44) (6,9)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <SingleSignOnService> tok(0x240978) as 6. child of 
> <IDPSSODescriptor> tok(0x240d44) (9,9)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <Signature> tok(0x3c02de) as 1. child of <EntityDescriptor> 
> tok(0x24056f) (0,0)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <IDPSSODescriptor> tok(0x240d44) as 2. child of 
> <EntityDescriptor> tok(0x24056f) (0,3)
> 
> 4965.7ff9a2995700 zxlibdec.c:215 zx_chk_el_ord          mas d chkuid: 
> Right: Known <EntityDescriptor> tok(0x24056f) as 1. child of <root> 
> tok(0x000054) (0,14)
> 
> 4965.7ff9a2995700 zxidmeta.c:302 zxid_get_ent_file      mas d chkuid: 
> GOT META sha1_name(aIHZ78Ex8smJDvnZ3rPkp3Kw1vs) eid(?)
> 
> 4965.7ff9a2995700 zxidsimp.c:469 zxid_idp_list_cf_cgi   mas d chkuid: 
> Starting IdP list processing... 0x7ff9a3b1ed10
> 
> 4965.7ff9a2995700 zxidsimp.c:553 zxid_idp_list_cf_cgi   mas d chkuid: 
> IdP list(<select name=d>
> 
> <option class=zxidplistopt value="accounts.sap.com">  (accounts.sap.com)
> 
> </select><input type=submit id=zxidplistlogin class=zxidplistbut 
> name="l0" value=" Login "><br>
> 
> )
> 
> 4965.7ff9a2995700   zxutil.c:1063 zxid_unbase64_inflate         mas d 
> chkuid: 
> in(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCrcMvOLMn0SS_OSMwoSU_QySnJzAA==) 
> len=72 pessimistic_len=54
> 
> 4965.7ff9a2995700 mod_auth_saml.c:341 chkuid            mas d ===== 
> START 1.22 req=0x7ff9a3b04c58 
> uri(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) args((null)) 
> pid=4965 cwd(/)
> 
> 4965.7ff9a2995700 mod_auth_saml.c:497 chkuid            mas d chkuid: No 
> active session() op(-)
> 
> 4965.7ff9a2995700 mod_auth_saml.c:508 chkuid            mas d chkuid: 
> other page: no_ses 
> uri(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) templ((null)) 
> tf(idpsel.html) k((null))
> 
> 4965.7ff9a2995700 zxidsimp.c:1485 zxid_simple_no_ses_cf         mas d 
> chkuid: op(E) cf=0x7ff9a3030b08 cgi=0x7fff50153e20 ses=0x7fff50153cb0 
> auto=6ea8 wd(-)
> 
> 4965.7ff9a2995700  zxidecp.c:141 zxid_lecp_check        mas d chkuid: 
> Neither ECP nor LECP request 0
> 
> 4965.7ff9a2995700 zxidsimp.c:1524 zxid_simple_no_ses_cf         mas d 
> chkuid: LECP check: ss(?)
> 
> 4965.7ff9a2995700 zxidsimp.c:1536 zxid_simple_no_ses_cf         mas d 
> chkuid: NOT CDC 0
> 
> 4965.7ff9a2995700  zxidsso.c:158 
> zxid_sso_set_relay_state_to_return_to_this_url         mas d chkuid: 
> Previous rs(-)
> 
> 4965.7ff9a2995700   zxutil.c:951 zxid_deflate_safe_b64_raw      mas d 
> chkuid: z input(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) len=49
> 
> 4965.7ff9a2995700  zxidsso.c:168 
> zxid_sso_set_relay_state_to_return_to_this_url         mas d chkuid: 
> rs(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCoyUwqKU3P0kouLAQ==) 
> from(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) 
> uri_path(/sap/bc/ui5_ui5/ui2/ushell/shells/abap/idpsel.css) qs(-)
> 
> 4965.7ff9a2995700 zxidsimp.c:844 zxid_simple_show_idp_sel       mas d 
> chkuid: cf=0x7ff9a3030b08 cgi=0x7fff50153e20 templ(?)
> 
> 4965.7ff9a2995700 zxidsimp.c:630 zxid_idp_select_zxstr_cf_cgi   mas d 
> chkuid: HERE tf(idpsel.html) k((null)) t(<title>SP SSO: Choose 
> IdP</title><link type="text/css" rel=stylesheet href="idpsel.css"><body 
> bgcolor=white><h1 class=zxtop>SP Federated SSO (user NOT logged in, no 
> session)</h1><form method=get action="!!URL"><div 
> class=zxerr>!!ERR</div><div class=zxmsg>!!MSG</div><div 
> class=zxdbg>!!DBG</div><h3>Login Using New IdP</h3><i>A new IdP is one 
> whose metadata we do not have yet. We need to know the IdP URL (aka 
> Entity ID) in order to fetch the metadata using the well known location 
> method. You will need to ask the adminstrator of the IdP to tell you 
> what the EntityID is.</i><p>IdP URL <input name=e size=60><input 
> type=submit name=l0 value=" Login "><br>Entity ID of this SP (click on 
> the link to fetch the SP metadata): <a 
> href="!!EID">!!EID</a><p>!!IDP_LIST<h3>Technical options</h3><input 
> type=hidden name=fc value=1><input type=hidden name=fn value=prstnt><!-- 
> built-in defaults, see IDP_SEL_TEMPL in zxidconf.h and zxid-conf.pd for 
> explanation --><input type=hidden name=fr value="!!FR"><input 
> type=hidden name=fq value=""><input type=hidden name=fy value=""><input 
> type=hidden name=fa value=""><input type=hidden name=fm value=""><input 
> type=hidden name=fp value=0><input type=hidden name=ff 
> value=0></form><div class=zxbot>!!VERSION (builtin)</div>) 
> cgi=0x7fff50153e20
> 
> open (vopen_fd_from_path): No such file or directory
> 
> 4965.7ff9a2995700   zxutil.c:122 vopen_fd_from_path     mas E chkuid: 
> templ: File(idpsel.html) not found errno=2 err(No such file or 
> directory). flags=0x0 0, euid=30 egid=8 cwd(/)
> 
> 4965.7ff9a2995700 zxidsimp.c:392 zxid_template_page_cf  mas d chkuid: 
> Template at path(idpsel.html) not found. Using default template.
> 
> 4965.7ff9a2995700 zxidmeta.c:846 zxid_my_ent_id_cstr    mas d chkuid: 
> my_entity_id(https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?o=B)
> 
> 4965.7ff9a2995700 zxidmeta.c:846 zxid_my_ent_id_cstr    mas d chkuid: 
> my_entity_id(https://fiori-00017-1001272-emea.sapdemocloud.com/protected/saml?o=B)
> 
> 4965.7ff9a2995700 zxidsimp.c:469 zxid_idp_list_cf_cgi   mas d chkuid: 
> Starting IdP list processing... 0x7ff9a3b1ed10
> 
> 4965.7ff9a2995700 zxidsimp.c:553 zxid_idp_list_cf_cgi   mas d chkuid: 
> IdP list(<select name=d>
> 
> <option class=zxidplistopt value="accounts.sap.com">  (accounts.sap.com)
> 
> </select><input type=submit id=zxidplistlogin class=zxidplistbut 
> name="l0" value=" Login "><br>
> 
> )
> 
> 4965.7ff9a2995700   zxutil.c:1063 zxid_unbase64_inflate         mas d 
> chkuid: in(0y9OLNBPStYvzTSNB2IgbaRfWpyRmpOjDyaL9ROTgCoyUwqKU3P0kouLAQ==) 
> len=60 pessimistic_len=45