-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revoking token does not work for public clients #891
Comments
Looping in @f3ndot for context on this. Thank you both! |
You very well may be correct @ostinelli. From the RFC 6749, Sec 4.2 (emphasis added):
So you're correct in that:
What we have here @tute is a conflation of design with what
There are two ways forward:
With Option 2, more research would have to be done with the RFCs on what a public/confidential means. Standing questions:
Answering these questions would inform the design of where this new column of truth should live. For example if an application can only define one acceptable grant type:
|
It's also worth noting this is a security vulnerability akin to CVE-2016-6582 but restricted only the the |
@f3ndot, thank you for looking into this. Maybe I'm missing a piece here, but to my understanding we still need to keep information on the application a token refers to ( |
@ostinelli It somewhat depends how you've written your business logic, but in general a token is tied to both a resource the user owns ( You get access from a token to a user's account via that But hey, maybe I'm wrong too! I'm not a super expert on the spec 😉 |
cough excuse me. I clearly need more ☕️ You are correct. Option 1 has less fidelity as you don't know which application that token belongs to, if using a public grant type. However, you cannot cryptographically guarantee that it belongs to that publicly auth'd application hence why it should be considered informational vs a truth. This is why I don't entirely mind that it is set to It may be too tempting for developers who don't fully understand OAuth 2.0's intent behind public and confidential grant types to rely on |
You definitely have more grasp than me on the subject :) My consideration mainly was: when a user authorizes an application, we clearly need to allow a developer know which user is authorized to access which application by a token. My understanding is that this is done with the I might just have missed a point though :) |
Hi @f3ndot @ostinelli . Where we are on this issue? |
We reverted to 3.x back then and patched it to our needs. I might come back to this and look what the situation is nowadays. |
Hi @ostinelli . It would be great if you could take a look at this issue. |
Hi, as per my previous message we reverted back and still are using 3.x. Haven't had the time to check the new code yet... |
@nbulaj This is still an active issue. Conveniently, because we now have an There is a tripping hazard where developers would not know that when I'll put up a PR for this issue today |
OAuth applications that obtain an access token using the "implicit" grant flow will have their ID set on the token record. Unfortunately this causes the revocation controller code to think it's as confidential application. Because of this, Doorkeeper enforces oauth client authentication and the revocation call fails. Fixes doorkeeper-gem#891
I've come across this issue just this week, and was looking to see if it was already reported. It looks like it's under control now with a clear direction to fix. Once the fix has been merged and potentially back ported to 4.x.x (?) should a CVE be opened for the issue so automated auditors could recommend the upgrade? |
Take a look at #1119 (comment) |
OAuth applications that obtain an access token using the "implicit" grant flow will have their ID set on the token record. Unfortunately this causes the revocation controller code to think it's as confidential application. Because of this, Doorkeeper enforces oauth client authentication and the revocation call fails. Fixes doorkeeper-gem#891 Add NEWS entry Add specs for both public and confidential apps in revocation
Whether or not we can backport to 4.x (although I'd love that), this should trigger another CVE. I'll request one now |
CVE requested via the Distributed Weakness Filing Project |
CVE-2018-1000211 assigned. |
OAuth applications that obtain an access token using the "implicit" grant flow will have their ID set on the token record. Unfortunately this causes the revocation controller code to think it's as confidential application. Because of this, Doorkeeper enforces oauth client authentication and the revocation call fails. Fixes doorkeeper-gem#891 Add specs for both public and confidential apps in revocation
WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891
…st install message: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 This adds the mentioned migration, but does not bother to set confidential to false for public applications. As far as I can tell, this just means that despite upgrading doorkeeper, it will still not be possible for public applications to revoke tokens, so we're no worse off than we were before. I believe that in doorkeeper 5, there will be a UI that allows application developers to decide if their application is "confidential" or not. I think it's ok for us to just wait for that day, and leave this effort on our various 3rd party developers.
…st install message: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 This adds the mentioned migration, but does not bother to set confidential to false for public applications. As far as I can tell, this just means that despite upgrading doorkeeper, it will still not be possible for public applications to revoke tokens, so we're no worse off than we were before. I believe that in doorkeeper 5, there will be a UI that allows application developers to decide if their application is "confidential" or not. I think it's ok for us to just wait for that day, and leave this effort on our various 3rd party developers.
…st install message: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 This adds the mentioned migration, but does not bother to set confidential to false for public applications. As far as I can tell, this just means that despite upgrading doorkeeper, it will still not be possible for public applications to revoke tokens, so we're no worse off than we were before. I believe that in doorkeeper 5, there will be a UI that allows application developers to decide if their application is "confidential" or not. I think it's ok for us to just wait for that day, and leave this effort on our various 3rd party developers.
…st install message: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 This adds the mentioned migration, but does not bother to set confidential to false for public applications. As far as I can tell, this just means that despite upgrading doorkeeper, it will still not be possible for public applications to revoke tokens, so we're no worse off than we were before. I believe that in doorkeeper 5, there will be a UI that allows application developers to decide if their application is "confidential" or not. I think it's ok for us to just wait for that day, and leave this effort on our various 3rd party developers.
* [Security] Bump doorkeeper from 4.2.6 to 4.4.0 Bumps [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) from 4.2.6 to 4.4.0. **This update includes security fixes.** - [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases) - [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/master/NEWS.md) - [Commits](doorkeeper-gem/doorkeeper@v4.2.6...v4.4.0) Signed-off-by: dependabot[bot] <support@dependabot.com> * add confidential column to oauth_applications WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 * add note on what this migration default value means some of our apps (first_party password / session grants and implicit) will require the non-default value of confidential = false * switch to non-confidential oauth application ensure the spec testing devise session to token via password grant (#101) uses a non-confidential application * add data migration for oauth confidential attribute set confidential to false for implicit, native apps as well as any first party apps that use the password grant without supplying the client secret (PFE / python client). * move comment to be more informative * only change apps we know use non-confidential password flow avoid changing other apps that may be using client_id & client_secrets to authenticate, only update the first party apps we know about.
Post-install message from doorkeeper: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891
Hello,
I'm using grant
implicit
to allow authorizing an application from mobile applications, by initiating the flow as follows:https://example.com/oauth2/authorize?response_type=token&client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&scope={REQUESTED_SCOPES}&state={STATE}
After a successful oauth flow, the generated token is saved in the
oauth_access_tokens
table jointly with the application referenced by the originalclient_id
value:#<Doorkeeper::AccessToken id: 396, resource_owner_id: 2, application_id: 1, token: "49d9a5c6232d6880e9b8df1c9369edf6bfc00aceedd5bb8164...", refresh_token: nil, expires_in: 1209600, revoked_at: nil, created_at: "2016-10-05 12:37:11", scopes: "profile">
The
oauth_access_grants
table is empty, as expected since usingimplicit
.When I try to revoke this token using the POST /oauth/revoke API endpoint (the one at the bottom, which does not require
client_id
orclient_secret
to be passed), it does not get revoked.Diving into the source code, I see in the
tokens_controller.rb
:However, as per above the token does specify the
application_id
, despite having used theimplicit
grant type.Hence, when I try to revoke this token I land in the controller's
authorized?
method:Where
token
is present and specifies anapplication_id
, howeverserver.client
isnil
henceauthorized?
returns false and the token does not get revoked.I'm using doorkeeper
4.2.0
.Is this expected behavior or am I missing something?
Thank you.
The text was updated successfully, but these errors were encountered: