fix(Session): avoid password confirmation on SSO #43942
Conversation
blizzz
requested review from
nickvergessen,
ArtificialOwl,
ChristophWurst,
juliushaertl,
julien-nc and
nc-fkl
|
@ArtificialOwl do you think it works with GSS, there is also an IApacheBackend implemented, or would this be tricky? |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
The scopes are for "what to access". Bringing in the origin into it sounds like abuse? |
You could argue that, definitely. Extending the Tokens would break API though. |
blizzz
force-pushed
the
fix/43612/avoid-pwd-confirm-sso
branch
from
6c63a57
to
9ed2917
Compare
You could also argue that this new scope allow you to access password confirmation requiring endpoints without the password. |
| $sessionId = $this->session->getId(); | ||
| $token = $this->tokenProvider->getToken($sessionId); | ||
| $scope = $token->getScopeAsArray(); | ||
| if (isset($scope['sso-based-login']) && $scope['sso-based-login'] === true) { |
There was a problem hiding this comment.
Should we actually make those strings constants (also the only other scope filesystem) and put them to IToken so that we have somehow documented what is in use?
There was a problem hiding this comment.
Actually, yes, good idea. But perhaps only 29+.
blizzz
force-pushed
the
fix/43612/avoid-pwd-confirm-sso
branch
3 times, most recently
from
9c4d59e
to
e050f03
Compare
blizzz
added
2. developing
blizzz
force-pushed
the
fix/43612/avoid-pwd-confirm-sso
branch
from
416acb9
to
ab94c02
Compare
SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
blizzz
force-pushed
the
fix/43612/avoid-pwd-confirm-sso
branch
from
ab94c02
to
f6d6efe
Compare
|
/backport 340939e to stable29 |
|
/backport 340939e to stable28 |
blizzz
added
3. to review
|
/backport 340939e to stable27 |
nickvergessen
added
the
pending documentation
Summary
SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories.
Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated.
The root source might be elsewhere actually… The last-password-confirm value in the session that both SAML and OIDC store should persists (otherwise, if session data was lost, the SAML user would be logged out). It might be overwritten from elswhere, though I could not find a good candidate either. Anyway, modifying that timestamp in the session was a hack from the start.
Todos
Checklist