Bugfix/OIDC aud field check #1640
FracassandoCasualmente wants to merge 4 commits into neicnordic:main from
Adds an alternative (evil) OIDC client that uses an access token of its own to impersonate a user in SDA
Avoids vulnerability where another OIDC client uses a user's token to log into SDA, impersonating the latter's identity
This client was used to demonstrate a vulnerability caused by not checking the 'aud' field in OIDC tokens.
jbygdell left a comment:
Hi,
Thank you for your contribution.
We agree that this is something that needs addressing. Since the token authentication is used by several applications, this will require changes to other parts of the code as well, mainly in the authenticator initiation and configurations, which in turn requires changes to the Helm chart and the test suite.
Removing unnecessary code

Still need to add audience verification using jwt.Parse

Co-authored-by: Joakim Bygdell <j.bygdell@gmail.com>
Hello! Regarding the changes that are missing, I don't really have experience with Helm charts nor broad knowledge of the code base, so it would take me some time (1+ month?) to fix.
Related issue(s) and PR(s)
This PR closes #1639.
Description
Resolves a vulnerability where a rogue server could impersonate any user who logs into it, enabling unauthorized access to any SDA instance using LS AAI.
How to test
make sda-s3-up
curl -H "Authorization: Bearer $token" localhost:8090/files
sda-cli -config s3cmd.conf list
and check that the inbox returns an error response
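The check this PR introduces, written out as an added example rather than the PR's own diff or the neicnordic project's code (the project's fix goes through a JWT library's jwt.Parse, per the commit message above): a verifier that accepts a token only when its aud claim names this service, so a token minted for some other OIDC client is refused even though its signature is valid. HS256 with a constructed shared secret stands in for the provider's real signing key, and the audience "sda", the subjects and the "other-client" audience are constructed values. The example goes slightly beyond the PR text by handling both forms the aud claim may take under RFC 7519 (a single string or an array of strings) and by refusing to run without an expected audience at all.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// claims is the subset of the JWT payload this check needs. RFC 7519 §4.1.3
// allows "aud" to be a string or an array of strings, so it is kept raw here
// and normalised by audiences() below.
type claims struct {
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 mints a token the way a test OIDC provider would. Constructed stand-in:
// a real provider signs with RS256/ES256 and publishes a JWKS, but the audience
// logic below does not depend on the signing algorithm.
func signHS256(payload map[string]any, secret []byte) string {
	header := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(payload)
	signingInput := header + "." + b64url(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil))
}

// audiences normalises the raw "aud" claim to a slice of strings.
func audiences(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, errors.New("token has no aud claim")
	}
	var single string
	if err := json.Unmarshal(raw, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err == nil {
		return many, nil
	}
	return nil, errors.New("aud claim is neither a string nor an array of strings")
}

// verifyToken checks the HS256 signature and then requires expectedAud to be one
// of the token's audiences, returning the subject on success. Without the
// audience step, a valid token issued to any other OIDC client would be
// accepted here and its sub trusted, which is the impersonation the PR closes.
func verifyToken(token string, secret []byte, expectedAud string) (string, error) {
	if expectedAud == "" {
		return "", errors.New("refusing to verify without an expected audience")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return "", errors.New("unexpected or missing alg in header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("invalid signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c claims
	if err := json.Unmarshal(body, &c); err != nil {
		return "", err
	}
	auds, err := audiences(c.Aud)
	if err != nil {
		return "", err
	}
	for _, a := range auds {
		if a == expectedAud {
			return c.Sub, nil
		}
	}
	return "", fmt.Errorf("token audience %v does not include %q", auds, expectedAud)
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed, not a real key
	ours := signHS256(map[string]any{"sub": "alice", "aud": "sda"}, secret)
	other := signHS256(map[string]any{"sub": "alice", "aud": "other-client"}, secret)
	for _, tok := range []string{ours, other} {
		sub, err := verifyToken(tok, secret, "sda")
		fmt.Printf("sub=%q err=%v\n", sub, err)
	}
}
```

The first token is accepted and the second, carrying the same subject but a different audience, is refused with an error naming both audiences, which is the response the "How to test" steps above expect from the inbox. A production verifier would also check exp, iss and the signing key from the provider's JWKS; those are left out here to keep the audience logic in view.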