Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: pass associated oauth client data to token hook #3790

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

terev
Copy link
Contributor

@terev terev commented Jul 2, 2024

Enables passing a sanitized copy of the associated oauth client to token hooks. I left the ClientID parameter as is to avoid this being a breaking change.

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

@terev terev requested review from aeneasr, hperl and alnr as code owners July 2, 2024 18:23
@terev terev changed the title feat: Pass sanitized payload+client metadata to token hook feat: pass sanitized payload+client metadata to token hook Jul 2, 2024
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thank you for your contribution! This looks pretty good and I have some ideas how to improve it further :)

Makefile Outdated Show resolved Hide resolved
GrantedScopes: requester.GetGrantedScopes(),
GrantedAudience: requester.GetGrantedAudience(),
GrantTypes: requester.GetGrantTypes(),
Payload: requester.Sanitize([]string{"assertion"}).GetRequestForm(),
Payload: payload,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a fundamentally different approach to forwarding request data:

  • Before: We restrict the list of parameters to a set of known values that don't leak sensitive data
  • Now: We try to guesstimate a list of parameters we better not include but can not guarantee that all requirements are met

I'm really not sure if I agree with this approach. I would rather extend the default allowed parameters to include all known parameters that are OK to forward like prompt etc.

The problem with the parameters is that it includes data from the POST payload which is quite likely to contain sensitive things like tokens, passwords, assertions, signatures, ...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aeneasr

Thanks for having a look, really appreciate your team's work! My goal is to pass any additional and non sensitive parameters to the token hook. I was unable to find any guidelines around transmission of additional token endpoint parameters other than that they have to be stored. So I figured this meant they might be fine to utilize in an extensible manner.

For my approach, my thinking was that the set of sensitive parameters for a given token request is actually constrained based on the grant types requested. So its easy to determine this set and filter them out. Is there additional sensitive parameters I didn't include? For what its worth assertion is already specifically leaked to token hooks.

A couple other approaches i considered:

  • Always filter all sensitive parameters out but I opted to generate the set based on grant type so there's a clean signal of test failure if a new grant type is added but not supported by this function.
  • Make the list of acceptable additional parameters configurable in the token_hook (with validation to exclude any oauth params).

oauth2/token_hook.go Outdated Show resolved Hide resolved
@terev terev force-pushed the payload-to-token-hook branch from 7f342c5 to 7c8319d Compare July 17, 2024 05:12
@terev terev changed the title feat: pass sanitized payload+client metadata to token hook feat: pass associated oauth client data to token hook Jul 17, 2024
@terev
Copy link
Contributor Author

terev commented Jul 17, 2024

@aeneasr I've reduced the scope of this mr to just passing the oauth client to the token hook, as it seems like the extra parameters part of the original motivation was controversial. I would still be very interested to hear your thoughts on this if you have any.

@terev terev requested a review from aeneasr July 17, 2024 05:20
@terev terev force-pushed the payload-to-token-hook branch from 7c8319d to 72d8556 Compare July 25, 2024 17:42
@aeneasr aeneasr self-requested a review September 16, 2024 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants