oauth2: Protects consent flow against session fixation #754
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pnicolcev-tulipretail
pushed a commit
to pnicolcev-tulipretail/hydra
that referenced
this pull request
Jan 25, 2018
pnicolcev-tulipretail
pushed a commit
to pnicolcev-tulipretail/hydra
that referenced
this pull request
Jan 25, 2018
pnicolcev-tulipretail
pushed a commit
to pnicolcev-tulipretail/hydra
that referenced
this pull request
Jan 25, 2018
mgalagan-sugarcrm
pushed a commit
to sugarcrm/hydra
that referenced
this pull request
May 11, 2018
* docs: Incorporates changes from version v0.10.10 * vendor: Adds offline_access scope alias (ory#724) Closes ory#722 * oauth2: Prints debug message to logs and evaluate transmitting it to clients too (ory#727) Closes ory#715 * docs: Adds documentation on third-party deps (ory#728) Closes ory#716 * health: Stop requiring x-forwarded-proto (ory#731) Closes ory#726 * sdk: Adds php registry dummy (ory#733) * pkg: Adds pagination parsing helper * policy: Replaces pagination parser with helper * groups: Adds ListGroup and limit + offsets Closes ory#732 * sdk: Updates SDKs to implement list group capabilities * cli: Adds list groups command * group: Resolves CI test issues by removing group * config: Adds method to return ClusterURL without trailing slashes (ory#748) Closes ory#650 * Resolves issues with pagination (ory#750) * client: Returns 404 only when policy allows getting a client (ory#751) * oauth2: Protects consent flow against session fixation (ory#754) Closes ory#753 * docs: Incorporates changes from version v0.11.2 * teleme: Improves telemetry module and upgrades to segment 3.0.0 (ory#752) * docs: Incorporates changes from version v0.11.3 * oauth2: Resolves possible session fixation attack This patch resolves a vulnerability in the consent flow. This vulnerability affects versions 0.10.0 ~ 0.11.5 only. Versions < 0.10.0 are not affected. The vulnerability can be exploited as follows: 1. Malice initiates an OAuth 2.0 Authorization Code Flow: https://hydra/oauth2/auth?client=... 2. Hydra redirects malice to the consent app and appends consent id "example-id": https://consent-app/?consent=example-id 3. Malice convinces Bob to open url https://consent-app/?consent=example-id and authorize the access request. 4. The consent app would redirect Bob back to `https://hydra/oauth2/auth?client=...&consent=example-id`. However, through some means, Malice is able to prevent redirection of Bob's user agent. 5. Malice accesses the original auth code url and appends the consent id: `https://hydra/oauth2/auth?client=...&consent=example-id` 6. As the consent request is granted but not claimed, and because Malice's user agent contains the valid CSRF token, Malice receives an authorize code that is meant to be issued to Bob. 7. Malice can now act on Bob's behalf. For this attack to work, the following preconditions must be met: 1. Malice must be able to convince Bob to access the forged consent url. 2. Malice must be able to convince Bob to grant the forged consent request. 3. Malice must be able to prevent the consent app's redirect after successful consent request acceptance. 4. Malice must be able to perform this attack within the expiry (10 minutes) of the consent request. For these reasons, an exploit for this vulnerability is not likely, but possible. This patch closes the described vulnerability by requiring a `consent_csrf` value additional to the `consent` value in the query parameters of the authorization url. Without that value, the authorization code flow will not be successful. The `consent_csrf` is transmitted out-of-band to the consent app and not accessible to Malice. Let's revisit the example from above: 1. Malice initiates an OAuth 2.0 Authorization Code Flow: https://hydra/oauth2/auth?client=... - Hydra creates the consent request id and an additional CSRF token which is stored in the database and the encrypted cookie. Malice is not able to see the CSRF token. 2. Hydra redirects malice to the consent app and appends consent id "example-id": https://consent-app/?consent=example-id 3. Malice convinces Bob to open url https://consent-app/?consent=example-id and authorize the access request. 4. The consent app would redirect Bob back to `https://hydra/oauth2/auth?client=...&consent=example-id&consent_csrf=csrf_token`. The redirection URL is only accessible to the consent app and Bob's user agent. However, through some means, Malice is able to prevent redirection of Bob's user agent. 5. Malices does not know the value for `consent_csrf`, accessing `https://hydra/oauth2/auth?client=...&consent=example-id` without setting `consent_csrf` causes the request to fail and the consent to be revoked. This patch does not introduce breaking changes. Upgrading to the version which contains this patch does not require any code changes or deployment changes. * cmd: Adds OpenID Connect refresh handler Previously, it was impossible to refresh OpenID Connect ID Tokens. This is now possible as the factory has been added to the oauth2 factory in the host process. Closes ory#794 * metrics: Improves naming of traits (ory#803) Closes ory#802 * IDM-313: Fix tests after v0.11.9 merge to idm-master
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #753
ping @ekousp