oauth2: Resolves client secrets from potentially leaking to the database in cleartext #820
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mgalagan-sugarcrm
pushed a commit
to sugarcrm/hydra
that referenced
this pull request
May 30, 2018
…ase in cleartext (ory#820) This release resolves a security issue (reported by [platform.sh](https://www.platform.sh)) related to the fosite storage implementation in this project. Fosite used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, the storage adapter of this project chose to drop all of the key/value pairs to the database in plaintext. This implied that confidential parameters, such as the `client_secret` which can be passed in the request body since fosite version 0.15.0, were stored as key/value pairs in plaintext in the database. While most client secrets are generated programmatically (as opposed to set by the user) and most popular OAuth2 providers choose to store the secret in plaintext for later retrieval, we see it as a considerable security issue nonetheless. The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This also implies that typos (eg `client_secet`) won't "leak" to the database. There are no special upgrade paths required for this version. This issue does not apply to you if you do not use an SQL backend. If you do upgrade to this version, you need to run `hydra migrate sql path://to.your/database`. If your users use POST body client authentication, it might be a good move to remove old data. There are multiple ways of doing that. **Back up your data before you do this**: 1. **Radical solution:** Drop all rows from tables `hydra_oauth2_refresh`, `hydra_oauth2_access`, `hydra_oauth2_oidc`, `hydra_oauth2_code`. This implies that all your users have to re-authorize. 2. **Sensitive solution:** Replace all values in column `form_data` in tables `hydra_oauth2_refresh`, `hydra_oauth2_access` with an empty string. This will keep all authorization sessions alive. Tables `hydra_oauth2_oidc` and `hydra_oauth2_code` do not contain sensitive information, unless your users accidentally sent the client_secret to the `/oauth2/auth` endpoint. We would like to thank [platform.sh](https://www.platform.sh) for sponsoring the development of a patch that resolves this issue.
aeneasr
pushed a commit
that referenced
this pull request
Jun 3, 2018
…ase in cleartext (#820) This release resolves a security issue (reported by [platform.sh](https://www.platform.sh)) related to the fosite storage implementation in this project. Fosite used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, the storage adapter of this project chose to drop all of the key/value pairs to the database in plaintext. This implied that confidential parameters, such as the `client_secret` which can be passed in the request body since fosite version 0.15.0, were stored as key/value pairs in plaintext in the database. While most client secrets are generated programmatically (as opposed to set by the user) and most popular OAuth2 providers choose to store the secret in plaintext for later retrieval, we see it as a considerable security issue nonetheless. The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This also implies that typos (eg `client_secet`) won't "leak" to the database. There are no special upgrade paths required for this version. This issue does not apply to you if you do not use an SQL backend. If you do upgrade to this version, you need to run `hydra migrate sql path://to.your/database`. If your users use POST body client authentication, it might be a good move to remove old data. There are multiple ways of doing that. **Back up your data before you do this**: 1. **Radical solution:** Drop all rows from tables `hydra_oauth2_refresh`, `hydra_oauth2_access`, `hydra_oauth2_oidc`, `hydra_oauth2_code`. This implies that all your users have to re-authorize. 2. **Sensitive solution:** Replace all values in column `form_data` in tables `hydra_oauth2_refresh`, `hydra_oauth2_access` with an empty string. This will keep all authorization sessions alive. Tables `hydra_oauth2_oidc` and `hydra_oauth2_code` do not contain sensitive information, unless your users accidentally sent the client_secret to the `/oauth2/auth` endpoint. We would like to thank [platform.sh](https://www.platform.sh) for sponsoring the development of a patch that resolves this issue.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This release resolves a security issue (reported by platform.sh) related to the fosite storage implementation in this project. Fosite used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, the storage adapter of this project chose to drop all of the key/value pairs to the database in plaintext.
This implied that confidential parameters, such as the
client_secretwhich can be passed in the request body since fosite version 0.15.0, were stored as key/value pairs in plaintext in the database. While most client secrets are generated programmatically (as opposed to set by the user) and most popular OAuth2 providers choose to store the secret in plaintext for later retrieval, we see it as a considerable security issue nonetheless.The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This also implies that typos (eg
client_secet) won't "leak" to the database.There are no special upgrade paths required for this version.
This issue does not apply to you if you do not use an SQL backend. If you do upgrade to this version, you need to run
hydra migrate sql path://to.your/database.If your users use POST body client authentication, it might
be a good move to remove old data. There are multiple ways of doing that. Back up your data before you do this:
hydra_oauth2_refresh,hydra_oauth2_access,hydra_oauth2_oidc,hydra_oauth2_code. This implies that all your users have to re-authorize.form_datain tableshydra_oauth2_refresh,hydra_oauth2_accesswithan empty string. This will keep all authorization sessions alive. Tables
hydra_oauth2_oidcandhydra_oauth2_codedo not contain sensitive information, unless your users accidentally sent the client_secret to the
/oauth2/authendpoint.We would like to thank platform.sh for sponsoring the development of a patch that resolves this issue.