-
Notifications
You must be signed in to change notification settings - Fork 184
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[QA] Browser session is valid for newly created user of same name #904
Comments
@C0rby maybe exploitable like this:
|
Oooh, that is interesting and tricky since oidc is a stateless mechanism AFAIK and there is no central "session" we could invalidate. |
David Christofas commented: So after a bit of research I found the following options:
Both options are not really satisfying. I think this issue requires some more brainstorming together with the team. |
Jörn Friedrich Dreyer commented: optimal solution: idp sends the |
Ilja Neumann commented: Contacted upstream with the proposal of [~jfd]. Meanwhile we could quickly implement this feature in a fork and use that until the change has landed it upstream. We done this before. |
|
This issue still exists
simplescreenrecorder-2022-12-14_10.36.08.mp4started ocis with docker |
Since my last update of ocis last week I believe, I am no longer able to login (access denied). Im using Authelia, and my setup has been working for a long time. I see no breaking changes, but now I'm being asked for a claim, which I never used. Now I'm being spammed with:
I searched the docs, I've tried to add various options such the ones below, to no avail. Can you please advise?
Using ocis web with docker, windows client and the android client. All latest versions. |
This reverts commit 52951b4. The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of owncloud#904 Fixes owncloud#6368
This reverts commit 52951b4. The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of owncloud#904 Fixes owncloud#6415
This reverts commit 52951b4. The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of owncloud#904 Fixes owncloud#6415
This reverts commit 52951b4. The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of #904 Fixes #6415
This reverts commit 52951b4. The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of #904 Fixes #6415
This avoids that recreating the user with the same name will create the same "sub" claim. Even though it gets a new UUID Fixes: #904
Reconfigure the oidc clients for lico, so that lico adds the "lg.uuid" to tokens and userinfo by default. That claim will contain the userid. So we can now use the userid for matching users when using the default idm/idp configuration. This fixes further problems so that users being recreated with the same name are correctly treated as differnt users. Fixes: #904
This reverts commit 52951b4. The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of #904 Fixes #6415
Although a newly created user with the same name couldn't access the data of the previously created user of the same name, the browser session still remains logged in even after you change the entire credential (including password). Only when you change the username will the session redirects to logout. preview.mp4
preview2.mp4 |
To really fix this, I think we need to address libregraph/lico#98 first. After that we can bring back the original fix for the issue: 52951b4 |
@micbar does it make sense to tackle this, since we are planning to move to another idp? |
As just discussed and agreed on:
-> the old user has at most 5 mins to view personal files of the new user and these files first need to be uploaded BUT: this scenario has to be retested when the idp is changed |
Setup via docker-compose-eos-test.yml from branch
fix-yml-for-rc5
on localhostFrom the WEB UI:
This is a corner case, but may lead to access to a wrong account's data.
Expected behaviour: sessions remain invalidated forever, once the user is deleted.
The text was updated successfully, but these errors were encountered: