Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check for sub claim, not username, when validating #310

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Check for sub claim, not username, when validating #310

wants to merge 7 commits into from

Conversation

rhansen
Copy link

@rhansen rhansen commented Aug 12, 2020
edited
Loading

Not all IdPs provide a username or email claim in the UserInfo response.

This is a partial fix to #309. A more complete fix would:

  • Use sub and iss for whitelisting instead of username. (Or at least add sub+iss filtering as a separate option, and add warnings to username whitelisting that explain its security flaws.)
  • Extract iss from id_token and save it in structs.User and jwtmanager.VouchClaims.

@bnfinet bnfinet mentioned this pull request Dec 7, 2020
Open
@djcrabhat djcrabhat mentioned this pull request Feb 19, 2021
Closed
@bnfinet bnfinet mentioned this pull request Aug 25, 2021
Closed
bnfinet and others added 7 commits November 21, 2021 20:09
@bnfinet @rhansen
remove ID, a vestige of the db
0ef511d
@bnfinet @rhansen
Delete unused GoogleUser struct
2f8a037
@rhansen
Delete unused fields from AliData
5b332a3
@rhansen
GitHub: Simplify User object copy
bab9864
@rhansen
GitHub: Fix user info sample used for testing
2efe90c 
GitHub doesn't provide username, createdon, lastupdate, or sub in the
user info JSON it returns.
@bnfinet @rhansen
GitHub: Improve debug logging
8298dda
@rhansen @bnfinet
Check for sub claim, not username, when validating
270fa9f 
Not all IdPs provide a `username` or `email` claim in the UserInfo
response, and many IdPs allow users to change their username or email
address.

Co-authored-by: Benjamin Foote <git@bnf.net>
erictapen
erictapen reviewed Nov 22, 2021
View reviewed changes
Copy link

@erictapen erictapen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When using this code in my setup, I was able to solve the exact problem described in #309, so thank you!

@erictapen erictapen mentioned this pull request Nov 22, 2021
Closed
@Firstyear
Copy link

@rhansen I think that there should also be a check here for preferred_username which is the defined claim in OIDC per:

https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims

sub should always be the "primary key" but preferred_username is the correct username claim to use, and then you should fall back to username if preferred_username was not presented.

@aaronpk
Copy link
Collaborator

aaronpk commented Feb 22, 2022

From the openid spec about the preferred_username:

The RP MUST NOT rely upon this value being unique

This is meant for display purposes, but not meant to differentiate between accounts. This is not at all the same as sub

@Firstyear
Copy link

I ... mentioned that. sub is the primary key, and preferred username is for display.

@aaronpk
Copy link
Collaborator

aaronpk commented Feb 22, 2022

Unless I'm horribly out of date, Vouch doesn't have the concept of a display username, so it should never use preferred_username

@bnfinet
Copy link
Member

bnfinet commented Feb 22, 2022

@aaronpk that's correct, VP does not utilize preferred_username. It can be passed downstream in a header but VP doesn't use it.

@mig5
Copy link
Contributor

mig5 commented Mar 30, 2022
edited
Loading

that's correct, VP does not utilize preferred_username. It can be passed downstream in a header but VP doesn't use it.

From my experience though, Vouch does however expect a generic OIDC provider to return 'Username' in order to evaluate things such as its username 'whitelist', which is equally as wrong. This is overridden for certain specific vendor OPs supported in Vouch, but not for the generic provider.

In my own OP, the claim is called something like foobarID (the user cannot change it or influence the value of it, so I willfully ignore the warning in the spec about relying on something like it, like a username). I had to change my OP to also send a claim called Username with the same value as the foobarID claim, before I could use things like the Username 'whitelist' in the Vouch config.

The best solution would be to allow specifying the claim param that is to be treated as the Username. As has been mentioned here, the technically-correct value per the spec is that of the 'sub'. But in practical terms, for things like 'whitelist' or other evaluations on a 'human friendly' name, it would be good to be able to configure it.

Apache's mod_authz_openid for example lets you do Require claim someclaim:somevalue as an equivalent of Vouch's user 'whitelist'.

@arun-898 arun-898 mentioned this pull request Aug 19, 2022
Open
@turboMaCk
Copy link

Hello. I would like to use vouch-proxy but seeing this open since Aug 12, 2020 is sort of blocking for me. Is there any plan on how to address the issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erictapen erictapen erictapen left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@rhansen @Firstyear @aaronpk @bnfinet @mig5 @turboMaCk @erictapen