0.11 #796
Merged
0.11 #796
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch resolves a vulnerability in the consent flow. This vulnerability
affects versions 0.10.0 ~ 0.11.5 only. Versions < 0.10.0 are not affected.
The vulnerability can be exploited as follows:
1. Malice initiates an OAuth 2.0 Authorization Code Flow:
https://hydra/oauth2/auth?client=...
2. Hydra redirects malice to the consent app and appends consent
id "example-id": https://consent-app/?consent=example-id
3. Malice convinces Bob to open url https://consent-app/?consent=example-id
and authorize the access request.
4. The consent app would redirect Bob back to
`https://hydra/oauth2/auth?client=...&consent=example-id`. However,
through some means, Malice is able to prevent redirection of Bob's
user agent.
5. Malice accesses the original auth code url and appends the consent id:
`https://hydra/oauth2/auth?client=...&consent=example-id`
6. As the consent request is granted but not claimed, and because Malice's
user agent contains the valid CSRF token, Malice receives an authorize
code that is meant to be issued to Bob.
7. Malice can now act on Bob's behalf.
For this attack to work, the following preconditions must be met:
1. Malice must be able to convince Bob to access the forged consent url.
2. Malice must be able to convince Bob to grant the forged consent request.
3. Malice must be able to prevent the consent app's redirect after
successful consent request acceptance.
4. Malice must be able to perform this attack within the expiry (10 minutes)
of the consent request.
For these reasons, an exploit for this vulnerability is not likely,
but possible.
This patch closes the described vulnerability by requiring a
`consent_csrf` value additional to the `consent` value in the query
parameters of the authorization url. Without that value, the authorization
code flow will not be successful. The `consent_csrf` is transmitted out-of-band
to the consent app and not accessible to Malice. Let's revisit the example
from above:
1. Malice initiates an OAuth 2.0 Authorization Code Flow:
https://hydra/oauth2/auth?client=...
- Hydra creates the consent request id and an additional CSRF token
which is stored in the database and the encrypted cookie. Malice
is not able to see the CSRF token.
2. Hydra redirects malice to the consent app and appends consent
id "example-id": https://consent-app/?consent=example-id
3. Malice convinces Bob to open url https://consent-app/?consent=example-id
and authorize the access request.
4. The consent app would redirect Bob back to
`https://hydra/oauth2/auth?client=...&consent=example-id&consent_csrf=csrf_token`.
The redirection URL is only accessible to the consent app and Bob's user agent.
However, through some means, Malice is able to prevent redirection of Bob's
user agent.
5. Malices does not know the value for `consent_csrf`, accessing
`https://hydra/oauth2/auth?client=...&consent=example-id` without
setting `consent_csrf` causes the request to fail and the consent to
be revoked.
This patch does not introduce breaking changes. Upgrading to the version
which contains this patch does not require any code changes or deployment
changes.
Previously, it was impossible to refresh OpenID Connect ID Tokens. This is now possible as the factory has been added to the oauth2 factory in the host process. Closes #794
Add docs/sdk/php.md Signed-off-by: Philip Nicolcev <[email protected]>
…ase in cleartext (#820) This release resolves a security issue (reported by [platform.sh](https://www.platform.sh)) related to the fosite storage implementation in this project. Fosite used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, the storage adapter of this project chose to drop all of the key/value pairs to the database in plaintext. This implied that confidential parameters, such as the `client_secret` which can be passed in the request body since fosite version 0.15.0, were stored as key/value pairs in plaintext in the database. While most client secrets are generated programmatically (as opposed to set by the user) and most popular OAuth2 providers choose to store the secret in plaintext for later retrieval, we see it as a considerable security issue nonetheless. The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This also implies that typos (eg `client_secet`) won't "leak" to the database. There are no special upgrade paths required for this version. This issue does not apply to you if you do not use an SQL backend. If you do upgrade to this version, you need to run `hydra migrate sql path://to.your/database`. If your users use POST body client authentication, it might be a good move to remove old data. There are multiple ways of doing that. **Back up your data before you do this**: 1. **Radical solution:** Drop all rows from tables `hydra_oauth2_refresh`, `hydra_oauth2_access`, `hydra_oauth2_oidc`, `hydra_oauth2_code`. This implies that all your users have to re-authorize. 2. **Sensitive solution:** Replace all values in column `form_data` in tables `hydra_oauth2_refresh`, `hydra_oauth2_access` with an empty string. This will keep all authorization sessions alive. Tables `hydra_oauth2_oidc` and `hydra_oauth2_code` do not contain sensitive information, unless your users accidentally sent the client_secret to the `/oauth2/auth` endpoint. We would like to thank [platform.sh](https://www.platform.sh) for sponsoring the development of a patch that resolves this issue.
This issue solves a broken update with godep and properly includes the 0.17.0 fosite patch.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before creating your pull request, make sure that you have
signed the DOC. You can ammend your
signature to the current commit using
git commit --amend -s.Please create PRs only for bugs, or features that have been discussed with the maintainers, either at the
ORY Community or join the ORY Chat.
If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub
and send us an email to [email protected] instead.
Please remove this template if you completed the steps from above.