auth: OIDC login UX (include code in login URL) #3248
Labels: auth-credentials (authentication, authorization, credentials, AWS Builder ID, sso); feature-request (New feature or enhancement. May require GitHub community feedback.); pending-release; security
Following on from #3229 (comment)
I don't think the current behaviour addresses the phishing concern: The phishing concern referenced is that a code flow can be initiated on a device the attacker controls, e.g. by presenting a URL to the user in email, and then the mitigations talk about what the SSO portal should do to ensure that the user is actually in possession of the 'device' in question.
For this vscode extension, the device is VSCode itself. But since VSCode can show URLs, a malicious extension can almost certainly trigger a URL to be presented that requests device code authorisation from the user. In this scenario the AWS extension isn't even involved (except perhaps by being present it increases the false confidence the user might have in the code request).
The recommended mitigations are to get the user to check that they can see the code they are requesting on the device they think they are approving.
Something like: rather than the current prompt, "`<client>` to access `<scopes>`", the confirmation prompt should be "authorise `<client>` which is showing code `<CODE>` to access `<scopes>`". Or some similar thing.

tl;dr: The code not being included in the request by the vscode extension doesn't mitigate the security concerns at all; that needs to be done with changes to the portal and the extension UI.
Note that the `aws sso login` is also significantly vulnerable to this problem, though it already shows the code clearly, but the portal lets things down.
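The portal-side change argued for above, as an added example that is not code from the issue or the aws-toolkit-vscode project: a small in-memory model of the device-authorization flow in which the confirmation prompt is built from server-held state keyed by the user code, so it shows client, code and scopes together for the user to compare against their own device. The class, method and URL names are assumptions.

```python
# Added example (not the aws-toolkit-vscode project's code): an in-memory model
# of the RFC 8628 device-authorization flow, showing how the portal can build a
# confirmation prompt that binds client, user code and scopes, so the user can
# cross-check it against what their own device is showing.
import secrets
import string


class DeviceAuthServer:
    """Constructed stand-in for an SSO portal; names and URLs are assumptions."""

    def __init__(self, verification_uri="https://sso.example/device"):
        self.verification_uri = verification_uri
        self.pending = {}  # user_code -> request state

    def start(self, client_name, scopes):
        # Called by the device (e.g. an IDE extension); the user_code is what the
        # device must display so the user can compare it with the portal prompt.
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        device_code = secrets.token_urlsafe(32)
        self.pending[user_code] = {"client": client_name, "scopes": list(scopes),
                                   "device_code": device_code, "approved": False}
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": self.verification_uri,
            # Pre-filling the code in the URL is a convenience, not a mitigation.
            "verification_uri_complete": f"{self.verification_uri}?user_code={user_code}",
        }

    def confirmation_prompt(self, user_code):
        # Portal side: the prompt comes from server-held state keyed by the code,
        # so client, code and scopes are shown together for the user to check.
        req = self.pending.get(user_code)
        if req is None:
            return None
        return (f"authorise {req['client']} which is showing code {user_code} "
                f"to access {', '.join(req['scopes'])}")

    def approve(self, user_code):
        self.pending[user_code]["approved"] = True

    def poll_token(self, device_code):
        # The device polls with device_code; only an approved request yields a token.
        for req in self.pending.values():
            if req["device_code"] == device_code:
                if req["approved"]:
                    return {"access_token": secrets.token_urlsafe(16)}
                return {"error": "authorization_pending"}
        return {"error": "invalid_grant"}
```

A user who is shown a prompt naming a client or code that does not match what their own VSCode window displays has a concrete reason to decline, which is the check the verification URL alone cannot give them.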