A user can override claims propagated to a backend service.

[LukaszMarchewka]

Describe the bug
A user can override claims when a configurations uses JWT validator with propagate-claims and headers_to_pass

Your configuration file

{
  "version": 2,
  "endpoints": [
    {
      "endpoint": "/api",
      "output_encoding": "no-op",
      "querystring_params": [
        "*"
      ],
      "extra_config": {
        "github.com/devopsfaith/krakend-jose/validator": {
          "alg": "RS256",
          "jwk-url": "http://keycloak:8080/auth/realms/test/protocol/openid-connect/certs",
          "disable_jwk_security": true,
          "propagate-claims": [
            [
              "scope",
              "x-user-scope"
            ],
            [
              "preferred_username",
              "x-user-username"
            ],
            [
              "email",
              "x-user-email"
            ]
          ]
        }
      },
      "headers_to_pass": [
        "x-user-scope",
        "x-user-username",
        "x-user-email"
      ],
      "backend": [
        {
          "host": [
            "localhost:8080"
          ],
          "url_pattern": "/__debug",
          "encoding": "no-op"
        }
      ]
    }
  ],
  "extra_config": {}
}

Commands used
I have started keycloak locally, configured test realm with one user using command:

docker network create krakend-test

docker run --rm --name keycloak -p 8081:8080 \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=admin \
  --net krakend-test \
  -d jboss/keycloak:13.0.0

docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --client admin-cli --password admin

docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh create realms -s realm=test -s enabled=true

docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh create clients -r test -s clientId=trusted -s enabled=true -s directAccessGrantsEnabled=true -s publicClient=true

docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh create users -r test -s username=user -s enabled=true -s email=user@example.com

docker exec keycloak /opt/jboss/keycloak/bin/kcadm.sh set-password -r test --username user --new-password=password

After that I have started krakend:

docker run --rm --name kraken -p 8080:8080 \
  -v "${PWD}/krakend.json:/etc/krakend/config/krakend.json" \
  --net krakend-test \
  devopsfaith/krakend run -d -c /etc/krakend/config/krakend.json

Now I have to authenticate and then use the Access Token to execute request to Krakend

ACCESS_TOKEN=`curl -v -X POST 'localhost:8081/auth/realms/test/protocol/openid-connect/token' \
-u trusted: \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=password' \
-d 'username=user' \
-d 'password=password' | jq -r .access_token`

curl 'localhost:8080/api' -H "Authorization: Bearer ${ACCESS_TOKEN}"

I see everything is fine in krakend logs

[GIN-debug] redirecting request 301: /__debug/ --> /__debug/
2021/06/04 07:57:28  DEBUG: [Method: GET]
2021/06/04 07:57:28  DEBUG: [URL: /__debug/]
2021/06/04 07:57:28  DEBUG: [Query: map[]]
2021/06/04 07:57:28  DEBUG: [Params: [{param /}]]
2021/06/04 07:57:28  DEBUG: [Headers: map[Accept-Encoding:[gzip] Referer:[http://localhost:8080/__debug] User-Agent:[KrakenD Version 1.3.0] X-Forwarded-For:[172.20.0.1] X-Forwarded-Host:[localhost:8080] X-User-Email:[user@example.com] X-User-Scope:[profile email] X-User-Username:[user]]]
2021/06/04 07:57:28  DEBUG: [Body: ]
[GIN] 2021/06/04 - 07:57:28 | 200 |      170.87µs |      172.20.0.1 | GET      "/__debug/"
[GIN] 2021/06/04 - 07:57:28 | 200 |   28.302619ms |      172.20.0.1 | GET      "/api"

But now I'm going to execute the same request as before but I want to explicitly set headers x-user-email, x-user- username and x-user-scope

curl 'localhost:8080/api' -H "Authorization: Bearer ${ACCESS_TOKEN}" -H 'x-user-email: admin@example.com' -H 'x-user-username: admin' -H 'x-user-scope: admin'

Logs from krakend:

[GIN-debug] redirecting request 301: /__debug/ --> /__debug/
2021/06/04 08:00:48  DEBUG: [Method: GET]
2021/06/04 08:00:48  DEBUG: [URL: /__debug/]
2021/06/04 08:00:48  DEBUG: [Query: map[]]
2021/06/04 08:00:48  DEBUG: [Params: [{param /}]]
2021/06/04 08:00:48  DEBUG: [Headers: map[Accept-Encoding:[gzip] Referer:[http://localhost:8080/__debug] User-Agent:[KrakenD Version 1.3.0] X-Forwarded-For:[172.20.0.1] X-Forwarded-Host:[localhost:8080] X-User-Email:[admin@example.com user@example.com] X-User-Scope:[admin profile email] X-User-Username:[admin user]]]
2021/06/04 08:00:48  DEBUG: [Body: ]
[GIN] 2021/06/04 - 08:00:48 | 200 |     173.059µs |      172.20.0.1 | GET      "/__debug/"
[GIN] 2021/06/04 - 08:00:48 | 200 |    27.46322ms |      172.20.0.1 | GET      "/api"

As you can see these headers are wrong now (user can override climes from JWT):

• x-user-username contains admin and user
• x-user-scope contains admin profile and email
• x-user-email contains admin@example.com and user@example.com

Expected behavior
headers passed to backend service shouldn't contain headers provided explicitly by user like admin. It allows to execute very bad attacks easily. Of course that behavior is desired only for configuration with propagate-claims.

[kpacha]

this should be fixed in v1.4.0 (to be released next week)

this is the related PR: krakend/krakend-jose#63

[LukaszMarchewka]

awesome, thank you :)

[github-actions]

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.