-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change the application access authentication flow #17592
Conversation
593d08f
to
f283234
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In term of security and protection against Login CSRF, the current implementation is comparable to the previous one. I did leave one comment, since I believe this mechanism will break for teleport installations that are configured with multiple public IPs/Domain names.
However, it's important to note that this security mechanism fully relies on a properly configured CORS policy. Given that the Access-Control-Allow-Origin
uses the teleport's configuration (public_addr
field), it is particularly important to ensure that all hostnames listed in this setting are trusted. Arbitrary HTML/Javascript hosted under such domains will have full access to cross-origin requests hence bypassing this protection.
Arbitrary HTML/JS on any proxy address is an issue in general, as it'll give access to the proxy API without CORS being needed. I don't see this being an issue, there would be more attack vectors if there was arbitrary HTML/JS on a proxy endpoint than a That being said, I wouldn't be against a HMAC signature for the cookie that's also passed along, so brute force attempts to guess a cookie value couldn't be achieved. Thanks for taking the time to review this. |
Agree. I was mostly concerned about a user's misconfiguration in which the CORS Access-Control-Allow-Origin returns an host that is not owned by the admin. E.g. dangling DNS records |
f283234
to
3676f04
Compare
3676f04
to
1927781
Compare
1927781
to
fcaa36c
Compare
d5fa235
to
e5ff95d
Compare
428323b
to
3fbbe08
Compare
8272108
to
d67a71a
Compare
e9e4394
to
6a0c4d6
Compare
6a0c4d6
to
fc69f29
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ryanclark I tried this branch in my local cluster and I can't connect to any applications. I get "Access to XXX was denied" from the browser.
dfe322c
to
fdde943
Compare
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
dcd9fb4
to
639c9e5
Compare
Reverted parts of: #17592 Kept json field renames
Reverted parts of: #17592 Kept json field renames
…okie block (#30321) * Copy pasta revert back to previous app redirection logic Reverted parts of: #17592 Kept json field renames * Remove unused fields (were renamed while back) * Refactor previous implementation - Create unique cookie for each state token created - Preserve path and queries * Split handlers * Fix tests and lint * Address CR * Add backwards compatability * Emit errs with invalid vals and attempt to delete session * Update test * Address CRs * Fix lint
…okie block (#30321) * Copy pasta revert back to previous app redirection logic Reverted parts of: #17592 Kept json field renames * Remove unused fields (were renamed while back) * Refactor previous implementation - Create unique cookie for each state token created - Preserve path and queries * Split handlers * Fix tests and lint * Address CR * Add backwards compatability * Emit errs with invalid vals and attempt to delete session * Update test * Address CRs * Fix lint
…rty cookie block (#37692) * Fix app redirection loop on browser's incognito mode and 3rd party cookie block (#30321) * Copy pasta revert back to previous app redirection logic Reverted parts of: #17592 Kept json field renames * Remove unused fields (were renamed while back) * Refactor previous implementation - Create unique cookie for each state token created - Preserve path and queries * Split handlers * Fix tests and lint * Address CR * Add backwards compatability * Emit errs with invalid vals and attempt to delete session * Update test * Address CRs * Fix lint * Fix import
Previously, we'd pass the value of the cookie that needed to be set to
/x-teleport-auth
via thePOST
body. This opened it up to CSRF attacks, which was mediated by implementing a?state=
query param and a cookie.This added quite a few different redirects, which can be simplified by allowing cross origin requests from the proxy address to the application's
/x-teleport-auth
endpoint, and sending the cookie value via a customX-Cookie-Value
header instead.Custom headers cannot be added to
<form>
elements, nor included in ano-cors
fetch()
request. This means a user cannot be tricked into launching an application by a third party malicious actor.This would fix #15935, as we're no longer relying on the cookie that gets unset by the
x-teleport-auth
dance.