Add the ability to disable DPoP
#566
Comments
|
For maximum OIDC compatibility, It would be nice for the SDK and Service be able to adjust automatically to the capabilities of the IdP.
|
I think that the second point isn't the best way to do things since it would enable bypassing DPoP. We should do things based on the structure of the token we are passed as the default, I think. I like adding a config option that makes us enforce DPoP! |
|
Agreed - we should allow the administrator to configure if DPoP is enabled or not. Trying to make the SDK's 'smart' enough to figure out if DPoP is enabled is likely a way to open a door for attack vs simply making it an administrator switch. That would match with how many other security settings are controlled in the overall software stack. |
|
@dmihalcik-virtru We plan on moving forward with adding a enforce dpop setting in the platform so by default it will be more of a soft check. If dpop is presented in the request we will validate it. Otherwise we will just validate the bearer token. This means KAS will ignore checking the signed request body. Can you confirm we don't lose anything by not checking that signed body in a rewrap request? |
|
@strantalis we definitely do lose something by not checking the body signature. For example If we have a body signature then an eavesdropper can just rewrap the single TDF that they intercepted the request for. Maybe putting stable, unique, identifier of the TDF in the path could mitigate this? Probably doesn't work for GRPC, though. |
This is probably splitting hairs but I'd say that by default it will be a hard check. Administrators that have IdPs that don't do what we need them to can disable the check but by default we will be enforcing DPoP. |
* add `auth.enforceDPoP`. enabling this setting tells the auth middleware to accept tokens that do not have a `cnf` claim as valid. since having DPoP or not is a property this config goes along with each issuer * change the return of `checkToken` to return a context that has the right stuff in it so that we don't have to validate that something that came back without an error is non-nil * make it possible to disable auth on rewrap. currently we can't because we require there be a dpop JWK addresses #566 --------- Co-authored-by: Dave Mihalcik <dmihalcik@virtru.com>
|
addressed by: #617 |
* add `auth.enforceDPoP`. enabling this setting tells the auth middleware to accept tokens that do not have a `cnf` claim as valid. since having DPoP or not is a property this config goes along with each issuer * change the return of `checkToken` to return a context that has the right stuff in it so that we don't have to validate that something that came back without an error is non-nil * make it possible to disable auth on rewrap. currently we can't because we require there be a dpop JWK addresses opentdf/platform#566 --------- Co-authored-by: Dave Mihalcik <dmihalcik@virtru.com>
* add `auth.enforceDPoP`. enabling this setting tells the auth middleware to accept tokens that do not have a `cnf` claim as valid. since having DPoP or not is a property this config goes along with each issuer * change the return of `checkToken` to return a context that has the right stuff in it so that we don't have to validate that something that came back without an error is non-nil * make it possible to disable auth on rewrap. currently we can't because we require there be a dpop JWK addresses opentdf/platform#566 --------- Co-authored-by: Dave Mihalcik <dmihalcik@virtru.com>
Customers will have a variety of IdPs. Some of them do not implement DPoP. Allowing these customers to use these IdPs could be supported by adding a switch that disables DPoP checking.
This does weaken security somewhat so it's important to consider the implications.
Another idea would be to allow the IdP to control this. In this case we would only validate tokens that we detect are DPoP via the method here: #409
The text was updated successfully, but these errors were encountered: