Honour HTTP_AGENT in policies #1425

Open
cornelinux opened this Issue Feb 6, 2019 · 4 comments

cornelinux commented Feb 6, 2019

It could make sense to also make policies dependent on the HTTP-AGENT. This of course is often difficult, since the client can change its HTTP-AGENT, so this could only be possible if the client actually is a trusted system.

But this way, we would be independent of the client IP.

@fredreichbier @plettich what do you think?

plettich commented Feb 6, 2019

How do we trust a client system?

cornelinux commented Feb 6, 2019

If the client is a server, this could be trusted. This way on one machine there could be several different applications that query privacyIDEA with different HTTP_AGENTs.

At the moment there would be no (easy) way for us to have different policies for different applications originating from the same IP.

fredreichbier commented Feb 6, 2019

Ah yeah, I guess matching the HTTP user agent makes sense in order to differentiate applications from the same IP. But this wouldn't work in all cases, would it? e.g. two ownCloud instances at the same IP would still send the same user agent and would be indistinguishable?

Instead of focusing on the user agent, we could also implement matching arbitrary HTTP request headers?

cornelinux commented Feb 6, 2019

Arbitrary HTTP headers sound nice!
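
An added example, not part of the thread and not privacyIDEA code: a sketch of the header-based policy matching discussed above, in which header conditions are evaluated only for client IPs on a trusted list, because any client can set its own headers. `Policy`, `TRUSTED_HEADER_SOURCES`, `match_policies` and the `X-App-Instance` header are hypothetical names, and all addresses and values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    client_net: str                              # CIDR the policy applies to
    headers: dict = field(default_factory=dict)  # header name -> required value

# Constructed: hosts whose self-reported headers we are willing to believe
# (e.g. an application server we operate ourselves).
TRUSTED_HEADER_SOURCES = [ipaddress.ip_network("10.0.0.5/32")]

def header_trusted(ip):
    return any(ip in net for net in TRUSTED_HEADER_SOURCES)

def match_policies(policies, client_ip, request_headers):
    """Return the names of policies matching this request, in order."""
    ip = ipaddress.ip_address(client_ip)
    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    matched = []
    for p in policies:
        if ip not in ipaddress.ip_network(p.client_net):
            continue
        if p.headers:
            # Fail closed: a policy with header conditions never matches
            # a client whose headers we have no reason to trust.
            if not header_trusted(ip):
                continue
            if any(hdrs.get(k.lower()) != v for k, v in p.headers.items()):
                continue
        matched.append(p.name)
    return matched

# Constructed policies: two applications on one IP told apart by User-Agent,
# and two instances of the same application told apart by another header.
POLICIES = [
    Policy("owncloud-b", "10.0.0.0/24",
           {"User-Agent": "owncloud-plugin", "X-App-Instance": "b"}),
    Policy("owncloud", "10.0.0.0/24", {"User-Agent": "owncloud-plugin"}),
    Policy("vpn", "10.0.0.0/24", {"User-Agent": "vpn-gateway"}),
    Policy("default", "10.0.0.0/24"),
]

if __name__ == "__main__":
    print(match_policies(POLICIES, "10.0.0.5", {"User-Agent": "vpn-gateway"}))
    print(match_policies(POLICIES, "10.0.0.9", {"User-Agent": "vpn-gateway"}))
```
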
