-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
substantial and significant security issues with current "bearer token" scheme #1
Comments
Hi @zenomt! Thanks for bringing up these issues; these are all excellent discussion points. Couple of comments to clarify.
That's correct. Specifically, the client (RP/presenter) issues signed PoP tokens for each resource server. The resource server has only two inputs at the moment (as reflected in the Sample 401 header:
True, we don't use a challenge or nonce in the 401 responses currently. That's definitely something we can add (and require the PoP tokens to include). (Opened new issue, #3)
Not quite the case. The RS can revoke a token simply by refusing to honor it, for whatever reason. So, the Resource Server (Solid at the moment has no concept of a RS+Authorization server pair, the only Authorization Server in play is the IdP) has full control over the tokens.
That's correct. (Or rather, the format of the token is mandated by the scope of the
Right. Solid does not support multiple security realms within one origin. (Or rather, the WAC ACL system lets each resource to act as a separate independent realm within an origin). |
replies to a few points. regarding token revocation:
sure. the "no reasonable way" part refers to how to implement it. the server could remember that it doesn't like the webid (which could potentially affect other authenticated sessions, like from other devices), or that it doesn't like the "reasonable" ways of revoking a token include "forgetting it from the list of valid tokens" or "remember (maybe just a hash of) it in a list of revoked tokens until it's no longer valid, which is always bounded to a reasonable period of time that the server is willing to remember stuff for". regarding realms:
as we discussed in gitter (more for everybody else here in the Issue), multiple realms per origin is a fundamental part of HTTP authorization. today's Solid client implementations may not support multiple realms per origin (which would mainly require using heuristics to discover the extent of different realms and remembering which tokens go with which realm), and the PoP tokens span them (because the
from the gitter discussion, consider two Solid-compatible LDP servers mounted to different paths on an nginx-like reverse proxy. each one is running its own authentication/authorization system, and each would therefore be in its own independent realm (by definition, and hopefully also announced that way in the |
Although it is mentioned in the
So, my question about that setup is - why wouldn't those two servers just be mounted on two separate subdomains, via that same reverse proxy? There's no good reason these days to run two separate auth* systems on different paths of a single origin. For example, as LiveJournal found out, there are significant security benefits to giving each user their own subdomain (and so they moved their profile model from Also, in terms of TLS certs, it used to be expensive to get wildcard TLS certificates (which could explain the desire for serving different systems off the same subdomain). But these days, with Lets Encrypt, wildcard certs are free, which removes that concern. Like, I'm not against the realm mechanism (we do return the |
As a result of the discussion so far, I opened a couple of new issues:
|
we had another call this morning (for folks who missed the schedule change) where it was suggested i link more prominently to my proposed solution to the bullet points in this issue's description. https://github.com/zenomt/webid-auth-protocol addresses the concerns i enumerated above. i made a reference implementation (auth server and command-line token getter) of that proposed auth protocol at https://github.com/zenomt/webid-auth-nginx . |
i'd be happy saying in the spec something like "hey clients, don't forget about realms!", and maybe punting on it in a reference implementation until a situation comes up where it's needed. i think that kind of situation might arise further down the line when Solid becomes more standard™, and its principles (like LDP servers) are more ubiquitous. in enterprise systems today at least it's not uncommon at all for applications to be mounted to different paths on the same origin. and in enterprises (like the one i work at), wildcard certificates are very not-free, and Let's Encrypt is not an option. |
@zenomt I see, thanks. |
@zenomt Question about the cost aspect, though. Do you find it the case (in enterprise environment) where the cost of a single additional certificate (for a specific subdomain) outweighs the security downsides to using multiple realms per domain? |
@dmitrizagidulin sorry, i didn't mean to imply that a wildcard certificate was exorbitant (though last time i looked at the prices we pay at Day Job i'm glad i wouldn't have to pay out of my own pocket!). i merely wanted to challenge the notion that they are "free", and to challenge that (specifically) Let's Encrypt is a viable alternative in enterprise deployments. the Same Origin concept definitely applies even in enterprises. i don't think that multiple realms per domain constitutes a "security downside"; rather, it is (or would not unreasonably be) a deployment reality where distinct trusted applications run in the same origin. the main point i want to make about realms is that (presumably) not every resource server a Solid client will want to access will be a Personal Online Datastore. i think prohibiting, rather than acknowledging, a valid mode of web access would be detrimental in the long term. |
@zenomt Got it, I think I understand what you're saying. Thanks! |
Since DPoP requires signature for each request, including http method and request uri, it seems to address this concern. |
not exactly. the DPoP request/signature could have been generated at any time in the past. signing an unguessable/unforgeable server-chosen value proves an unforgeable "comes-after" temporal relationship. |
@zenomt - so, I'm still slightly unclear on what threat model the nonce in the response is supposed to address. |
@dmitrizagidulin it addresses two main concerns:
|
The objections here have been noted. That said, the panel consensus has been to proceed with DPoP + bearer tokens. |
as i mentioned on the mailing list on july 12, i believe there are substantial and significant security issues with the currently implemented
(with documentation waiting to be merged)Proof-of-Possession "bearer token" authorization scheme. the most important issues are:also, these proof tokens are necessarily big and must be passed around on every request. HTTP/2 header compression might mitigate that somewhat over the network between a client and a server (or at least a reverse proxy or application gateway), but at some point in the processing chain a multi-K blob of bytes needs to be processed on every request.
some time ago i proposed an alternative authorization method that addresses the above concerns.
The text was updated successfully, but these errors were encountered: