From: Roman K. <ro...@un...> - 2024-03-11 11:48:42
Hi Sander,

We took a closer look at the "checking the JTI against its internal database" topic. In general we do not see this as a potential vulnerability, or at least the same as guessing the access token itself. This could indeed be a problem if the JTI is exposed, e.g. in logs, OR in case users in possession of a JTI should have privileges to query user info. We do see however room for improvement, where Unity could validate if the JWT token as a whole is the same as the one published by Unity. I'll open an enhancement ticket to cover that.

Best,
Roman

Thu, 7 Mar 2024 at 12:11 Krzysztof Benedyczak <kb...@un...> wrote:
> Hi Sander,
>
> On 6.03.2024 at 13:05, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> >
> > we got the hint from one of our connected clients that Unity does not
> > check the client secret in the authentication flow. This would be a
> > huge security issue. The client is a confidential client with optional
> > PKCE. The operators told us Unity is not checking the secret even if
> > they disable PKCE for it. Is there any scenario where Unity does not
> > check the client secrets in the requests?
>
> Yes, I can confirm that. A regression introduced when adding support for
> PKCE for confidential clients.
>
> We will release a fixed version ASAP.
>
> > I know in the past we had some issues with a missing basic auth header or
> > passwords containing special characters, which were not properly encoded
> > and Unity did not accept their requests.
> >
> > Another issue which was also re-opened was checking the token signature
> > at the userinfo endpoint. In May 2022 Roman said Unity is only checking
> > the JTI against its internal database and using the information from
> > that but not further checking the sent token. Here we got the question
> > if there was an update of this behaviour.
>
> I don't think so, but I'll let Roman answer.
>
> Best,
> Krzysztof
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss