From: Sander A. <sa....@fz...> - 2024-03-15 12:26:45
Hi Krzysztof,
thanks for the fast fix. After we deployed the new version and tested
with the confidential client using PKCE, the client gets only
status: 401, body: {"error":"invalid_client","error_description":"Client authentication failed; not authenticated"})
whether PKCE is used or not. Other applications, which did not use PKCE, are
working well. In the log files I see only:
2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
Checking the client, the credential is well defined and login on
userhome works. The password does not contain any character which may
cause trouble in encoding. Do you have any idea what causes this issue?
Best regards,
Sander
On Thu, 2024-03-07 at 12:11 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 6.03.2024 at 13:05, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> >
> > we got the hint from one of our connected clients that unity does
> > not check the client secret in the authentication flow. This would be a
> > huge security issue. The client is a confidential client with
> > optional PKCE. The operators told us unity is not checking the secret
> > even if they disable PKCE for it. Is there any scenario where unity does
> > not check the client secrets in the requests?
>
> Yes, I can confirm that. A regression introduced when adding support
> for PKCE for confidential clients.
>
> We will release a fixed version ASAP.
>
>
> > I know in the past we had some issues with missing basic auth header or
> > passwords containing special characters, which were not properly
> > encoded, and unity did not accept their requests.
> >
> > Another issue which was also re-opened was checking the token
> > signature at the userinfo endpoint. In May 2022 Roman said unity is only
> > checking the JTI against its internal database and using the information
> > from that but not further checking the sent token. Here we got the
> > question if there was an update of this behaviour.
>
> I don't think so, but I'll let Roman answer.
>
> Best,
> Krzysztof
>
--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, no. HR B 3498
Chairman of the supervisory board: MinDir Stefan Müller
Management: Prof. Dr. Astrid Lambrecht (Chair),
Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
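The two problems discussed in this thread are (a) a token endpoint that skipped client-secret verification for a confidential client once PKCE was involved, and (b) clients whose Basic-auth credentials with special characters were not accepted. The following is an added illustration, not Unity's code: a minimal token-endpoint check that authenticates the client first (Basic header per RFC 6749 section 2.3.1, where client_id and client_secret are form-urlencoded before base64, or client_secret_post as a fallback) and only then verifies the PKCE code_verifier (S256, RFC 7636), so PKCE never substitutes for the secret. The client registry, client names and secret are constructed for the example; the PKCE verifier/challenge pair is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed client registry for the example (hypothetical; not Unity's data model).
CLIENTS = {
    "conf-client": {"secret": "s3cr#t/pa ss", "confidential": True},
    "public-spa": {"secret": None, "confidential": False},
}


def make_basic_header(client_id, secret):
    """Build a client Basic header the RFC 6749 way: percent-encode both parts
    first, so '#', '/', ' ' and ':' in a secret survive the round trip."""
    raw = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_basic_auth(header):
    """Return (client_id, client_secret) from a Basic header, or None if absent/malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    cid, secret = raw.split(":", 1)  # a ':' inside the secret is still encoded as %3A here
    return unquote(cid), unquote(secret)


def authenticate_client(headers, form):
    """Return the authenticated client_id, or None.

    A confidential client must present a valid secret (header or client_secret_post);
    a public client is identified by client_id alone and has no secret to check."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None and "client_secret" in form:
        creds = (form.get("client_id", ""), form["client_secret"])
    client_id = creds[0] if creds else form.get("client_id")
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if not client["confidential"]:
        return client_id
    if creds is None:
        return None  # confidential client without credentials: reject, PKCE or not
    if not hmac.compare_digest(creds[1].encode("utf-8"), client["secret"].encode("utf-8")):
        return None
    return client_id


def verify_pkce(code_verifier, code_challenge, method="S256"):
    """S256 check: BASE64URL(SHA256(code_verifier)) without padding must equal the challenge."""
    if method != "S256" or not code_verifier:
        return False
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return hmac.compare_digest(expected, code_challenge)


def token_request(headers, form, stored_challenge):
    """Order matters: client authentication first, PKCE second, never one instead of the other.
    Returns (status, body) like the responses quoted in the thread."""
    client_id = authenticate_client(headers, form)
    if client_id is None:
        return 401, {"error": "invalid_client",
                     "error_description": "Client authentication failed"}
    if stored_challenge is not None:  # authorization request carried a code_challenge
        if not verify_pkce(form.get("code_verifier", ""), stored_challenge):
            return 400, {"error": "invalid_grant", "error_description": "PKCE verification failed"}
    return 200, {"access_token": "constructed-token", "token_type": "Bearer", "client_id": client_id}


# Verifier/challenge pair from RFC 7636 Appendix B.
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    hdr = make_basic_header("conf-client", "s3cr#t/pa ss")
    print(token_request({"Authorization": hdr}, {"code_verifier": VERIFIER}, CHALLENGE))
    # The regression case: correct verifier, no secret, confidential client -> must be 401.
    print(token_request({}, {"client_id": "conf-client", "code_verifier": VERIFIER}, CHALLENGE))
```

The second call in the usage block is the regression the thread describes: a valid PKCE verifier for a confidential client without its secret must still be rejected with `invalid_client`. The `make_basic_header` helper also shows why a secret such as `s3cr#t/pa ss` works only when both sides apply the percent-encoding step before base64.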