From: Sander A. <sa....@fz...> - 2024-03-18 09:21:17
Good morning Krzysztof,

this topic became very urgent because we have many more services failing right now. We were not aware of so many services using PKCE as confidential client. Do you already have any idea?

Best regards,
Sander

On Fri, 2024-03-15 at 13:26 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
> thanks for the fast fix. After we deployed the new version and tested
> with the confidential client using PKCE. The client gets only
>
> status: 401, body:
> {"error":"invalid_client","error_description":"Client authentication failed; not authenticated"})
>
> using PKCE or not. Other applications, which did not use PKCE, are
> working well. In log files I see only:
>
>
> 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
> 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
>
> Checking the client, the credential is well defined and login on
> userhome works. The password does not contain any character which
> may cause trouble in encoding. Do you have any idea what causes this
> issue?
>
> Best regards,
> Sander
>
> On Thu, 2024-03-07 at 12:11 +0100, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > W dniu 6.03.2024 o 13:05, Sander Apweiler pisze:
> > > Hi Krzysztof, hi Roman,
> > >
> > > we got the hint from one of our connected clients that unity does
> > > not check the client secret in the authentication flow. This would
> > > be a huge security issue. The client is a confidential client with
> > > optional PKCE. The operators told us unity is not checking the
> > > secret even if they disable PKCE for it. Is there any scenario
> > > where unity does not check the client secrets in the requests?
> >
> > Yes, I can confirm that. A regression introduced when adding support
> > for PKCE for confidential clients.
> >
> > We will release a fixed version ASAP.
> >
> > > I know in the past we had some issues with missing basic auth
> > > header or passwords containing special characters, which were not
> > > properly encoded and unity did not accept their requests.
> > >
> > > Another issue which was also re-opened was checking the token
> > > signature at the userinfo endpoint. In May 2022 Roman said unity is
> > > only checking the JTI against its internal database and using the
> > > information from that but not further checking the sent token.
> > > Here we got the question if there was an update of this behaviour.
> >
> > I don't think so, but I'll let Roman answer.
> >
> > Best,
> > Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Stefan Müller
Geschaeftsfuehrung: Prof. Dr. Astrid Lambrecht (Vorsitzende), Karsten Beneke (stellv. Vorsitzender), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
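The thread touches two separate points: a token endpoint must still authenticate a confidential client when it uses PKCE (the reported regression), and client credentials sent in the Basic header must be form-urlencoded before base64 so that special characters survive (the older encoding problem mentioned above). The following is an added example, not Unity IdM's code: a small model of an authorization-code token endpoint with both behaviours, plus a regression check an operator can keep in a test suite. All client ids, secrets, codes and the PKCE verifier are constructed values; `pkce_replaces_auth` is a hypothetical switch that reproduces the bug class for the check, not a real Unity setting.

```python
# Added example (not Unity IdM's code): minimal model of /oauth2/token for
# grant_type=authorization_code, showing that PKCE never replaces client
# authentication for a confidential client, and that client_id/secret in
# the Basic header are form-urlencoded (RFC 6749 section 2.3.1).
# Every id, secret, code and verifier below is constructed for the example.
import base64
import hashlib
from urllib.parse import quote, unquote


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header per RFC 6749 2.3.1: urlencode, join, base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def parse_basic_auth(header: str):
    """Inverse of basic_auth_header; returns (client_id, secret) or None."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = raw.partition(":")
    if not sep:
        return None
    return unquote(client_id), unquote(secret)


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 method: BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed client registry; secret None marks a public client.
CLIENTS = {
    "confidential-app": "s3cr3t:with/special chars",
    "public-spa": None,
}

VERIFIER = "constructed-verifier-0123456789abcdefghijklmnopqrstuvwxyz"

# Constructed authorization codes, each bound to the client that obtained
# it and to the PKCE challenge (if any) sent on the authorize request.
CODES = {
    "code-conf-pkce": ("confidential-app", s256_challenge(VERIFIER)),
    "code-conf-plain": ("confidential-app", None),
    "code-public": ("public-spa", s256_challenge(VERIFIER)),
}


def handle_token_request(headers: dict, form: dict,
                         pkce_replaces_auth: bool = False):
    """Return (status, error_or_ok) for an authorization_code exchange.

    pkce_replaces_auth=True is a hypothetical switch that reproduces the
    bug class from the thread: a valid code_verifier is accepted as
    sufficient for any client, so the secret is never checked.
    """
    entry = CODES.get(form.get("code", ""))
    if entry is None:
        return 400, "invalid_grant"
    client_id, challenge = entry
    secret = CLIENTS[client_id]

    # PKCE check whenever the code was issued against a challenge.
    if challenge is not None:
        verifier = form.get("code_verifier")
        if verifier is None or s256_challenge(verifier) != challenge:
            return 400, "invalid_grant"
        if pkce_replaces_auth:
            return 200, "ok"  # BUG: confidential client never authenticated

    # Confidential clients must authenticate, PKCE or not.
    if secret is not None:
        creds = parse_basic_auth(headers.get("Authorization", ""))
        if creds != (client_id, secret):
            return 401, "invalid_client"
    return 200, "ok"


def secret_enforced_with_pkce(pkce_replaces_auth: bool = False) -> bool:
    """Regression check: valid verifier + wrong secret must yield 401."""
    headers = {"Authorization": basic_auth_header("confidential-app", "wrong")}
    form = {"grant_type": "authorization_code", "code": "code-conf-pkce",
            "code_verifier": VERIFIER}
    status, _ = handle_token_request(headers, form, pkce_replaces_auth)
    return status == 401
```

`secret_enforced_with_pkce()` is the assertion worth keeping after an IdP upgrade: it submits a correct `code_verifier` together with a wrong secret for a confidential client and expects `invalid_client`; the same request shape, pointed at a real token endpoint you operate, is the quickest way to confirm that client authentication is still enforced alongside PKCE.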