[mitreid-connect] Client credentials security issue?

Luiz Omori luiz.omori at duke.edu
Mon Jul 10 10:33:42 EDT 2017


Ohhh, I’m extremely sorry. There was a bug in my test harness that was causing the id token to leak between requests. Looking at the actual messages exchanged I can confirm that the server only sent the access token. I apologize.

Regards,
Luiz

From: Justin Richer <jricher at mit.edu>
Date: Monday, July 10, 2017 at 9:46 AM
To: Luiz Omori <luiz.omori at duke.edu>
Cc: "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: Re: [mitreid-connect] Client credentials security issue?

Can you send me, off list, transcripts of the http transactions?



--Justin

 Sent from my phone

-------- Original message --------
From: Luiz Omori <luiz.omori at duke.edu>
Date: 7/10/17 9:08 AM (GMT-05:00)
To: Justin Richer <jricher at mit.edu>
Cc: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Client credentials security issue?

I can reproduce this behaviour with https://mitreid.org.


1. Perform Authorization Code flow to successfully acquire an access token. Not sure if it matters, but I’ve created my own client, Duke.

2. Perform client credentials using the same client above. Server responded with an ID Token. My request didn’t contain any scopes.

Yes, I had seen the exact line of code you are talking about. It could be a problem in my environment, but I didn’t see it being hit for the client credentials flow when I was debugging my local instance.

Regards,
Luiz

From: Justin Richer <jricher at mit.edu>
Date: Friday, July 7, 2017 at 5:36 PM
To: Luiz Omori <luiz.omori at duke.edu>
Cc: "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: Re: [mitreid-connect] Client credentials security issue?

I just tried this on the mitreid.org test server and I couldn’t replicate it. Then I checked the code and what you’re describing is prevented by this line in ConnectTokenEnhancer:

if (originalAuthRequest.getScope().contains(SystemScopeService.OPENID_SCOPE)
&& !authentication.isClientOnly()) {

If you do get an ID token at all through some fluke, it should refer to the client that authenticated, as that’s the authenticated “user” in that scenario. Same deal with token introspection of access tokens.

 — Justin

On Jul 7, 2017, at 4:26 PM, Luiz Omori <luiz.omori at duke.edu> wrote:

Hi,

I’ve just run by chance into a suspicious behaviour while exercising the Client Credentials flow. Along with the request I’ve sent scope=openid offline_access. Interestingly enough, I got an id_token back. That id_token was referring to a user that I used for an Authorization Code request done immediately before the Client Credentials call. My usage of scope for the Client Credentials may or may not be legal, but in any case I don’t think the server should be sending an ID Token back for Client Credentials. I’m using server version 1.3.1.

Regards,
Luiz
_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect
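As an added illustration of the ConnectTokenEnhancer guard Justin quotes in this thread (example code written for this page, not MITREid Connect's own; the client id "duke", the user "alice" and the dict-shaped tokens are constructed), the model below mints an ID token only for a user-bound request that includes the openid scope, and shows that introspecting a client-credentials token reports the client itself as the subject:

```python
# Added example, not MITREid Connect code: a minimal model of the
# ID-token decision in ConnectTokenEnhancer plus token introspection.
from dataclasses import dataclass, field
from typing import Optional, Set

OPENID_SCOPE = "openid"  # SystemScopeService.OPENID_SCOPE in the real server


@dataclass
class Authentication:
    client_id: str
    user: Optional[str] = None            # None for the client credentials grant
    scope: Set[str] = field(default_factory=set)

    def is_client_only(self) -> bool:      # authentication.isClientOnly()
        return self.user is None


def token_endpoint(auth: Authentication) -> dict:
    """Mint an access token; attach an ID token only when the guard allows it."""
    subject = auth.client_id if auth.is_client_only() else auth.user
    response = {
        "token_type": "Bearer",
        "access_token": {"sub": subject, "client_id": auth.client_id,
                         "scope": sorted(auth.scope)},
    }
    # Same two conditions as the quoted guard: "openid" requested AND a user present.
    if OPENID_SCOPE in auth.scope and not auth.is_client_only():
        response["id_token"] = {"sub": auth.user, "aud": auth.client_id}
    return response


def introspect(access_token: dict) -> dict:
    """Introspection names whoever the token is bound to: the client for client-only tokens."""
    return {"active": True, "sub": access_token["sub"],
            "client_id": access_token["client_id"]}


def run_scenario() -> dict:
    # Constructed replay of the sequence in the thread: authorization code first,
    # then client credentials with scope=openid offline_access, same client.
    code_flow = token_endpoint(Authentication("duke", user="alice",
                                              scope={"openid", "offline_access"}))
    cc_flow = token_endpoint(Authentication("duke", scope={"openid", "offline_access"}))
    return {"code": code_flow, "cc": cc_flow,
            "cc_introspect": introspect(cc_flow["access_token"])}
```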
