<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
I am glad that we are finally on the same page with this issue. It could have happened a couple of emails before if you would inspect the issue instead of sending me to reading Spring documentation. It that case I would not be forced to bring it to the public
list first.
<div>Thanks,</div>
<div>Zhanna<br>
<div><br>
<div>
<div>
<div>On Aug 21, 2015, at 10:21 AM, Justin Richer <<a href="mailto:jricher@MIT.EDU">jricher@MIT.EDU</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
I’ve been digging into this for the past half hour with all kinds of different combinations. On further investigation, it does look like the system can be coerced to give a token to a valid user without ROLE_USER. The authorization endpoint is protected, and
tokens still cannot be generated without a valid login. The default implementation of MITREid Connect only uses ROLE_USER and ROLE_ADMIN for user accounts, so this is a bit of a moot point for both the default and the general case. This could be problematic
for the new UMA server which uses ROLE_EXTERNAL_USER, but there’s still no chance of accessing local identity data or impersonating another user. Non-whitelisted sites are still bounced through the approval page, which does require ROLE_USER and mitigates
this issue.
<div class=""><br class="">
</div>
<div class="">So to summarize, if your system has user accounts with a role other than ROLE_USER (most don’t) and if you have whitelisted sites, then it’s possible to get a token for the non-ROLE_USER account on a whitelisted site. To tighten security and prevent
unexpected behavior, we’ve patched the configuration to account for this, filed (and patched) in this issue:</div>
<div class=""><br class="">
</div>
<div class=""> <a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/892" class="">
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/892</a></div>
<div class=""><br class="">
</div>
<div class="">The fix is simple, just add this line to the main <security:http> block in user-context.xml or equivalent:</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; font-size: 11px; font-family: Monaco; color: rgb(57, 51, 255);" class="">
<span style="" class=""><span class="Apple-tab-span" style="white-space:pre"></span></span><span style="color: #009193" class=""><</span><span style="color: #4e9192" class="">security:intercept-url</span><span style="" class="">
</span><span style="color: #932192" class="">pattern</span><span style="" class="">=</span>"/authorize"<span style="" class="">
</span><span style="color: #932192" class="">access</span><span style="" class="">=</span>"hasRole('ROLE_USER')"<span style="" class="">
</span><span style="color: #009193" class="">/></span></div>
</div>
<div class=""><span style="color: #009193" class=""><br class="">
</span></div>
<div class=""><br class="">
</div>
<div class="">Thank you for looking into this matter, though in the future if you really believe it to be a security issue that would affect in-production systems, it’s considered bad form to disclose your findings on a public list first.</div>
<div class=""><br class="">
</div>
<div class=""> — Justin<br class="">
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 21, 2015, at 9:43 AM, Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
I am unable to replicate the exploit. Even when the client has been whitelisted, when going to the authorization endpoint, I am prompted to log in. I am unable to generate a token from an unauthenticated user, and so I don’t believe this is a security issue.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 21, 2015, at 9:30 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<font color="#232323" class="">Justin,</font>
<div class=""><font color="#232323" class="">While debugging workflow related to authorization code request </font><span style="color: rgb(35, 35, 35);" class="">I found that authorization EP provided by Spring Security OAuth2 (</span><span style="color: rgb(35, 35, 35);" class="">org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint)
</span><font color="#232323" class="">namespace is not protected as it’s supposed. I was able to enter this EP without any authentication. </font><span style="color: rgb(35, 35, 35);" class="">Section "</span><span style="color: rgb(35, 35, 35); line-height: 1.43;" class="">Configuring
the Endpoint URL“ of </span><span style="color: rgb(35, 35, 35); line-height: 25px;" class="">“</span><font color="#232323" class=""><span style="line-height: 1.43;" class="">OAuth 2 Developer Guide</span><span style="line-height: 25px;" class="">”</span><span style="line-height: 1.43;" class=""> states
</span></font><font color="#232323" class="">(See <a href="https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md" class="">https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md</a>)</font><span style="color: rgb(35, 35, 35);" class="">:
“</span><span style="color: rgb(35, 35, 35); background-color: rgb(255, 255, 255); line-height: 25px;" class="">N.B.</span><span style="color: rgb(35, 35, 35); background-color: rgb(255, 255, 255); line-height: 25px;" class=""> </span><span style="color: rgb(35, 35, 35);" class="">T</span><span style="color: rgb(35, 35, 35); line-height: 25px; background-color: rgb(255, 255, 255);" class="">he
Authorization endpoint </span><code style="color: rgb(35, 35, 35); box-sizing: border-box; padding: 0.2em 0px; margin: 0px; background-color: rgba(0, 0, 0, 0.0392157); border-top-left-radius: 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; border-bottom-left-radius: 3px;" class="">/oauth/authorize</code><span style="color: rgb(35, 35, 35); line-height: 25px; background-color: rgb(255, 255, 255);" class=""> (or
its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users.</span><span style="color: rgb(35, 35, 35); line-height: 25px;" class="">“. The example provided in the document implies that the endpoint
must be protected from outside by the Spring Security framework.</span></div>
<div class="">
<div class=""><span style="color: rgb(35, 35, 35); line-height: 25px; background-color: rgb(255, 255, 255);" class="">There is some sort of protection </span><span style="color: rgb(35, 35, 35); line-height: 25px;" class="">within the endpoint itself, but it certainly
does not require ROLE_USER authority as you suggested previously. I was able to pass internal security check using different role. </span></div>
<div class=""><span style="color: rgb(35, 35, 35); line-height: 25px;" class="">On the other hand, the other OAuth2 endpoint responsible for user approval process </span><span style="color: rgb(35, 35, 35);" class="">"/oauth/confirm_access” is protected as
expected. </span></div>
<div class=""><font color="#232323" class="">Thus, this endpoint mitigate the lack of proper security for authorize endpoint. But, it seems to me that for white-listed clients it does not matter. </font></div>
<div class=""><font color="#232323" class=""><br class="">
</font></div>
<div class=""><font color="#232323" class="">In my opinion it is a security issue of MitreID Connect.</font></div>
<div class=""><br class="">
</div>
<div class=""><span style="color: rgb(35, 35, 35);" class="">Thanks,</span></div>
<div class=""><font color="#232323" class="">Zhanna</font></div>
<div class=""><br class="">
</div>
<div class="">
<div class="">On Aug 20, 2015, at 4:48 PM, Justin Richer <<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
I suggest reading the documentation for Spring Security and Spring Security OAuth.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 10:21 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
ok. Sounds good. Can you please point to a particular place where this is implemented.
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Zhanna<br class="">
<div class=""><br class="">
<div class="">
<div class="">On Aug 20, 2015, at 10:14 AM, Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
The rest of Spring Security, which is configured throughout the code, outside the XML. Specifically, the authorization endpoint requires ROLE_USER to access.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 10:04 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
In this block access intercept is set to permitAll: <span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class=""><</span><span class="pl-ent" style="box-sizing: border-box; color: rgb(99, 163, 92); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">security</span><span class="pl-ent" style="box-sizing: border-box; color: rgb(99, 163, 92); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">:</span><span class="pl-ent" style="box-sizing: border-box; color: rgb(99, 163, 92); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">intercept-url</span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">
</span><span class="pl-e" style="box-sizing: border-box; color: rgb(121, 93, 163); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">pattern</span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">=</span><span class="pl-s" style="box-sizing: border-box; color: rgb(24, 54, 145); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);"><span class="pl-pds" style="box-sizing: border-box;">"</span>/**<span class="pl-pds" style="box-sizing: border-box;">"</span></span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">
</span><span class="pl-e" style="box-sizing: border-box; color: rgb(121, 93, 163); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);">access</span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">=</span><span class="pl-s" style="box-sizing: border-box; color: rgb(24, 54, 145); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);"><span class="pl-pds" style="box-sizing: border-box;">"</span>permitAll<span class="pl-pds" style="box-sizing: border-box;">"</span></span><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; line-height: 16px; white-space: pre; background-color: rgb(255, 255, 255);" class="">
/></span>
<div class="">What mechanism is used to protect this EP? </div>
<div class=""><br class="">
</div>
<div class="">Thanks,</div>
<div class="">Zhanna</div>
<div class=""><br class="">
<div class="">
<div class="">
<div class="">On Aug 20, 2015, at 9:47 AM, Justin Richer <<a href="mailto:jricher@MIT.EDU" class="">jricher@MIT.EDU</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
As it says in the paragraph of documentation that you quoted below, it’s protected the same way that the rest of the UI is protected. This is handled in the main <security:http> block in user-context.xml.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Aug 20, 2015, at 9:45 AM, Zhanna Tsitkov <<a href="mailto:tsitkova@mit.edu" class="">tsitkova@mit.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<font color="#232323" class="">Hi,</font>
<div class=""><font color="#232323" class="">According to the documentation for <span style="background-color: rgb(255, 255, 255); line-height: 18px; white-space: pre;" class="">configure method of
</span> <span class="pl-en" style="line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255); box-sizing: border-box;">AuthorizationServerConfigurer
</span><span class="pl-k" style="line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255); box-sizing: border-box;">interface</span><span style="line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255);" class="">
</span></font></div>
<div class=""><span style="color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; line-height: 18px; white-space: pre; background-color: rgb(255, 255, 255);" class="">"</span></div>
<br class="">
<table class="tab-size js-file-line-container highlight" data-tab-size="8" style="box-sizing: border-box; border-collapse: collapse; border-spacing: 0px; tab-size: 8; color: rgb(51, 51, 51); font-family: Helvetica, arial, nimbussansl, liberationsans, freesans, clean, sans-serif, 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 13px; line-height: 18px; background-color: rgb(255, 255, 255); position: static; z-index: auto;">
<tbody style="box-sizing: border-box;" class="">
<tr style="box-sizing: border-box;" class="">
<td id="LC32" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<br class="">
</td>
</tr>
<tr style="box-sizing: border-box;" class="">
<td id="L33" class="blob-num js-line-number" data-line-number="33" style="box-sizing: border-box; padding: 0px 10px; width: 50px; min-width: 50px; white-space: nowrap; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; vertical-align: top; text-align: right; border-style: solid; border-color: rgb(238, 238, 238); border-width: 0px 1px 0px 0px; cursor: pointer; -webkit-user-select: none;">
</td>
<td id="LC33" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<span class="pl-c" style="box-sizing: border-box; color: rgb(150, 152, 150);">* The /oauth/authorize endpoint also needs to be secure, but that is a normal user-facing endpoint and should be</span></td>
</tr>
<tr style="box-sizing: border-box;" class="">
<td id="L34" class="blob-num js-line-number" data-line-number="34" style="box-sizing: border-box; padding: 0px 10px; width: 50px; min-width: 50px; white-space: nowrap; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; vertical-align: top; text-align: right; border-style: solid; border-color: rgb(238, 238, 238); border-width: 0px 1px 0px 0px; cursor: pointer; -webkit-user-select: none;">
</td>
<td id="LC34" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<span class="pl-c" style="box-sizing: border-box; color: rgb(150, 152, 150);">* secured the same way as the rest of your UI, so is not covered here. The default settings cover the most common</span></td>
</tr>
<tr style="box-sizing: border-box;" class="">
<td id="L35" class="blob-num js-line-number" data-line-number="35" style="box-sizing: border-box; padding: 0px 10px; width: 50px; min-width: 50px; white-space: nowrap; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; vertical-align: top; text-align: right; border-style: solid; border-color: rgb(238, 238, 238); border-width: 0px 1px 0px 0px; cursor: pointer; -webkit-user-select: none;">
</td>
<td id="LC35" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<span class="pl-c" style="box-sizing: border-box; color: rgb(150, 152, 150);">* requirements, following recommendations from the OAuth2 spec, so you don't need to do anything here to get a</span></td>
</tr>
<tr style="box-sizing: border-box;" class="">
<td id="L36" class="blob-num js-line-number" data-line-number="36" style="box-sizing: border-box; padding: 0px 10px; width: 50px; min-width: 50px; white-space: nowrap; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; vertical-align: top; text-align: right; border-style: solid; border-color: rgb(238, 238, 238); border-width: 0px 1px 0px 0px; cursor: pointer; -webkit-user-select: none;">
</td>
<td id="LC36" class="js-file-line blob-code-inner blob-code" style="box-sizing: border-box; padding: 0px 10px; position: relative; vertical-align: top; font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace; font-size: 12px; white-space: pre; overflow: visible; word-wrap: normal;">
<span class="pl-c" style="box-sizing: border-box; color: rgb(150, 152, 150);">* basic server up and running.</span></td>
</tr>
</tbody>
</table>
<div class="">"</div>
<div class="">In MitreID Connect it looks like this EP is not explicitly protected. How it is done? </div>
<div class="">Thanks,</div>
<div class="">Zhanna</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</body>
</html>