Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow token parameter from the POST body #31561

Closed
wants to merge 3 commits into from
Closed

allow token parameter from the POST body #31561

wants to merge 3 commits into from

Conversation

slingamn
Copy link
Contributor

@slingamn slingamn commented Jul 4, 2024

I encountered this while trying to patch Forgejo but thought that I should ask here as well about the validity of the proposed fix. It seems to me that the intent of #28390 was to deprecate passing token as a URL parameter, which is a security issue. However, blocking attempts to read from (http.Request).Form means that token cannot be read from the POST body either.

Since OIDC introspection actually mandates reading the token from the POST body, the proposed fix here is to check (http.Request).PostForm first and return successfully on finding the token there. (I'm only checking for token and not for access_token, since I'm not aware of any flows that send access_token in the POST body.)

Thanks for your time.

@slingamn
allow token parameter from the POST body
081bb68 
As per go-gitea#28390 this will be
disallowed as a URL parameter for security reasons, but in
the POST body it is secure and required for some flows.
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jul 4, 2024
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 4, 2024
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Jul 4, 2024
@slingamn
Copy link
Contributor Author

cc @jackHay22 @kdumontnu ; sorry for the @'s but would you be able to look at this? As I understand it, without this patch, OIDC introspection will break in 1.23 when DISABLE_QUERY_AUTH_TOKEN starts defaulting to true.

@lunny
Copy link
Member

lunny commented Jul 14, 2024

I think this needs more discussions about the security. I couldn't find the big difference between GET and POST via API requests.

@techknowlogick
Copy link
Member

Thanks @slingamn, this seems like a reasonable addition. Could you verify that the "token" field is not used in any other POSTs for the API as that would otherwise conflict, as well could you add some tests (that don't need to be super involved)? If not, let me know and I can make a complimentary PR.
Could you also send an example use-case so I can also run through some local integration tests myself?

@lafriks
Copy link
Member

lafriks commented Jul 14, 2024

I don't think this is a good idea to accept that for all requests as this should be used for specific use cases in specific endpoints instead

@slingamn
Copy link
Contributor Author

@lunny for the security rationale for the original change, see this comment, which clarifies that the issue is confined to GET and doesn't affect POST: #28390 (comment)

@pull-request-size pull-request-size bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 15, 2024
@slingamn slingamn mentioned this pull request Jul 15, 2024
Merged
@slingamn
Copy link
Contributor Author

@lafriks I looked into this and you're right. I opened #31632 as an improved (but riskier) version of this change).

@slingamn slingamn closed this Jul 15, 2024
6543 pushed a commit that referenced this pull request Jul 23, 2024
@slingamn
fix OIDC introspection authentication (#31632)
2f1cb1d 
See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Oct 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/go Pull requests that update Go code size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@slingamn @lunny @techknowlogick @lafriks @GiteaBot