This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Registration Token requirement can be bypassed by logging in with SSO #11067

Open
morg-mov opened this issue Oct 12, 2021 · 6 comments
Labels
A-Registration Creating an account A-Social Login Login via external identity providers A-SSO Single Sign-On (maybe OIDC) P4 (OBSOLETE: use S- labels.) Okay backlog: will not schedule, will accept patches T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.

Comments

@morg-mov

Description

Registration Token requirement (where you need a token given by an admin to sign up) can be bypassed by using a Third Party (OpenID) login service.
I wish to have OpenID enabled on my private homeserver for the convenience of the people I give access to.
And I have registration tokens enabled since my Homeserver is private. (duh)

Steps to reproduce

  • Create account via Third Party (Twitch, Google, Github, Whatever) with Registration Token requirement enabled.

Version information

  • Homeserver: Would rather not provide publicly due to it being private, however it is self-hosted.

If not matrix.org:

  • Version: 1.44.0

  • Install method: Docker-Compose

  • Platform: Ubuntu 20.04 Server running on actual hardware, Homeserver running in Docker Container
@morg-mov morg-mov changed the title Registration Token Bypass Registration Token Bypass (Bug Report) Oct 12, 2021
@DMRobertson
Contributor

I think the registration tokens are a fairly recent development, judging by the timelines on #10142 and matrix-org/matrix-spec-proposals#3231.

If I understand correctly @Morg-S9 , I think you want to:

  • allow users to authenticate via OpenID
  • while requiring them to prove they were invited (by the token)

From a brief read, it sounds like the auth type m.login.registration_token is an alternative to other auth types, and not an additional requirement. If that's the case, it sounds like the behaviour is as intended (though I appreciate it's not what you expected!).

Perhaps someone in @matrix-org/spec-core-team can check my working?

@clokep
Member

clokep commented Oct 13, 2021

> From a brief read, it sounds like the auth type m.login.registration_token is an alternative to other auth types, and not an additional requirement.

I think it should theoretically be able to be stacked on top (due to the way that UI authentication works), but there might be some gotchas with doing that with SSO. E.g. I'm not sure if we do that for consent right now.

@anoadragon453
Member

The current implementation requires users to additionally provide a token when registering:

```yaml
# Require users to submit a token during registration.
# Tokens can be managed using the admin API:
# https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/registration_tokens.html
# Note that `enable_registration` must be set to `true`.
# Disabling this option will not delete any tokens previously generated.
# Defaults to false. Uncomment the following to require tokens:
#
#registration_requires_token: true
```

The issue here may be that using SSO is considered a login (you've already registered an account elsewhere), rather than a registration through user-interactive authentication stages (which m.login.registration_token is one of). (Unless this is about a different mechanism which uses user-interactive auth for social login?)

@clokep
Member

clokep commented Oct 14, 2021

> The issue here may be that using SSO is considered a login (you've already registered an account elsewhere), rather than a registration through user-interactive authentication stages (which m.login.registration_token is one of). (Unless this is about a different mechanism which uses user-interactive auth for social login?)

Ah, yes, that's likely why it doesn't work. SSO is a login, not registration. I think there's some bits in there to do consent and such though after making the account.

@richvdh richvdh changed the title Registration Token Bypass (Bug Report) Registration Token requirement can be bypassed by logging in with SSO Oct 18, 2021
@callahad
Contributor

callahad commented Oct 21, 2021

It would be nice if you could configure this to be AND or OR'd with SSO, but that's evidently nontrivial. Right now it's OR and our documentation should make that more obvious to avoid footguns.
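Since the token requirement and SSO are currently OR'd, an admin can catch this footgun by linting the homeserver config before deploying it. The following is an added example (not Synapse code or anything posted in this issue): it flags a config that sets `registration_requires_token` while also enabling an SSO mechanism, or that sets the token without `enable_registration`. Only those two keys are quoted above; the SSO key names (`oidc_providers`, `saml2_config`, `cas_config`) are assumed from Synapse's config format.

```python
"""Added example: audit a parsed Synapse homeserver config for the
registration-token / SSO footgun from this issue. Not Synapse's own code."""
import sys


def sso_providers_enabled(config):
    """Return the names of SSO mechanisms enabled in the config.
    These key names are assumed from Synapse's config, not quoted in the issue."""
    found = []
    if config.get("oidc_providers"):  # list of OIDC/OAuth2 provider entries
        found.append("oidc_providers")
    if (config.get("saml2_config") or {}).get("sp_config"):
        found.append("saml2_config")
    if (config.get("cas_config") or {}).get("enabled"):
        found.append("cas_config")
    return found


def audit_registration(config):
    """Return a list of human-readable findings; an empty list means no footgun."""
    findings = []
    token_required = bool(config.get("registration_requires_token", False))
    registration_on = bool(config.get("enable_registration", False))
    providers = sso_providers_enabled(config)
    if token_required and not registration_on:
        findings.append("registration_requires_token is set but enable_registration "
                        "is false, so the token stage never runs")
    if token_required and providers:
        # Tokens only gate UIA registration; SSO is treated as a login, so
        # accounts created through it never see the m.login.registration_token stage.
        findings.append("registration_requires_token only gates UIA registration; "
                        "SSO via " + ", ".join(providers)
                        + " creates accounts without a token")
    return findings


# Constructed sample: a private homeserver with tokens required and one OIDC
# provider configured, i.e. the situation reported in this issue.
SAMPLE_CONFIG = {
    "enable_registration": True,
    "registration_requires_token": True,
    "oidc_providers": [{"idp_id": "example", "idp_name": "Example IdP"}],
}

if __name__ == "__main__":
    import yaml  # PyYAML, only needed when auditing a real homeserver.yaml
    with open(sys.argv[1]) as fh:
        cfg = yaml.safe_load(fh) or {}
    for line in audit_registration(cfg):
        print("WARNING:", line)
```

Run it as `python audit.py /path/to/homeserver.yaml`; a clean config prints nothing.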

@callahad callahad added P4 (OBSOLETE: use S- labels.) Okay backlog: will not schedule, will accept patches T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. and removed X-Needs-Discussion labels Oct 21, 2021
@deepbluev7
Contributor

deepbluev7 commented Oct 22, 2021

If /login used UIA, you could add registration_tokens as an additional UIA stage. Sadly it does not use UIA and SSO is a different beast again. (relevant MSC: matrix-org/matrix-spec-proposals#2835)


7 participants