Review generation of UID in DefaultClaimUidExtractor #30
Comments
|
@ajaybhargavb please discuss with @Tratcher to understand the multi-name and no-name scenarios. |
|
The Historically IOW - the Name claim is not the right one - the templates should set both nameid and Name - and use NameId for anti-forgery to educate people. If NameId is not set - thrown an exception. Now give me your "hobbyist user" arguments ;p |
|
OK so. Look for a "sub" claim first. If it's present use that, the value and the issuer. And then if nothing of the above is present, sha256 the entire identity. Throwing seems rather drastic. Keep in mind we're not using the identity alone, it is combined with a random value. That work @leastprivilege ? |
|
The one last comment about this is that using the authenticated user's identifier tends to break antiforgery once the user toggles between anon and authenticated (as it did in prior versions of MVC). |
|
Added bonus - make sure you check all identities on the principal, and have configuration so a developer can specify a claim to use if needed. |
|
Oh wait, hmmm, yea, when a user logins the CSRF token would no longer be valid. Argh. That would affect login pages only though/ |
|
Or if user has 2 tabs open. But sure, it's a narrow window of problems, but we saw them every once in a while with MVC 4 & 5 (with IdentityServer2). If there was some facility that could tell if the user's csrf token was authenticated vs not and reg, that might be useful. Then again, it might just be too complicated, and/or open to some abuse by an attacker in some oddball way. |
|
I'm not so worried about the two tab problem - if they already have a token, which they would get on the first request, we'll reuse that. It doesn't change between pages. |
|
No, but your auth cookies can be changed by actions in one tab while you're filling out the form on the other one. |
|
True. I'm kinda ok breaking at that point, if you've logged in on one tab and not another |
|
Imagine you submit a login (current request is anon, so you have an anon antixsrf). The result of the login page (for whatever reason) does not redirect, but renders a new form. That form's anti-xsrf is under the impression that you're anon, but now you've got an auth cookie. When you submit this newly rendered page they don't line up. That was the scenario I saw people hitting (more than one) in the prior versions of MVC. |
|
Are we agreed though that the token should regenerate / change when someone logs in? |
|
I guess I never understood why the user's identity was incorporated into the antixsrf token. RoR does not do this. What's the additional protection from doing this (if I may ask)? |
|
Well to be fair rails doesn't do auth, that's left to 3rd parties. It's to stop CSRF dropping an auth cookie for an authenticated user by an attacker, which can then be used to produce a known value. |
|
/cc @GrabYourPitchforks as well in case he has addtl specifics on the history
|
|
I just emailed him :) So the cookie part of the token is basically a session identifier. It's only the form based half that contains the UID part, so login works just fine. |
Well, this repo for anti-xsrf is also arguably independent from the rest of ASP.NET, no? Meaning, can you assume the use of cookie authentication? Maybe you can... just thinking out loud (not arguing for anything).
But if the login form has xsrf, then wouldn't that protect against this? Also, how would the xsrf attacker get a known value if it's CRNG? I guess I'm missing the attack vector. |
|
No, it's not assume cookie, it'll use any valid identity on the principal. Anon users get a simple match, drop csrf cookie with value. Match it against the value in the form. So, you can set it if you got XSS, and lo, the next form generated will use it. |
I meant to re-gen the antixsrf when the identity changes. Would that be done somehow related to the cookie MW, or do you detect if the identity is different?
Well, if there's XSS then you have bigger problems. |
|
It also protects against supercookies, i.e. someone on badsite.azurewebsites.net dropping a CSRF cookie for azurewebsites.net |
LOL that's what they get for running in a shared host name/trust boundary. same for localStorage, sessionStorage, CSP, etc... :) |
|
In the default Antiforgery configuration, the cookie token contains no identify information. That's left to the request token (aka form or header token). And the request token is regenerated in every request. Put another way, We aren't there yet. But the "logging in breaks tokens" problem will go away once validation occurs early enough. @rynowak is working on this. |
According to @blowdart and @lodejard the way we generate the UID for a
ClaimsPrincipalis wrong in antiforgery.We should use the
ClaimsIdentity.NameClaimTypeof all authenticated identities to generate the UID rather than looking for a claim of typeClaimTypes.NameIdentifier.We need to also figure out the right thing to do (or if it's possible) when the user does not have a name.
The text was updated successfully, but these errors were encountered: