Change the application access authentication flow#17592
Conversation
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
2 times, most recently
from
593d08f to
f283234
Compare
ikkisoft
left a comment
ikkisoft
left a comment
There was a problem hiding this comment.
In term of security and protection against Login CSRF, the current implementation is comparable to the previous one. I did leave one comment, since I believe this mechanism will break for teleport installations that are configured with multiple public IPs/Domain names.
However, it's important to note that this security mechanism fully relies on a properly configured CORS policy. Given that the Access-Control-Allow-Origin uses the teleport's configuration (public_addr field), it is particularly important to ensure that all hostnames listed in this setting are trusted. Arbitrary HTML/Javascript hosted under such domains will have full access to cross-origin requests hence bypassing this protection.
Arbitrary HTML/JS on any proxy address is an issue in general, as it'll give access to the proxy API without CORS being needed. I don't see this being an issue, there would be more attack vectors if there was arbitrary HTML/JS on a proxy endpoint than a That being said, I wouldn't be against a HMAC signature for the cookie that's also passed along, so brute force attempts to guess a cookie value couldn't be achieved. Thanks for taking the time to review this. |
|
Agree. I was mostly concerned about a user's misconfiguration in which the CORS Access-Control-Allow-Origin returns an host that is not owned by the admin. E.g. dangling DNS records |
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
from
f283234 to
3676f04
Compare
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
from
3676f04 to
1927781
Compare
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
from
1927781 to
fcaa36c
Compare
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
from
d5fa235 to
e5ff95d
Compare
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
3 times, most recently
from
428323b to
3fbbe08
Compare
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
from
8272108 to
d67a71a
Compare
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
2 times, most recently
from
e9e4394 to
6a0c4d6
Compare
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
from
6a0c4d6 to
fc69f29
Compare
r0mant
left a comment
r0mant
left a comment
There was a problem hiding this comment.
@ryanclark I tried this branch in my local cluster and I can't connect to any applications. I get "Access to XXX was denied" from the browser.
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
from
dfe322c to
fdde943
Compare
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
ryanclark
force-pushed
the
ryan/change-app-access-login-flow
branch
from
dcd9fb4 to
639c9e5
Compare
Reverted parts of: #17592 Kept json field renames
Reverted parts of: #17592 Kept json field renames
…okie block (#30321) * Copy pasta revert back to previous app redirection logic Reverted parts of: #17592 Kept json field renames * Remove unused fields (were renamed while back) * Refactor previous implementation - Create unique cookie for each state token created - Preserve path and queries * Split handlers * Fix tests and lint * Address CR * Add backwards compatability * Emit errs with invalid vals and attempt to delete session * Update test * Address CRs * Fix lint
…okie block (#30321) * Copy pasta revert back to previous app redirection logic Reverted parts of: #17592 Kept json field renames * Remove unused fields (were renamed while back) * Refactor previous implementation - Create unique cookie for each state token created - Preserve path and queries * Split handlers * Fix tests and lint * Address CR * Add backwards compatability * Emit errs with invalid vals and attempt to delete session * Update test * Address CRs * Fix lint
…rty cookie block (#37692) * Fix app redirection loop on browser's incognito mode and 3rd party cookie block (#30321) * Copy pasta revert back to previous app redirection logic Reverted parts of: #17592 Kept json field renames * Remove unused fields (were renamed while back) * Refactor previous implementation - Create unique cookie for each state token created - Preserve path and queries * Split handlers * Fix tests and lint * Address CR * Add backwards compatability * Emit errs with invalid vals and attempt to delete session * Update test * Address CRs * Fix lint * Fix import
7 participants
Previously, we'd pass the value of the cookie that needed to be set to
/x-teleport-authvia thePOSTbody. This opened it up to CSRF attacks, which was mediated by implementing a?state=query param and a cookie.This added quite a few different redirects, which can be simplified by allowing cross origin requests from the proxy address to the application's
/x-teleport-authendpoint, and sending the cookie value via a customX-Cookie-Valueheader instead.Custom headers cannot be added to
<form>elements, nor included in ano-corsfetch()request. This means a user cannot be tricked into launching an application by a third party malicious actor.This would fix #15935, as we're no longer relying on the cookie that gets unset by the
x-teleport-authdance.