The security offered by access_token is way too weak, especially for non-TLS client traffic. (SPEC-112) #424
Comments
|
https://github.com/rescrv/libmacaroons could be a fun possible solution to this. -- @ara4n |
|
We will have trouble getting any kind of simple We should support alternative authentication mechanisms, but I don't feel that they should be applied by default, since by default people should be using HTTPS. If we do end up doing time limited tokens, we might want to look into the OAuth2 guidelines, and consider if we should be supporting OAuth2 login completely (where clients redirect to your home server to login, then get a token back). The added benefit to that of course would be the ability to define app-specific redirect URIs (e.g. -- @kegsay |
|
We now use macaroons and provide a -- @kegsay |
|
This bug is a bit handwavey; it's not clear what would represent a satisfactory implementation to allow closure. Tokens don't actually expire yet (SYN-533), so the presence of a OTOH without concrete suggestions about what else would be better, my inclination is to close this bug. -- @richvdh |
|
Possibly a bit off topic, but what is the reason for allowing non-TLS connections in the client-server API? This might not be an issue of TLS was mandated by the spec. -- Jimmy Cuadra |
|
Both to make it trivial to debug (e.g. to allow tcpdumping http problems without TLS getting in the way), and to support utterly stupid clients like IOT devices which aren't smart enough to talk TLS. -- @ara4n |
|
In either case, I'd like to see a token invalidating endpoint, for cases like when the token gets compromised. You also mention logging out, but I cannot see anything about that in the spec. -- Gergely Polonkai |
|
So, this bug had a few references to Macaroons, but I feel that none of the posts that did so explained how Macaroons help - so I'll try and do so. The really nice thing with Macaroons is that anyone can further constrain them, but nobody can remove a constraint once it's added. This allows the client to constrain the macaroon sent back to the server to a very short lifetime (on the order of seconds), while the one it actually holds may have a very long validity period indeed. If anyone sniffs the in-flight Macaroon, it will (by and large) be useless too soon to do them any good. In addition, it can be constrained to the operation in question (if Synapse supported such caveats), so the sniffed macaroon would (say) only be usable for sending messages (and not state events), or perhaps even only to a specific room. It can also be constrained to the user's external IP, which helps even more. This would (partially) resolve SYN-299, too, so I'm copying it there, although TBH the right solution to that is probably "Authorization: Macaroon " -- Alex Elsayed |
|
An interesting and well-written article discussing the problems with simple bearer tokens in oauth, much of which rings true for us: https://web.archive.org/web/20110518133340/http://hueniverse.com/2010/09/oauth-bearer-tokens-are-a-terrible-idea/ -- @richvdh |
matrixbot
changed the title
|
...meanwhile, we've removed the tokenrefresh endpoint for now, as nothing was using it. so if anything this bug has gone backwards :( |
|
see #395 |
|
On the plus side, we have got matrix-org/synapse#1098, which makes the risk of leaking less. If anything used it. |
richvdh
added
improvement
|
I'm closing this in favour of #1042 and https://github.com/matrix-org/matrix-doc/issues/1043. |
Surely we should be using an actual digest handshake or HMAC or similar to make it a /little/ harder for clients' access_tokens to not be silently sequestered?
(Imported from https://matrix.org/jira/browse/SPEC-112)
(Reported by @ara4n)
The text was updated successfully, but these errors were encountered: