
FIWARE-Keyrock: Why are the OAuth2 credentials related to apps if they do not control access?

We have a scenario where I want to protect a service X with Wilma PEP Proxy. The service X is registered in Keyrock. The Wilma PEP Proxy contains the PEP credentials generated in Keyrock for service X. An application Y gets access to service X with the proper OAuth2 credentials generated for this specific service (client_id and client_secret from Service X). It is OK. But there is a problem: an application Z also gets access to the service X with different OAuth2 credentials (not the service X credentials)!!

If this is possible, why do we have applications with specific OAuth2 credentials generated in Keyrock if they do not control anything?! It does not make sense!

It is a big security issue, because one intruder can register some application in Keyrock and with tokens generated for this specific application (with its own OAuth2 credentials) this intruder can access all the applications registered in this Keyrock instance!

As you can see in the PEP Proxy documentation, Level 1 only checks authentication. So every user with a valid token (i.e. authenticated in Keyrock) will be redirected to the server app. If you want to also check authorization you have to configure an AuthZForce server with basic or advanced security authorization levels.

On the other hand, in the token validation response, you will obtain a field application_id that indicates the scope in which the token was created.
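The distinction the answer draws (Level 1 checks only that the token is valid; the application_id field tells you which app the token was issued for) can be enforced at the proxy side. The following is an added illustration, not Keyrock or Wilma code: it models the PEP decision over constructed validation responses, using the field name application_id as given in the answer and placeholder app ids.

```python
import json
from dataclasses import dataclass

# Constructed sample token-validation responses (not real Keyrock output).
# The scope field is named "application_id" as in the answer above; the
# expected id is the application whose PEP credentials the proxy holds.
SERVICE_X_APP_ID = "service-x-app-id"  # placeholder, not a real Keyrock id

TOKEN_FROM_APP_Y = json.dumps({       # token obtained with service X's credentials
    "id": "alice", "username": "alice",
    "application_id": "service-x-app-id",
    "roles": [{"id": "r1", "name": "viewer"}],
})
TOKEN_FROM_APP_Z = json.dumps({       # valid token, but issued for another app
    "id": "mallory", "username": "mallory",
    "application_id": "app-z-app-id",
    "roles": [],
})

@dataclass
class Decision:
    allowed: bool
    reason: str

def decide(validation_body: str, expected_app_id: str, check_scope: bool) -> Decision:
    """Model the PEP decision on a token-validation response.

    check_scope=False reproduces Level 1 behaviour: any token the IdM
    validates is let through. check_scope=True additionally requires the
    token to have been issued in the protected service's own application.
    """
    try:
        info = json.loads(validation_body)
    except json.JSONDecodeError:
        return Decision(False, "validation response is not JSON")
    if not info.get("id"):
        return Decision(False, "token is not bound to an authenticated user")
    if not check_scope:
        return Decision(True, "Level 1: authenticated user, scope not checked")
    token_app = info.get("application_id")
    if token_app is None:
        return Decision(False, "validation response carries no application_id")
    if token_app != expected_app_id:
        return Decision(False, f"token issued for {token_app}, not {expected_app_id}")
    return Decision(True, "token issued for the protected service")
```

With check_scope=False the token from app Z is accepted, which is exactly the behaviour the question describes; with check_scope=True only tokens created in service X's own application pass.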
