FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)
Question
In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A).
Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?
1 answers
solution1
-1 2017-02-09 11:23:09
that's actually the expected behavior. The token check in PEP just ensure the user has an account in Keyrock (authentication check). If you want to manage the access to the applications you have to create and assign roles to the users inside each application (authorization check).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.