Open LeonardHd opened 6 days ago
Hi,
Thanks for reporting. There is indeed an issue with this specific flow when only client id and client secret differs and the workaround is to send additional useless parameters to the URL.
The global cache is on purpose and the fix will be to add credentials to the key in some way, the same way it is done in some other auths for instance.
Given that there is a workaround I don't see myself handling this in the near future but this is a valid issue in the backlog !
Hi,
Thanks for reporting. There is indeed an issue with this specific flow when only client id and client secret differs and the workaround is to send additional useless parameters to the URL.
The global cache is on purpose and the fix will be to add credentials to the key in some way, the same way it is done in some other auths for instance.
Given that there is a workaround I don't see myself handling this in the near future but this is a valid issue in the backlog !
Hi,
IMO, this issue is quite critical in term of security, let me explain my reasoning.
If someone uses the library with two differents client_id/client_secrent with the same token url, the current implementation can be highly misleading as it brings unexpected behaviour and it could allow to fetch an unexpected token from an other "client/session". It can have a strong impact on a business.
Taking into consideration that the current design of the cache does not support usage of different client_id, client_secret and it has a high security concern, I think this issue should be a top priority.
Concerning the workaround, it is not super clean... The endpoint of the token url may reject additional query param. It will depend on the flexibility of the implementation of the endpoint. It can work at one moment, but no guarantee on long term.
Hi @Colin-b thanks for this library - it helps people implementing OAuth flows which is great! I think we might have discovered an issue that causes unintended or unexpected token reuse across requests/auth objects.
The good news is we found an option that prevents it with the current version (see Considered options to mitigate the issue) but that might not be reasonable defaults (at least for the
OAuth2ClientCredentials
) or not very obvious for users.Let me know what you think and what you think about potential solutions to the problem.
Problem
When using the
auth
parameter (for example withOAuth2ClientCredentials
) to authenticate with a service, the global token cache is shared across allauth
objects for the same token urls. This can lead to unintended token reuse across differentauth
objects, for example, when using Microsoft Entra Id (i.e., Azure AD) to authenticate with different services via OAuth2.This could cause security issues because (not exhaustive):
An application may use different credentials to segregate access to different resources (for example dfor different users, different API calls, and so on). The global token cache may lead to reusing token across different
auth
objects, leading to unintended access to resources.Updating a secret during runtime may not invalidate the token cache, delaying the effect of the secret update.
Above behaviour might not be expected by the user and could lead to security issues.
Sample to reproduce
I have written a few pytest test cases to demonstrate the issue.
Considered options to mitigate the issue
I propose the following options to mitigate the issue. Please note that the following might not be exhaustive and there might be other ways to mitigate the issue.
Warn the user about the global token cache and the cache key implementation and the potential issues it might cause more explicitly in the documentation and the code (e.g., in the docstring of the
OAuth2ClientCredentials
class). Point them to passing a hash like we did in the sample withbuild_client_id_secret_hash
.Tie the token cache to the
auth
object. This would mean that the token cache is not shared across differentauth
objects.