ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

Keyrock OIDC + oauth2-proxy seems to authorize any enabled user even if not authorized for the application. #256

Open mgaggero opened 2 years ago

mgaggero commented 2 years ago

I'm using Keyrock as OIDC provider for oauth2-proxy in a k8s ingress. It works flawlessly, except that Keyrock permits access to the oauth2-proxy upstream URL also to users that are not authorized, or are not members of an authorized organization, for the application. Only when the user is not enabled in Keyrock is access to oauth2-proxy also denied. Access should be allowed only to authorized users/orgs for the given application.

Keyrock: 8.1.0
Oauth2-proxy: 7.2.0

mgaggero commented 2 years ago

At first glance, the debug log shows that no queries are performed to assess whether a user is authorized in the application, only whether the user has already authorized the app to use their data. Then it prompts for the app's authorization.

```
Executing (default): SELECT `id`, `name`, `description`, `image`, `response_type`, `url`, `redirect_uri` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
Executing (default): SELECT `id`, `username`, `salt`, `password`, `enabled`, `email`, `gravatar`, `image`, `admin`, `date_password`, `starters_tour_ended`, `extra` FROM `user` AS `User` WHERE `User`.`email` = '<email_address>';
Executing (default): SELECT `User_Authorized_Application`.`id`, `User_Authorized_Application`.`shared_attributes`, `User_Authorized_Application`.`login_date`, `User_Authorized_Application`.`user_id`, `User_Authorized_Application`.`oauth_client_id`, `User`.`id` AS `User.id`, `User`.`username` AS `User.username`, `User`.`gravatar` AS `User.gravatar`, `User`.`image` AS `User.image`, `User`.`email` AS `User.email` FROM `user_authorized_application` AS `User_Authorized_Application` LEFT OUTER JOIN `user` AS `User` ON `User_Authorized_Application`.`user_id` = `User`.`id` WHERE `User_Authorized_Application`.`user_id` = 'yyyyyyyyyyyyyyyyyyyyyy' AND `User_Authorized_Application`.`oauth_client_id` = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' LIMIT 1;
POST /oauth2/authorize?approval_prompt=force&client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=http%3A%2F%2Flocalhost%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=zzzzzzzz 200 24.620 ms - 17381
```
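The log above only shows a lookup in `user_authorized_application`, which records whether the user has *consented* to share data with the client; it says nothing about whether the user (or one of their organizations) holds a role in that application. The following added example, which is not Keyrock's code, makes that distinction concrete with an in-memory SQLite fixture. The table and column names (`role_assignment`, `user_organization`, and the columns of each) are assumptions chosen to mirror the names in the log, not Keyrock's real schema, and all rows are constructed test data.

```python
import sqlite3

# Constructed schema: table names follow the debug log above, column sets
# and the role_assignment / user_organization tables are assumptions.
SCHEMA = """
CREATE TABLE user (id TEXT PRIMARY KEY, email TEXT, enabled INTEGER);
CREATE TABLE oauth_client (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE user_authorized_application (
    user_id TEXT, oauth_client_id TEXT,
    PRIMARY KEY (user_id, oauth_client_id));
CREATE TABLE role_assignment (
    role_id TEXT, user_id TEXT, organization_id TEXT, oauth_client_id TEXT);
CREATE TABLE user_organization (user_id TEXT, organization_id TEXT);
"""


def build_fixture() -> sqlite3.Connection:
    """Constructed data: four enabled/disabled users and one client."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", [
        ("u-alice", "alice@example.org", 1),  # direct role in the app
        ("u-bob",   "bob@example.org",   1),  # member of an authorized org
        ("u-carol", "carol@example.org", 1),  # enabled, no authorization
        ("u-dave",  "dave@example.org",  0),  # disabled account
    ])
    conn.execute("INSERT INTO oauth_client VALUES ('app-1', 'oauth2-proxy')")
    conn.execute("INSERT INTO role_assignment VALUES "
                 "('provider', 'u-alice', NULL, 'app-1')")
    conn.execute("INSERT INTO role_assignment VALUES "
                 "('purchaser', NULL, 'org-ops', 'app-1')")
    conn.execute("INSERT INTO user_organization VALUES ('u-bob', 'org-ops')")
    # Carol clicked 'authorize' on the consent screen earlier, so a consent
    # row exists even though nobody granted her a role in the application.
    conn.execute("INSERT INTO user_authorized_application VALUES "
                 "('u-carol', 'app-1')")
    conn.commit()
    return conn


def consent_only_check(conn, user_id: str, client_id: str) -> bool:
    """What the logged queries establish: the account is enabled and a
    consent row exists. This is the check the reporter observed."""
    row = conn.execute(
        "SELECT 1 FROM user u "
        "JOIN user_authorized_application uaa ON uaa.user_id = u.id "
        "WHERE u.id = ? AND u.enabled = 1 AND uaa.oauth_client_id = ? "
        "LIMIT 1", (user_id, client_id)).fetchone()
    return row is not None


def authorization_check(conn, user_id: str, client_id: str) -> bool:
    """The check the reporter expects: enabled AND holds a role in the
    application, either directly or through an organization membership."""
    row = conn.execute(
        "SELECT 1 FROM user u WHERE u.id = ? AND u.enabled = 1 AND ("
        "  EXISTS (SELECT 1 FROM role_assignment ra "
        "          WHERE ra.user_id = u.id AND ra.oauth_client_id = ?)"
        "  OR EXISTS (SELECT 1 FROM role_assignment ra "
        "             JOIN user_organization uo "
        "               ON uo.organization_id = ra.organization_id "
        "             WHERE uo.user_id = u.id AND ra.oauth_client_id = ?)"
        ") LIMIT 1", (user_id, client_id, client_id)).fetchone()
    return row is not None


def authorize_decision(conn, user_id: str, client_id: str) -> str:
    """Order the two checks the way an authorization endpoint should:
    deny unauthorized users before ever showing them a consent screen."""
    if not authorization_check(conn, user_id, client_id):
        return "deny"
    if not consent_only_check(conn, user_id, client_id):
        return "prompt_consent"
    return "issue_code"


if __name__ == "__main__":
    db = build_fixture()
    for uid in ("u-alice", "u-bob", "u-carol", "u-dave"):
        print(uid, "consent-only:", consent_only_check(db, uid, "app-1"),
              "authorized:", authorization_check(db, uid, "app-1"),
              "decision:", authorize_decision(db, uid, "app-1"))
```

Running it shows the gap described in the issue: `u-carol` passes the consent-only check (enabled account plus a consent row) but fails the authorization check, while `u-dave` is the only user rejected by both. Consent is something the user grants to the client; authorization is something an administrator grants to the user, and the first cannot substitute for the second.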