inblockio / aqua-PKC

Create your own Data Vault called "Personal Knowledge Container". A system implementing the Aqua Protocol for sovereign data management. Suitable for individuals and organisations alike.
https://pkc.inblock.io/
Apache License 2.0
11 stars, 4 forks

siweoidc: Unrecognised client id. #136

Closed Zusel closed 7 months ago

Zusel commented 7 months ago

After a few minutes, the OIDC refuses its service. The error message 'Unrecognised client id.' appears when attempting to log in to the MW.

Environment: pkc.inblock.io pkc-siweoidc.inblock.io

Screenshot from 2024-04-24 19-21-51

Analysis is still pending.

FantasticoFox commented 7 months ago

Might be related and/or is definitely a reconfig we need to do for the public deployment:

Ticket #08916137: Important notice regarding a potentially misconfigured Redis instance on your Droplet pkc.inblock.io: ref:!00Df2018t5m.!500Ke019Vj7:ref

Hello,

A recent network security scan suggests your Droplet pkc.inblock.io is running Redis and that it may be unintentionally exposing data or misconfigured to allow unauthorized access.

Redis listens for traffic from everywhere on port 6379, and you can validate this report by attempting to connect to your Redis on 6379 via a simple telnet command:

telnet 139.59.150.15 6379

If the connection is successful, you will receive output like the following, which will confirm that your Redis installation is visible to the public Internet:

Trying 139.59.150.15...
Connected to 139.59.150.15.
Escape character is '^]'.

You will want to restrict outside access to your Redis instance to prevent outsiders from reading or obtaining your data.

Remediation of this issue will take just a few minutes and is relatively straightforward. You will need to open /etc/redis/redis.conf and uncomment (remove the “#”) or modify the line beginning with:

bind 127.0.0.1 ::1

Afterwards, restart redis with:

sudo systemctl restart redis

You could find this information also in our community tutorial at: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-20-04

We also recommend that you implement a firewall rule restricting access to only those hosts that require access to this service, via rules on the Droplet itself or via our Cloud Firewall product, which is available at no cost. You can find out more about our firewall option at https://www.digitalocean.com/docs/networking/firewalls/

We are not aware of any actual abuse or security breach. We send this notification so you can take steps to secure your services and data.

We also recognize that your configuration may have this port open intentionally and that you’ve taken steps to secure your service, and that these notices may not be helpful to you. Please respond to this ticket and we’ll be happy to add you to our whitelist for these notifications.

Regards,

Security Operations
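The notice quoted above comes down to one directive in redis.conf. The following shell script is an added example, not code from aqua-PKC or from the provider: it reports whether a redis.conf leaves Redis listening on every interface (no active `bind` line, or a non-loopback address) and pins it to loopback. The two sample config files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of aqua-PKC or the provider's notice): audit the
# `bind` directive of a redis.conf and pin Redis to loopback.
# The sample config files written by write_sample_conf are constructed.

# redis_bind_status FILE
# Prints "loopback" and returns 0 when every active `bind` address is a
# loopback address; prints "exposed" and returns 1 when there is no active
# `bind` line (Redis then listens on all interfaces, which is what the scan
# in the notice detects) or when any bound address is not loopback.
redis_bind_status() {
    # active bind lines only: a leading "#" makes the line a comment
    addrs=$(sed -n 's/^[[:space:]]*bind[[:space:]][[:space:]]*//p' "$1")
    [ -n "$addrs" ] || { echo exposed; return 1; }
    for a in $addrs; do
        case "$a" in
            # a "-" prefix (Redis 6.2+) only makes the address optional;
            # it is still a loopback binding
            127.0.0.1|::1|-127.0.0.1|-::1) ;;
            *) echo exposed; return 1 ;;
        esac
    done
    echo loopback
    return 0
}

# redis_bind_fix FILE
# Drops every active bind line and appends a loopback-only one. Commented
# lines are deliberately left alone: the stock redis.conf carries example
# bind lines in its comments, and uncommenting them blindly can enable a
# non-loopback example address.
redis_bind_fix() {
    { sed '/^[[:space:]]*bind[[:space:]]/d' "$1"; echo 'bind 127.0.0.1 ::1'; } > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# write_sample_conf FILE MODE   (MODE = exposed | loopback)
# Writes a constructed, minimal redis.conf for the demo.
write_sample_conf() {
    if [ "$2" = exposed ]; then
        cat > "$1" <<'EOF'
# constructed sample: every bind line is commented out
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1 ::1
port 6379
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: bound to loopback only
# bind 192.168.1.100 10.0.0.1
bind 127.0.0.1 -::1
port 6379
EOF
    fi
}

# demo: write an exposed config, check it, fix it, check again
tmp=$(mktemp -d)
write_sample_conf "$tmp/redis.conf" exposed
echo "before: $(redis_bind_status "$tmp/redis.conf")"
redis_bind_status "$tmp/redis.conf" >/dev/null || redis_bind_fix "$tmp/redis.conf"
echo "after:  $(redis_bind_status "$tmp/redis.conf")"
rm -rf "$tmp"
```

The telnet probe in the notice only shows that the TCP port accepts connections. Redis's protected mode (on by default when there is no `bind` and no password) answers commands from non-loopback clients with an error, but the socket still accepts the connection, so a scanner still flags the host; the `bind` change plus a host or cloud firewall rule is the actual fix, followed by `sudo systemctl restart redis` as the notice says.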

Zusel commented 7 months ago

Similar problem: in my opinion, we do not need to expose port 80 of the MW. The traffic should go through the proxy.

Zusel commented 7 months ago

Analysis: The problem is that no value is stored for clients/siwe in Redis. This is why there is a problem with "Unrecognized client id.". I have not yet found the reason why this happens.

Zusel commented 7 months ago

The following considerations: When deploying to the web, we only need to expose the ports from the proxy. All other ports are not required and are sometimes a security risk. That's why we need two Compose files here. One for the local deployment and one for the web deployment. For the local deployment, exposing the ports is okay because they only look at localhost anyway and it simplifies debugging. For the web deployment, only the proxy may be exposed.

This should be controlled by the pkc-script and it should decide (based on the parameters passed) which compose file is used.
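The split described above (one Compose file per deployment mode, chosen by the pkc script) as an added example that is not the project's own script: it resolves the file from the mode argument and, for the web mode, refuses to proceed unless the proxy is the only service publishing a port on a non-loopback address. File names, service names and image names are assumptions, and the two Compose files it writes are constructed samples. It goes slightly beyond the comment by also accepting `127.0.0.1:host:container` publications as safe, which is the usual way to keep local debugging ports off the network.

```shell
#!/bin/sh
# Added example (not aqua-PKC's pkc script): select the Compose file by mode
# and gate the web mode on "only the proxy publishes ports".
# File, service and image names below are assumptions for the demo.

# compose_file_for MODE   (MODE = local | web)
compose_file_for() {
    case "$1" in
        local) echo docker-compose.local.yml ;;
        web)   echo docker-compose.web.yml ;;
        *)     echo "usage: pkc {local|web}" >&2; return 2 ;;
    esac
}

# list_published_ports FILE
# Prints "service bind_address:host_port" for each entry of a service's
# `ports:` list. A line-oriented reader for the two-space-indented layout
# of the samples (IPv4 only), not a YAML parser.
list_published_ports() {
    awk '
        /^services:/           { in_services = 1; next }
        in_services && /^[^ ]/ { in_services = 0 }
        !in_services           { next }
        /^  [^ ]/              { svc = $1; sub(/:$/, "", svc); in_ports = 0; next }
        /^    ports:/          { in_ports = 1; next }
        /^    [^ ]/            { in_ports = 0; next }
        in_ports && /^      - / {
            p = $2; gsub(/"/, "", p)
            n = split(p, f, ":")
            if (n == 3)      printf "%s %s:%s\n", svc, f[1], f[2]   # ip:host:container
            else if (n == 2) printf "%s 0.0.0.0:%s\n", svc, f[1]    # host:container, all interfaces
            else             printf "%s 0.0.0.0:ephemeral\n", svc   # container only, random host port
        }
    ' "$1"
}

# exposed_services FILE
# Names of services reachable from outside the host, i.e. published on
# anything other than 127.0.0.1.
exposed_services() {
    list_published_ports "$1" | awk '$2 !~ /^127\.0\.0\.1:/ { print $1 }' | sort -u
}

# check_web_compose FILE
# Succeeds only when the proxy is the single externally reachable service.
check_web_compose() {
    [ "$(exposed_services "$1" | tr '\n' ' ')" = "proxy " ]
}

# pkc_select MODE [DIR]
# What the pkc script would do before `docker compose -f FILE up -d`:
# resolve the file for the mode and refuse the web mode if the check fails.
pkc_select() {
    dir=${2:-.}
    file="$dir/$(compose_file_for "$1")" || return 2
    if [ "$1" = web ] && ! check_web_compose "$file"; then
        echo "refusing web deployment; services publishing ports: $(exposed_services "$file" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "$file"
}

# write_sample_compose FILE MODE   (constructed samples; images are made up)
write_sample_compose() {
    if [ "$2" = local ]; then
        cat > "$1" <<'EOF'
services:
  proxy:
    image: nginx
    ports:
      - "80:80"
      - "443:443"
  mediawiki:
    image: mediawiki
    ports:
      - "8080:80"
  redis:
    image: redis
    ports:
      - "127.0.0.1:6379:6379"
  siweoidc:
    image: siweoidc
    ports:
      - "3000:3000"
EOF
    else
        cat > "$1" <<'EOF'
services:
  proxy:
    image: nginx
    ports:
      - "80:80"
      - "443:443"
  mediawiki:
    image: mediawiki
  redis:
    image: redis
  siweoidc:
    image: siweoidc
EOF
    fi
}

# demo: the local file exposes several services, the web file only the proxy
tmp=$(mktemp -d)
write_sample_compose "$tmp/docker-compose.local.yml" local
write_sample_compose "$tmp/docker-compose.web.yml" web
echo "local exposes: $(exposed_services "$tmp/docker-compose.local.yml" | tr '\n' ' ')"
echo "web file:      $(pkc_select web "$tmp")"
rm -rf "$tmp"
```

Services without a `ports:` entry stay reachable to the proxy over the Compose network, so the web file loses nothing functionally; the gate in `pkc_select` is there so that a debugging port left in the wrong file fails loudly instead of going live.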

danielriedmueller commented 7 months ago

I would like to share my findings so far as well. Maybe it's already known, but maybe it's helpful.