Dashboard secure login - Githubissues

p0lyn0mial commented 5 years ago

Note: Issues relating to this epic are managed via ZenHub.

At the moment the dashboard uses OAuth Implicit Grant flow for login. This is bad for at least two reasons. Firstly Implicit flow is not considered secure, mainly because the ID token is returned in URL. Secondly its lifetime is usually short, it’s one day in our case and requires users to constantly log in into the app.

To solve the mentioned issues we could use Authorization Code, below is simplified diagram depicting interactions between the actors.

User (Browser) <—— ( 1, 4 ) ——> Server < ———— ( 2, 3) ———> OIDC Provider

In step 1 a user sends a request to a server without exposing any credentials like Client ID (Implicit Grant), next the server and the provider exchange a series of requests. At the end the server gets both the ID and Refresh tokens. In Step 4 the tokens are send back to the user.

Tokens are considered confidential and should be stored carefully, therefore:

The ID token should be valid only for a short period of time, for example 10 minutes.
The Refresh token could be valid for 30 days or so.
The ID token doesn’t have to be persisted in a cookie or web storage. It could be simply saved in memory. The token could be saved in a global variable accessible to our code. On startup, the app could use the Refresh token to get a new ID token.
The Refresh token could be stored in a secure cookie read only on the server set httpOnly, secure and SameSite=strict flags for the cookie
The Refresh token stored in a cookie should be send only to some endpoints not all (set cookie path) If the path is not set then the cookie is send for the domain, for example each request to dev.kubermatic.io includes the cookie. This means that the cookie could be read by the API server, the controllers and the dashboard. This is not necessary because the cookie could be read only by two endpoints. One for refreshing the ID token and one for handling "download kubeconfig" endpoint.
The Refresh token is used to get a new ID token

cschieder commented 3 years ago

@kubermatic/ui-team this issue is over a year old, is it still relevant?

floreks commented 3 years ago

Quite relevant. This requires some backend changes though.

ahmedwaleedmalik commented 6 months ago

This is still relevant and important for our customers.

archups commented 6 months ago

Tracked as part of https://support.kubermatic.com/a/tickets/6068?current_tab=details support ticket.

kubermatic / dashboard

Dashboard secure login #1105