ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

Inactive user expose account enumeration attack #3234

Open amirzahavi opened 1 year ago

amirzahavi commented 1 year ago

Preflight checklist

Describe the bug

When a user is "inactive" using the identity API (admin API), after a login attempt the login flow responds with 401 instead of the usual 400 (with a generic error message).

We expect the response to be the same as for invalid login credentials:

{
    "id": "5dc9e2c7-0000-0000-8959-000000000000",
    "oauth2_login_challenge": null,
    "type": "browser",
    "request_url": "http://kratos-public.default.svc.cluster.local/self-service/login/browser",
    "ui": {
        "action": "http://localhost/auth/self-service/login?flow=5dc9e2c7-0000-0000-8959-000000000000",
        "method": "POST",
        "nodes": [...],
        "messages": [
            {
                "id": 4000006,
                "text": "The provided credentials are invalid, check for spelling mistakes in your password or username, email address, or phone number.",
                "type": "error",
                "context": {}
            }
        ]
    },
    "requested_aal": "aal1"
}

We self-host Kratos.

Reproducing the bug

  1. Create a user in Kratos.
  2. Set the user as "inactive" using the identity API.
  3. Try to log in.

Relevant log output

{
    "code": 401,
    "status": "Unauthorized",
    "request": "51b199fa-d306-4cc9-a3fc-000000000000",
    "reason": "This account was disabled.",
    "details": {
        "identity_id": "39d48bab-ea5c-4014-8c7d-000000000000"
    },
    "message": "identity is disabled"
}

Relevant configuration

No response

Version

v0.11.1

On which operating system are you observing this issue?

None

In which environment are you deploying?

Kubernetes with Helm

Additional Context

We self-host Kratos behind Oathkeeper with Keto, using Kubernetes+Helm.

The login is performed inside a SPA context, using the @ory/client SDK (v1.1.7) updateLoginFlow function.

aeneasr commented 1 year ago

Thank you for the report. This is on purpose, because users should know whether their account was locked or not. We can probably improve displaying the error message better so it's not a full error but instead gives you a flow with a message indicating that the login is disabled for that user. WDYT?

amirzahavi commented 1 year ago

Hi @aeneasr, thank you for the quick response. My first assumption was misleading: I forgot that when I typed the password it was the correct one, and just after that I got 401 as expected. When I type the wrong password, it returns 400 as expected.

But for the sake of consistency, it still would be nice to get the same flow body with a message indicating the user is blocked, something like "Account is blocked, please contact your account administrator."
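To give the SPA the consistent message the thread asks for without waiting on a server-side change, here is an added example in JavaScript (not code from the issue, from Ory Kratos or from the @ory/client SDK): it takes the HTTP status and JSON body that updateLoginFlow surfaces and maps both the 400 flow body and the 401 "identity is disabled" error onto one flow-shaped result that the existing form renderer can consume. The two sample bodies are constructed from the ones quoted above; ACCOUNT_BLOCKED_TEXT, GENERIC_FAILURE_TEXT and the message id 0 are assumed values.

```javascript
// Added example (not part of Ory Kratos or @ory/client): normalise the two
// responses described in this issue so an SPA renders both through the same
// login-flow UI. Kratos behaviour per the thread: wrong password -> 400 with
// the flow body; correct password on a disabled identity -> 401 error object.

// Assumed client-side wording; Kratos itself emits no such message.
const ACCOUNT_BLOCKED_TEXT =
  "Account is blocked, please contact your account administrator.";
const GENERIC_FAILURE_TEXT = "Login failed. Please try again.";

// Constructed samples, trimmed from the bodies quoted in the issue.
const SAMPLE_FLOW_400 = {
  id: "5dc9e2c7-0000-0000-8959-000000000000",
  type: "browser",
  ui: {
    action: "http://localhost/auth/self-service/login?flow=5dc9e2c7-0000-0000-8959-000000000000",
    method: "POST",
    nodes: [],
    messages: [{ id: 4000006, type: "error", context: {},
      text: "The provided credentials are invalid, check for spelling mistakes in your password or username, email address, or phone number." }],
  },
  requested_aal: "aal1",
};
const SAMPLE_ERROR_401 = {
  code: 401, status: "Unauthorized", reason: "This account was disabled.",
  details: { identity_id: "39d48bab-ea5c-4014-8c7d-000000000000" },
  message: "identity is disabled",
};

function isLoginFlow(body) {
  return Boolean(body && body.ui && Array.isArray(body.ui.messages));
}

// Builds a flow-shaped object carrying a single error message, reusing the
// last known flow (id, ui.action, nodes) so the form can be re-rendered.
function flowWithError(lastFlow, text) {
  const base = lastFlow || { ui: {} };
  // id 0 is a placeholder: real Kratos message ids (e.g. 4000006) are server-assigned.
  const msg = { id: 0, text, type: "error", context: {} };
  return { ...base, ui: { ...base.ui, messages: [msg] } };
}

// Returns { flow, messages }: `flow` always has ui.messages, `messages` the
// error texts to show. Only the text reaches the UI; the identity_id inside
// the 401 `details` object is intentionally not copied into the result.
function normalizeLoginResponse(status, body, lastFlow) {
  if (status === 400 && isLoginFlow(body)) {
    const errors = body.ui.messages.filter(m => m.type === "error");
    return { flow: body, messages: errors.map(m => m.text) };
  }
  if (status === 401 && body && body.message === "identity is disabled") {
    return { flow: flowWithError(lastFlow, ACCOUNT_BLOCKED_TEXT), messages: [ACCOUNT_BLOCKED_TEXT] };
  }
  return { flow: flowWithError(lastFlow, GENERIC_FAILURE_TEXT), messages: [GENERIC_FAILURE_TEXT] };
}
```

In the SPA, call normalizeLoginResponse with the status and data of the error that updateLoginFlow rejects with, passing the flow fetched before submission as lastFlow.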