wso2 / product-apim

Welcome to the WSO2 API Manager source code! For info on working with the WSO2 API Manager repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

User from one tenant can log in to another, create application, token and invoke APIs #9926

Open lpastor74 opened 3 years ago

lpastor74 commented 3 years ago

Description:

In a multitenant environment, users from one tenant can log in to another domain, create applications, tokens, and invoke APIs. IMO this is a security issue.

Steps to reproduce:

In the tenant domain, I enabled the self-registration process. The user registered himself over the devportal self-registration process (getting the Internal/subscriber role). The user logs into his domain with username/password. In the devportal he clicks on the 'go to public dev portal' button and clicks on any other domain listed there. He will be redirected to the dev portal of another tenant and he will see all APIs, be able to create applications and tokens, and invoke APIs.

Affected Product Version:

Tested on 3.2

Environment details (with versions):


Optional Fields

Related Issues:

Suggested Labels:

[Urgent] [Security]

tharikaGitHub commented 3 years ago

Hi @lpastor74 I checked this in the latest 3.2.0 WUM updated pack. Even though a user of another tenant domain is allowed to view all public APIs of any other tenant's developer portal, he is not allowed to subscribe. Please see the image below. The self-signed-up user is in the xyz.com domain, but the API is in the wso2.com domain.

[Screenshot 2021-02-12 at 06 02 48: subscription attempt from the xyz.com user on the wso2.com API]
lpastor74 commented 3 years ago

Hi Tharika

You are right, I wasn't paying attention. If an API is declared 'visible by my domain', a user from another domain is not able to see it. Still, there is a concern that the user can see the list of all tenants (this could be declared as a security issue; is there a way to disable the list of all tenants before the user gets a login screen?)

[Screen Shot 2021-02-11 at 7 22 50 PM: list of tenant domains shown before login]
tharikaGitHub commented 3 years ago

Hi @lpastor74 your concern is valid in that we allow any user to view the tenant domains available in an organization. But if we hide this, no one will be able to discover the APIs specific to a particular domain. As this is the Developer Portal, we should allow anyone to discover the APIs they need, subject to the visibility constraints which we can enforce through the Publisher Portal.

If we disable the list of Tenants before providing the login screen, anonymous users will not be able to view the Public APIs in other available tenant domains apart from the super tenant domain.

And even a user who self-signs up through the Developer Portal should know what tenant domains are available in order to provide the domain information during the signup process.

So I believe this is not really a security issue. What do you think?

lpastor74 commented 3 years ago

Hi @tharikaGitHub I agree with the perception of API discoverability.
The use case that I'm having right now is like

My question/ suggestion is that we should have a possibility to hide the list of all tenants before the login screen.