tickets #166250
Kanidm 1.4.0 upgrade preparation - oauth2
Status: open
Start date: 2024-09-04
% Done: 60%
Description
In order to harden OAuth2 against certain classes of redirection attacks, Kanidm will strictly enforce the registered redirect URIs in future.
# kanidmd domain upgrade-check
📜 Using config file: "/etc/kanidm/server.toml"
00000000-0000-0000-0000-000000000000 WARN 🚧 [warn]: This is running as uid == 0 (root) which may be a security risk.
00000000-0000-0000-0000-000000000000 WARN 🚧 [warn]: WARNING: DB folder permissions on /var/lib/private/kanidm indicate it may not be RW. This could cause the server start up to fail!
00000000-0000-0000-0000-000000000000 INFO i [info]: Running domain upgrade check ...
00000000-0000-0000-0000-000000000000 INFO i [info]: domain_name : infra.opensuse.org
00000000-0000-0000-0000-000000000000 INFO i [info]: domain_uuid : d3d06344-5441-4e07-80b1-ba478d2f2229
00000000-0000-0000-0000-000000000000 INFO i [info]: domain_current_level : 7
00000000-0000-0000-0000-000000000000 INFO i [info]: domain_upgrade_level : 8
00000000-0000-0000-0000-000000000000 INFO i [info]: ------------------------
00000000-0000-0000-0000-000000000000 INFO i [info]: upgrade_item : security key usage
00000000-0000-0000-0000-000000000000 INFO i [info]: status : PASS
00000000-0000-0000-0000-000000000000 INFO i [info]: ------------------------
00000000-0000-0000-0000-000000000000 INFO i [info]: upgrade_item : oauth2 strict redirect uri enforcement
00000000-0000-0000-0000-000000000000 INFO i [info]: status : FAIL
00000000-0000-0000-0000-000000000000 INFO i [info]: description : To harden against possible public client open redirection vulnerabilities, redirect uris must now be registered ahead of time and are validated rather than the former origin verification process.
00000000-0000-0000-0000-000000000000 INFO i [info]: action : Verify the redirect uri's for OAuth2 clients and then enable strict-redirect-uri on each client.
00000000-0000-0000-0000-000000000000 INFO i [info]: affected_entry : gitlab@infra.opensuse.org
00000000-0000-0000-0000-000000000000 INFO i [info]: affected_entry : grafana@infra.opensuse.org
00000000-0000-0000-0000-000000000000 INFO i [info]: affected_entry : netbox@infra.opensuse.org
00000000-0000-0000-0000-000000000000 INFO i [info]: affected_entry : matomo@infra.opensuse.org
The following 4 entries need to be checked and updated so that:

- kanidm system oauth2 set-landing-url
  matches the expected "frontpage" of the application
- kanidm system oauth2 add-redirect-url
  matches the expected full URI where a client will redirect to. For example, https://example.app.suse.de/oauth2/redirect

Once configured, the strict url check needs to be enabled (enable-strict-redirect-url).
For example, the registered redirect URL for grafana needs to be https://grafana.infra.opensuse.org/login/generic_oauth
and for gitlab https://gitlab.infra.opensuse.org/oauth/redirect
I didn't want to just change these myself, since this obviously has the capacity to cause some outages to the affected applications.
No client changes are needed; this is purely a Kanidm-only change.
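As an added example (not part of this ticket and not Kanidm's own tooling), the script below applies the three steps above to one client at a time: it registers the landing URL, adds the exact redirect URI, enables strict enforcement and then prints the entry for review. It assumes the landing URL is the root of the same host as the redirect URI, only uses the two redirect URIs named in the ticket (the netbox and matomo callback paths are not given here and must be looked up first), and lets `KANIDM` be overridden for a dry run.

```shell
#!/usr/bin/env bash
# Added example for this ticket; it is not part of the ticket or of Kanidm.
# For each OAuth2 client it runs the three steps listed above:
#   set-landing-url, add-redirect-url, enable-strict-redirect-url
# and refuses to proceed when the redirect URI is not an exact https URL,
# since strict enforcement compares the registered string exactly.
set -eu

# Binary used to talk to kanidmd. Override it for a dry run, e.g.
#   KANIDM="echo kanidm" ./prepare-oauth2.sh apply
KANIDM="${KANIDM:-kanidm}"

# Accept only an absolute https URI with a host and a concrete path and with
# no wildcard, fragment or whitespace: that is what a client actually sends
# as redirect_uri, and the only form worth registering under strict checking.
valid_redirect_url() {
  case "$1" in
    https://*/*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *'*'*|*'#'*|*' '*) return 1 ;;
  esac
  return 0
}

# Derive the landing URL ("frontpage") from the redirect URI: same origin, path "/".
# Assumption: each application's front page sits at the root of its host.
landing_url_for() {
  local host
  host="${1#https://}"
  host="${host%%/*}"
  printf 'https://%s/\n' "$host"
}

# Apply the procedure to one client, then print the entry so the result can be reviewed.
configure_client() {
  local client redirect landing
  client="$1"
  redirect="$2"
  if ! valid_redirect_url "$redirect"; then
    printf 'refusing %s: %s is not an exact https redirect URI\n' "$client" "$redirect" >&2
    return 1
  fi
  landing="$(landing_url_for "$redirect")"
  $KANIDM system oauth2 set-landing-url "$client" "$landing"
  $KANIDM system oauth2 add-redirect-url "$client" "$redirect"
  $KANIDM system oauth2 enable-strict-redirect-url "$client"
  $KANIDM system oauth2 get "$client"
}

# The two redirect URIs given in the ticket. netbox and matomo are not listed
# with a callback path here and have to be looked up in their OAuth settings
# before being added to this table.
configure_all() {
  configure_client grafana https://grafana.infra.opensuse.org/login/generic_oauth
  configure_client gitlab  https://gitlab.infra.opensuse.org/oauth/redirect
}

# Only touch the server when invoked with "apply"; sourcing the file just defines the functions.
if [ "${1:-}" = apply ]; then
  configure_all
fi
```

Run it once with `KANIDM="echo kanidm" ./prepare-oauth2.sh apply` to see the exact commands before pointing it at the real server; the validator rejects http URLs, origin-only URLs and wildcards because a strict-mode client that sends any other string will simply be refused at authorisation time.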