tickets #166250

open

Kanidm 1.4.0 upgrade preparation - oauth2

Added by firstyear about 2 months ago. Updated about 1 month ago.

Status: In Progress
Priority: Normal
Assignee:
Category: FreeIPA/Kanidm
Target version: -
Start date: 2024-09-04
Due date:
% Done: 60%
Estimated time:
Description

In order to harden OAuth2 against certain classes of redirection attacks, Kanidm will strictly enforce the redirection URIs used in future.

# kanidmd domain upgrade-check
📜 Using config file: "/etc/kanidm/server.toml"
00000000-0000-0000-0000-000000000000 WARN     🚧 [warn]: This is running as uid == 0 (root) which may be a security risk.
00000000-0000-0000-0000-000000000000 WARN     🚧 [warn]: WARNING: DB folder permissions on /var/lib/private/kanidm indicate it may not be RW. This could cause the server start up to fail!
00000000-0000-0000-0000-000000000000 INFO     i [info]: Running domain upgrade check ...
00000000-0000-0000-0000-000000000000 INFO     i [info]: domain_name            : infra.opensuse.org
00000000-0000-0000-0000-000000000000 INFO     i [info]: domain_uuid            : d3d06344-5441-4e07-80b1-ba478d2f2229
00000000-0000-0000-0000-000000000000 INFO     i [info]: domain_current_level   : 7
00000000-0000-0000-0000-000000000000 INFO     i [info]: domain_upgrade_level   : 8
00000000-0000-0000-0000-000000000000 INFO     i [info]: ------------------------
00000000-0000-0000-0000-000000000000 INFO     i [info]: upgrade_item           : security key usage
00000000-0000-0000-0000-000000000000 INFO     i [info]: status                 : PASS
00000000-0000-0000-0000-000000000000 INFO     i [info]: ------------------------
00000000-0000-0000-0000-000000000000 INFO     i [info]: upgrade_item           : oauth2 strict redirect uri enforcement
00000000-0000-0000-0000-000000000000 INFO     i [info]: status                 : FAIL
00000000-0000-0000-0000-000000000000 INFO     i [info]: description            : To harden against possible public client open redirection vulnerabilities, redirect uris must now be registered ahead of time and are validated rather than the former origin verification process.
00000000-0000-0000-0000-000000000000 INFO     i [info]: action                 : Verify the redirect uri's for OAuth2 clients and then enable strict-redirect-uri on each client.
00000000-0000-0000-0000-000000000000 INFO     i [info]: affected_entry         : gitlab@infra.opensuse.org
00000000-0000-0000-0000-000000000000 INFO     i [info]: affected_entry         : grafana@infra.opensuse.org
00000000-0000-0000-0000-000000000000 INFO     i [info]: affected_entry         : netbox@infra.opensuse.org
00000000-0000-0000-0000-000000000000 INFO     i [info]: affected_entry         : matomo@infra.opensuse.org

The following 4 entries need to be checked and updated so that:

  • kanidm system oauth2 set-landing-url matches the expected "frontpage" of the application
  • kanidm system oauth2 add-redirect-url matches the expected full URI that the client will be redirected to. For example, https://example.app.suse.de/oauth2/redirect

Once configured, the strict URL check needs to be enabled (enable-strict-redirect-url).

For example, grafana needs to change to https://grafana.infra.opensuse.org/login/generic_oauth or gitlab to https://gitlab.infra.opensuse.org/oauth/redirect

I didn't want to just change these myself, since this obviously has the capacity to cause some outages to the affected applications.

No client changes are needed; this is purely a Kanidm-side change.


Checklist

  • Grafana
  • GitLab
  • Matomo
  • NetBox
  • Enable strict mode
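Worked example, added here and not part of the ticket or of Kanidm's own tooling: a POSIX shell dry-run wrapper that applies the three steps from the description (set-landing-url, add-redirect-url, enable-strict-redirect-url) to one client, after rejecting redirect URIs that cannot be valid exact-match callbacks (not https with a path, or containing a wildcard, a fragment, or whitespace; RFC 6749 section 3.1.2 forbids fragments in redirect URIs). Assumptions: the kanidm CLI is on PATH and logged in as an administrator; each subcommand takes the client name followed by the URL, as in the current Kanidm documentation; the grafana and gitlab callback paths are the ones quoted in the ticket, and matomo and netbox are left out until their callback paths are confirmed. By default the script only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example, not from the ticket or from Kanidm. Dry-run wrapper around the
# three kanidm subcommands named in the ticket, with a sanity check on each
# redirect URI first. Assumes: kanidm is on PATH and authenticated as an admin,
# and the subcommands take "<client> <url>" in that order.

KANIDM="${KANIDM:-kanidm}"
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands, 0 = execute them

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# scheme://host of a URL, used to compare landing and callback origins.
origin_of() {
    rest="${1#*://}"
    printf '%s://%s\n' "${1%%://*}" "${rest%%/*}"
}

# Reject values that cannot be a valid exact-match callback: anything that is
# not https with a path, or that contains a wildcard, a fragment (RFC 6749
# section 3.1.2 forbids fragments in redirect URIs) or whitespace.
check_redirect_uri() {
    case "$1" in
        https://*/*) ;;
        *) echo "rejected, not an https URL with a path: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *'*'*|*'#'*|*' '*)
            echo "rejected, wildcard/fragment/whitespace: $1" >&2; return 1 ;;
    esac
    return 0
}

# migrate_client <client> <landing-url> <redirect-uri>...
# Registers the landing URL and every exact callback, then enables strict
# matching and re-reads the entry so the result can be reviewed.
migrate_client() {
    client=$1; landing=$2; shift 2
    [ $# -ge 1 ] || { echo "no redirect URIs given for $client" >&2; return 1; }
    for uri in "$@"; do
        check_redirect_uri "$uri" || return 1
        [ "$(origin_of "$landing")" = "$(origin_of "$uri")" ] ||
            echo "warning: $client landing page and $uri are on different origins" >&2
    done
    run "$KANIDM" system oauth2 set-landing-url "$client" "$landing"
    for uri in "$@"; do
        run "$KANIDM" system oauth2 add-redirect-url "$client" "$uri"
    done
    run "$KANIDM" system oauth2 enable-strict-redirect-url "$client"
    run "$KANIDM" system oauth2 get "$client"
}

# The two clients whose callback paths the ticket quotes. matomo and netbox
# follow the same pattern once their callback paths are confirmed.
migrate_client grafana https://grafana.infra.opensuse.org \
    https://grafana.infra.opensuse.org/login/generic_oauth
migrate_client gitlab https://gitlab.infra.opensuse.org \
    https://gitlab.infra.opensuse.org/oauth/redirect
```

Because strict matching is exact, register every callback the application can really use (a primary and a legacy path, for instance) before enabling it, and review the output of the final kanidm system oauth2 get step; once a client has strict matching enabled, a further kanidmd domain upgrade-check run should no longer list it as an affected_entry.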