[HELP-8244] [fiware-stackoverflow] FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?) - JIRA

Details

Type: Monitor
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 2021
Component/s: FIWARE-TECH-HELP
Labels:

Source URL:
http://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to
HD-Chapter:
Security
HD-Enabler:
KeyRock

Description

Created question in FIWARE Q/A platform on 08-02-2017 at 21:02
Please, ANSWER this question AT http://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to

Question:
FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)

Description:
In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A).

Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?

Activity

Ascending order - Click to sort in descending order

Backlog Manager created issue - 09/Feb/17 12:05 AM

Hide

Permalink

Backlog Manager added a comment - 09/Feb/17 12:05 AM

2017-02-09 00:05|CREATED monitor | # answers= 0, accepted answer= False

Show

Backlog Manager added a comment - 09/Feb/17 12:05 AM 2017-02-09 00:05|CREATED monitor | # answers= 0, accepted answer= False

Backlog Manager made changes - 09/Feb/17 12:05 AM

Field	Original Value	New Value
Component/s		FIWARE-TECH-HELP [ 10278 ]

Fernando Lopez made changes - 09/Feb/17 9:49 AM

HD-Enabler		KeyRock [ 10889 ]
Description	Created question in FIWARE Q/A platform on 08-02-2017 at 21:02 {color: red}Please, ANSWER this question AT{color} http://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to +Question:+ FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?) +Description:+ In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A). Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?	Created question in FIWARE Q/A platform on 08-02-2017 at 21:02 {color: red}Please, ANSWER this question AT{color} http://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to +Question:+ FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?) +Description:+ In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A). Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?
HD-Chapter		Security [ 10841 ]

Fernando Lopez made changes - 09/Feb/17 9:49 AM

Assignee

Alvaro Alonso [ aalonsog ]

Alvaro Alonso made changes - 09/Feb/17 12:25 PM

Status

Open [ 1 ]

In Progress [ 3 ]

Alvaro Alonso made changes - 09/Feb/17 12:25 PM

Status

In Progress [ 3 ]

Answered [ 10104 ]

Alvaro Alonso made changes - 09/Feb/17 12:25 PM

Resolution		Done [ 10000 ]
Status	Answered [ 10104 ]	Closed [ 6 ]

Fernando Lopez made changes - 27/May/21 10:52 AM

Fix Version/s

2021 [ 12600 ]

Transition

Time In Source Status

Execution Times

Last Executer

Last Execution Date

Open

In Progress

12h 20m

Alvaro Alonso

09/Feb/17 12:25 PM

In Progress

Answered

Alvaro Alonso

09/Feb/17 12:25 PM

Answered

Closed

Alvaro Alonso

09/Feb/17 12:25 PM

People

Assignee:

Alvaro Alonso

Reporter:

Backlog Manager

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

09/Feb/17 12:05 AM

Updated:

27/May/21 10:52 AM

Resolved:

09/Feb/17 12:25 PM

Agile

View on Board