Details
-
Type:
Monitor
-
Status: Closed
-
Priority:
Major
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: 2021
-
Component/s: FIWARE-TECH-HELP
-
HD-Chapter:Security
-
HD-Enabler:KeyRock
Description
Created question in FIWARE Q/A platform on 08-02-2017 at 21:02
Please, ANSWER this question AT https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to
Question:
FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)
Description:
In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A).
Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?
Activity
| Field | Original Value | New Value |
|---|---|---|
| Component/s | FIWARE-TECH-HELP [ 10278 ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Status | In Progress [ 3 ] | Answered [ 10104 ] |
| Assignee | Alvaro Alonso [ aalonsog ] |
| HD-Enabler | KeyRock [ 10889 ] | |
| Description |
Created question in FIWARE Q/A platform on 08-02-2017 at 21:02 {color: red}Please, ANSWER this question AT{color} https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to +Question:+ FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?) +Description:+ In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A). Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process? |
Created question in FIWARE Q/A platform on 08-02-2017 at 21:02
{color: red}Please, ANSWER this question AT{color} https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to +Question:+ FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?) +Description:+ In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A). Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process? |
| HD-Chapter | Security [ 10841 ] |
| Resolution | Done [ 10000 ] | |
| Status | Answered [ 10104 ] | Closed [ 6 ] |
| Fix Version/s | 2021 [ 12600 ] |