[HELP-8804] [fiware-stackoverflow] FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?) - JIRA

Details

Type: Monitor
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 2021
Component/s: FIWARE-TECH-HELP
Labels:

Source URL:
https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to
HD-Chapter:
Security
HD-Enabler:
KeyRock

Description

Created question in FIWARE Q/A platform on 08-02-2017 at 21:02
Please, ANSWER this question AT https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to

Question:
FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)

Description:
In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A).

Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?

Activity

Descending order - Click to sort in ascending order

Transition

Time In Source Status

Execution Times

Last Executer

Last Execution Date

Open

In Progress

2h 58m

Backlog Manager

22/May/17 6:04 PM

In Progress

Answered

2h 59m

Backlog Manager

22/May/17 9:04 PM

Answered

Closed

6d 16h 8m

José Ignacio Carretero Guarde

29/May/17 1:13 PM

Fernando Lopez made changes - 27/May/21 10:59 AM

Fix Version/s

2021 [ 12600 ]

José Ignacio Carretero Guarde made changes - 29/May/17 1:13 PM

Resolution		Done [ 10000 ]
Status	Answered [ 10104 ]	Closed [ 6 ]

Fernando Lopez made changes - 28/May/17 8:04 PM

HD-Enabler		KeyRock [ 10889 ]
Description	Created question in FIWARE Q/A platform on 08-02-2017 at 21:02 {color: red}Please, ANSWER this question AT{color} https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to +Question:+ FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?) +Description:+ In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A). Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?	Created question in FIWARE Q/A platform on 08-02-2017 at 21:02 {color: red}Please, ANSWER this question AT{color} https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to +Question:+ FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?) +Description:+ In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A). Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?
HD-Chapter		Security [ 10841 ]

Fernando Lopez made changes - 28/May/17 8:03 PM

Assignee

Alvaro Alonso [ aalonsog ]

Hide

Permalink

Backlog Manager added a comment - 22/May/17 9:04 PM

2017-05-22 21:06|UPDATED status: transition Answered| # answers= 1, accepted answer= False

Show

Backlog Manager added a comment - 22/May/17 9:04 PM 2017-05-22 21:06|UPDATED status: transition Answered| # answers= 1, accepted answer= False

Backlog Manager made changes - 22/May/17 9:04 PM

Status

In Progress [ 3 ]

Answered [ 10104 ]

Hide

Permalink

Backlog Manager added a comment - 22/May/17 6:04 PM

2017-05-22 18:06|UPDATED status: transition Answer| # answers= 1, accepted answer= False

Show

Backlog Manager added a comment - 22/May/17 6:04 PM 2017-05-22 18:06|UPDATED status: transition Answer| # answers= 1, accepted answer= False

Backlog Manager made changes - 22/May/17 6:04 PM

Status

Open [ 1 ]

In Progress [ 3 ]

Backlog Manager made changes - 22/May/17 3:06 PM

Field	Original Value	New Value
Component/s		FIWARE-TECH-HELP [ 10278 ]

Hide

Permalink

Backlog Manager added a comment - 22/May/17 3:06 PM

2017-05-22 15:07|CREATED monitor | # answers= 1, accepted answer= False

Show

Backlog Manager added a comment - 22/May/17 3:06 PM 2017-05-22 15:07|CREATED monitor | # answers= 1, accepted answer= False

Backlog Manager created issue - 22/May/17 3:06 PM

People

Assignee:

Alvaro Alonso

Reporter:

Backlog Manager

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

22/May/17 3:06 PM

Updated:

27/May/21 10:59 AM

Resolved:

29/May/17 1:13 PM

Agile

View on Board