Use Application#confidential? to determine revocation auth eligibility #1119
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Since this is security related, is it worth backporting to 4.x? Would require #1031 to also be backported. |
|
I don't sure we can backport it due to incompatibility issues. Everyone need to migrate new columns and so on. |
OAuth applications that obtain an access token using the "implicit" grant flow will have their ID set on the token record. Unfortunately this causes the revocation controller code to think it's as confidential application. Because of this, Doorkeeper enforces oauth client authentication and the revocation call fails. Fixes doorkeeper-gem#891 Add NEWS entry Add specs for both public and confidential apps in revocation
|
@nbulaj this can be merged for 5.x fix. Semver is getting in the way here, because I agree that we cannot "backport" to 4.x without requiring an upgrade path. #1031 defaults all apps as confidential, so it maintains backwards compatibility in that sense. However developers must:
I'm not familiar with the rules around stuff like this, but can't we autogenerate some "hey you're using 4.2.0-secfix1, please run 🤷♂️ |
|
No problem for the 5.x release, yes,. What about 4.x - I'll think on it tomorow. Thanks! |
camallen
added a commit
to camallen/Panoptes
that referenced
this pull request
Jul 26, 2018
WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891
jfly
added a commit
to jfly/worldcubeassociation.org
that referenced
this pull request
Jul 30, 2018
…st install message: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 This adds the mentioned migration, but does not bother to set confidential to false for public applications. As far as I can tell, this just means that despite upgrading doorkeeper, it will still not be possible for public applications to revoke tokens, so we're no worse off than we were before. I believe that in doorkeeper 5, there will be a UI that allows application developers to decide if their application is "confidential" or not. I think it's ok for us to just wait for that day, and leave this effort on our various 3rd party developers.
jfly
added a commit
to jfly/worldcubeassociation.org
that referenced
this pull request
Jul 31, 2018
…st install message: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 This adds the mentioned migration, but does not bother to set confidential to false for public applications. As far as I can tell, this just means that despite upgrading doorkeeper, it will still not be possible for public applications to revoke tokens, so we're no worse off than we were before. I believe that in doorkeeper 5, there will be a UI that allows application developers to decide if their application is "confidential" or not. I think it's ok for us to just wait for that day, and leave this effort on our various 3rd party developers.
jfly
added a commit
to jfly/worldcubeassociation.org
that referenced
this pull request
Jul 31, 2018
…st install message: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 This adds the mentioned migration, but does not bother to set confidential to false for public applications. As far as I can tell, this just means that despite upgrading doorkeeper, it will still not be possible for public applications to revoke tokens, so we're no worse off than we were before. I believe that in doorkeeper 5, there will be a UI that allows application developers to decide if their application is "confidential" or not. I think it's ok for us to just wait for that day, and leave this effort on our various 3rd party developers.
jfly
added a commit
to thewca/worldcubeassociation.org
that referenced
this pull request
Jul 31, 2018
…st install message: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 This adds the mentioned migration, but does not bother to set confidential to false for public applications. As far as I can tell, this just means that despite upgrading doorkeeper, it will still not be possible for public applications to revoke tokens, so we're no worse off than we were before. I believe that in doorkeeper 5, there will be a UI that allows application developers to decide if their application is "confidential" or not. I think it's ok for us to just wait for that day, and leave this effort on our various 3rd party developers.
camallen
pushed a commit
to zooniverse/panoptes
that referenced
this pull request
Aug 7, 2018
* [Security] Bump doorkeeper from 4.2.6 to 4.4.0 Bumps [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) from 4.2.6 to 4.4.0. **This update includes security fixes.** - [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases) - [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/master/NEWS.md) - [Commits](doorkeeper-gem/doorkeeper@v4.2.6...v4.4.0) Signed-off-by: dependabot[bot] <[email protected]> * add confidential column to oauth_applications WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891 * add note on what this migration default value means some of our apps (first_party password / session grants and implicit) will require the non-default value of confidential = false * switch to non-confidential oauth application ensure the spec testing devise session to token via password grant (#101) uses a non-confidential application * add data migration for oauth confidential attribute set confidential to false for implicit, native apps as well as any first party apps that use the password grant without supplying the client secret (PFE / python client). * move comment to be more informative * only change apps we know use non-confidential password flow avoid changing other apps that may be using client_id & client_secrets to authenticate, only update the first party apps we know about.
kaznum
added a commit
to kaznum/sanataro
that referenced
this pull request
Nov 14, 2019
Post-install message from doorkeeper: WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211) There is no breaking change in this release, however to take advantage of the security fix you must: 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit) 3. Update their `confidential` column to `false` for those public apps This is a backported security release. For more information: * doorkeeper-gem/doorkeeper#1119 * doorkeeper-gem/doorkeeper#891
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OAuth applications that obtain an access token using the "implicit" grant flow will have their ID set on the token record. Unfortunately this causes the revocation controller code to think it's as confidential application. Because of this, Doorkeeper enforces oauth client authentication and the revocation call fails.
Fixes #891