
New Auditor: Flag Identity Providers with disabled signature verification #37

Merged (3 commits), Oct 1, 2024

Conversation

@malexmave (Collaborator) commented Oct 1, 2024

This PR adds an auditor that checks if a configured Identity Provider does not verify the signature on the tokens of the upstream identity provider. This can lead to dangerous vulnerabilities.

At the moment, it only checks for OIDC and Keycloak-OIDC IDPs. I will have to check which other IDP presets have a similar setting, and adapt the pull request accordingly. Hence, it is a draft.

The auditor now supports both SAML and OIDC. Other identity providers do not seem to have an option to disable verification and should thus be safe by default.

Closes #15.
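As an added illustration (not the project's own auditor code, which the page does not show), the following Python check walks a Keycloak realm export and flags identity providers of the three affected types whose signature validation is off, while skipping providers that have no such toggle. The providerId strings, the validateSignature config key, the treatment of a missing key as disabled, and the sample realm JSON are assumptions of this example rather than facts taken from the PR.

```python
"""Illustrative auditor: flag Keycloak identity providers whose signature
validation is disabled. Added example, not the project's own code."""
import json
from dataclasses import dataclass

# providerId values that expose a signature-validation toggle. Per the PR
# text these are the OIDC, Keycloak-OIDC and SAML providers; other providers
# are skipped because they have no such option. The literal providerId
# strings are assumed from Keycloak's realm export format.
PROVIDERS_WITH_TOGGLE = {"oidc", "keycloak-oidc", "saml"}

# Config key carrying the toggle in a realm export (assumed; Keycloak stores
# config values as the strings "true"/"false").
SIGNATURE_KEY = "validateSignature"


@dataclass(frozen=True)
class Finding:
    alias: str
    provider_id: str
    severity: str
    reason: str


def _is_true(value) -> bool:
    """Keycloak serialises config values as strings; accept real booleans too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def audit_idp_signature_validation(realm: dict) -> list[Finding]:
    """Return one Finding per IDP that does not verify upstream signatures."""
    findings: list[Finding] = []
    for idp in realm.get("identityProviders", []):
        alias = idp.get("alias", "<no alias>")
        provider_id = idp.get("providerId", "")
        if provider_id not in PROVIDERS_WITH_TOGGLE:
            continue  # no toggle exists, so verification cannot be disabled
        config = idp.get("config") or {}
        if SIGNATURE_KEY not in config:
            # Assumption: Keycloak treats an absent key as "false", so an
            # unset toggle is reported, at lower severity, for manual review.
            findings.append(Finding(alias, provider_id, "medium",
                                    f"{SIGNATURE_KEY} is not set (defaults to disabled)"))
        elif not _is_true(config[SIGNATURE_KEY]):
            findings.append(Finding(alias, provider_id, "critical",
                                    f"{SIGNATURE_KEY}={config[SIGNATURE_KEY]!r}: "
                                    "unsigned tokens/assertions from the upstream IDP are accepted"))
    return findings


# Constructed realm export fragment for demonstration (not from a real deployment).
SAMPLE_REALM = json.loads("""
{
  "realm": "example",
  "identityProviders": [
    {"alias": "corp-oidc", "providerId": "oidc",
     "config": {"issuer": "https://idp.example/realms/corp",
                "useJwksUrl": "true", "validateSignature": "false"}},
    {"alias": "partner-saml", "providerId": "saml",
     "config": {"validateSignature": "true", "wantAssertionsSigned": "true"}},
    {"alias": "legacy-kc", "providerId": "keycloak-oidc",
     "config": {"issuer": "https://old.example/realms/legacy"}},
    {"alias": "github", "providerId": "github",
     "config": {"clientId": "abc"}}
  ]
}
""")


def audit_sample() -> list[Finding]:
    """Run the check over the constructed realm above."""
    return audit_idp_signature_validation(SAMPLE_REALM)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.severity}] {f.alias} ({f.provider_id}): {f.reason}")
```

On the sample realm this reports corp-oidc as critical (toggle explicitly off) and legacy-kc as medium (toggle absent), and ignores partner-saml and the social provider. Comparing case-insensitively matters because the toggle is a string in the export, not a boolean.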

@malexmave malexmave self-assigned this Oct 1, 2024
@malexmave malexmave added the enhancement New feature or request label Oct 1, 2024
@twwd twwd previously approved these changes Oct 1, 2024
@malexmave malexmave marked this pull request as ready for review October 1, 2024 12:33
@malexmave malexmave requested a review from twwd October 1, 2024 12:34
@malexmave malexmave changed the title New Auditor: Flag OIDC Identity Providers with disabled signature verification New Auditor: Flag Identity Providers with disabled signature verification Oct 1, 2024
@twwd twwd force-pushed the feature/oidc-idp-without-signature-checks branch from ee05b3a to 167a99c October 1, 2024 12:43
@twwd twwd enabled auto-merge (squash) October 1, 2024 12:44
@twwd twwd merged commit 546e20a into main Oct 1, 2024
3 checks passed
@twwd twwd deleted the feature/oidc-idp-without-signature-checks branch October 1, 2024 12:44
Labels: enhancement (New feature or request)

Development: successfully merging this pull request may close the issue "New Check: Signature Verification for IDPs disabled".