
Allow cross provider oauth2 token introspection and restrict to confidential clients #11618

Open
bcollet opened this issue Oct 5, 2024 · 1 comment · May be fixed by #11617


bcollet commented Oct 5, 2024

Is your feature request related to a problem? Please describe.

Authentik's current implementation only allows for the introspection of tokens generated with the provider used to authenticate against the introspection endpoint.

This is an issue because the resource server is then required to use the same provider as the client and it prevents the use of multiple providers, each with their own client_id (let's say Thunderbird, Roundcube and mutt) to access a resource server (a Dovecot server for instance).

Describe the solution you'd like

See #11617

Remove the provider filter when retrieving tokens.

Additionally, to prevent token fishing from public applications, I believe that restricting the introspection endpoint to confidential clients would be beneficial (and one could argue that a public client does not satisfy RFC 7662 requirements for authentication).

Because of issue #11616 I don't think it is likely that preventing public clients from using the introspection endpoint will cause much harm.

Describe alternatives you've considered

Instead of allowing the introspection of all tokens, a per-provider option or scope (as described here for instance) could be an alternative, albeit one requiring more involvement.

@bcollet bcollet added the enhancement New feature or request label Oct 5, 2024
@matt1097

I concur that machine-to-machine is effectively broken in 2024.8.3.
It looks like #11537 fixed a CVE and this was a side effect.

I really would +1 your alternative approach as the better fix, although agreed that is a lot more work: allowing each application to opt into which applications it wants to allow into an API.
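To make the two proposals in this thread concrete, here is an added example (not Authentik's code and not from either commenter): a minimal RFC 7662-style introspection handler in plain Python. It looks tokens up without filtering by the provider that authenticated the caller (the change requested in the issue), rejects public clients as the issue suggests, and also shows the alternative raised in this comment, an optional per-provider opt-in list naming which providers' tokens a resource server may introspect. All provider names, secrets, tokens and timestamps are constructed for the example.

```python
"""Constructed RFC 7662-style introspection endpoint demonstrating:
  1. token lookup across all providers (no provider filter);
  2. confidential clients only (public clients get 401 invalid_client);
  3. an optional per-provider opt-in list (the alternative design).
Not Authentik's implementation; every identifier below is made up."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Provider:
    client_id: str
    client_secret: Optional[str]                 # None marks a public client
    introspect_from: Optional[frozenset] = None  # None: may introspect any provider's tokens;
                                                 # a set: only tokens from those providers

    @property
    def confidential(self) -> bool:
        return self.client_secret is not None


@dataclass(frozen=True)
class Token:
    provider_id: str  # the provider (client_id) this token was issued to
    sub: str
    scope: str
    exp: int          # unix time at which the token expires


# Constructed registry: three mail clients plus two resource servers.
PROVIDERS = {
    "thunderbird": Provider("thunderbird", None),                           # public client
    "roundcube":   Provider("roundcube", "rc-secret"),
    "mutt":        Provider("mutt", None),                                  # public client
    "dovecot":     Provider("dovecot", "dv-secret"),                        # may introspect any token
    "caldav":      Provider("caldav", "cd-secret", frozenset({"thunderbird"})),  # opt-in list
}
TOKENS = {
    "tok-tb-1": Token("thunderbird", "alice", "email", 1_700_000_600),
    "tok-rc-1": Token("roundcube", "bob", "email", 1_700_000_600),
    "tok-old":  Token("mutt", "carol", "email", 1_699_999_000),  # already expired at NOW
}
NOW = 1_700_000_000  # constructed "current time" so the example is deterministic


def authenticate_client(client_id: str, client_secret: Optional[str]) -> Optional[Provider]:
    """Return the calling Provider only if it is confidential and presents the right secret."""
    provider = PROVIDERS.get(client_id)
    if provider is None or not provider.confidential:
        return None  # unknown client, or a public client: cannot authenticate to this endpoint
    if client_secret is None:
        return None
    # constant-time comparison so secret checking does not leak timing information
    if not hmac.compare_digest(provider.client_secret.encode(), client_secret.encode()):
        return None
    return provider


def introspect(client_id: str, client_secret: Optional[str], token: str, now: int = NOW):
    """Return (http_status, json_body) for an introspection request."""
    caller = authenticate_client(client_id, client_secret)
    if caller is None:
        return 401, {"error": "invalid_client"}
    # No provider filter here: Dovecot (one provider) can see tokens issued to Thunderbird (another).
    tok = TOKENS.get(token)
    if tok is None or tok.exp <= now:
        return 200, {"active": False}
    # Opt-in list in effect: a token from a provider the caller did not opt into is reported
    # as inactive rather than as an error, which is what RFC 7662 prescribes for that case.
    if caller.introspect_from is not None and tok.provider_id not in caller.introspect_from:
        return 200, {"active": False}
    return 200, {
        "active": True,
        "client_id": tok.provider_id,
        "sub": tok.sub,
        "scope": tok.scope,
        "exp": tok.exp,
    }


if __name__ == "__main__":
    print(introspect("dovecot", "dv-secret", "tok-tb-1"))   # cross-provider lookup succeeds
    print(introspect("thunderbird", None, "tok-tb-1"))      # public client is refused
    print(introspect("caldav", "cd-secret", "tok-rc-1"))    # not in caldav's opt-in list
```

The design point worth noting is that "not entitled to introspect this token" and "token does not exist" both produce the same `{"active": false}` response, so a caller cannot use the endpoint to probe which tokens exist for other providers; only the client authentication failure is distinguished, with a 401.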
