fiware-idm
Keyrock OIDC + oauth2-proxy seems to authorize any enabled user even if not authorized for the application.
I'm using Keyrock as the OIDC provider for oauth2-proxy in a k8s ingress. It works flawlessly, except that Keyrock also permits access to the oauth2-proxy upstream URL to users that are not authorized for the application or are not members of an organization authorized for it. Only when the user is not enabled in Keyrock is access to oauth2-proxy also denied. Access should be allowed only to users/orgs authorized for the given application.
Keyrock: 8.1.0
Oauth2-proxy: 7.2.0
At first glance the debug log shows that no queries are performed to assess whether a user is authorized in the application, only whether the user has already authorized the app to use their data. Then it prompts for the app's authorization.
Executing (default): SELECT `id`, `name`, `description`, `image`, `response_type`, `url`, `redirect_uri` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
Executing (default): SELECT `id`, `username`, `salt`, `password`, `enabled`, `email`, `gravatar`, `image`, `admin`, `date_password`, `starters_tour_ended`, `extra` FROM `user` AS `User` WHERE `User`.`email` = '<email_address>';
Executing (default): SELECT `User_Authorized_Application`.`id`, `User_Authorized_Application`.`shared_attributes`, `User_Authorized_Application`.`login_date`, `User_Authorized_Application`.`user_id`, `User_Authorized_Application`.`oauth_client_id`, `User`.`id` AS `User.id`, `User`.`username` AS `User.username`, `User`.`gravatar` AS `User.gravatar`, `User`.`image` AS `User.image`, `User`.`email` AS `User.email` FROM `user_authorized_application` AS `User_Authorized_Application` LEFT OUTER JOIN `user` AS `User` ON `User_Authorized_Application`.`user_id` = `User`.`id` WHERE `User_Authorized_Application`.`user_id` = 'yyyyyyyyyyyyyyyyyyyyyy' AND `User_Authorized_Application`.`oauth_client_id` = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' LIMIT 1;
POST /oauth2/authorize?approval_prompt=force&client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=http%3A%2F%2Flocalhost%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=zzzzzzzz 200 24.620 ms - 17381
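To make the mismatch concrete, here is an added Python sketch (not Keyrock's or oauth2-proxy's code) that contrasts the decision visible in the log above, an enabled user who consents, with the decision the report expects, an enabled user holding a role on the application directly or through an organization. The table shapes and ids are constructed assumptions loosely modelled on Keyrock's role_assignment and user_organization tables, and the audit helper lists users the observed rule lets through that the expected rule would not.

```python
# Constructed sample data (assumption: column names approximate Keyrock's
# tables; all ids and roles below are made up for illustration).
APP_ID = "xxxx-app"
USERS = {
    "user-a": {"enabled": True},   # consented, has a direct role
    "user-b": {"enabled": True},   # consented, no role anywhere
    "user-c": {"enabled": False},  # disabled account
    "user-d": {"enabled": True},   # role via organization membership
}
# user_authorized_application: users who already consented to share data.
USER_AUTHORIZED_APPLICATION = {("user-a", APP_ID), ("user-b", APP_ID)}
# role_assignment: roles granted for an application, to a user or an org.
ROLE_ASSIGNMENTS = [
    {"user_id": "user-a", "organization_id": None, "oauth_client_id": APP_ID, "role_id": "viewer"},
    {"user_id": None, "organization_id": "org-ops", "oauth_client_id": APP_ID, "role_id": "editor"},
]
# user_organization: organization membership.
USER_ORGANIZATIONS = {("user-d", "org-ops")}


def observed_check(user_id: str, client_id: str) -> bool:
    """Rule implied by the log: any enabled user gets in; missing consent only
    triggers the consent prompt, it does not deny access."""
    user = USERS.get(user_id)
    return bool(user and user["enabled"])


def expected_check(user_id: str, client_id: str) -> bool:
    """Rule the report asks for: enabled AND a role on this application,
    held directly or through an organization the user belongs to."""
    user = USERS.get(user_id)
    if not user or not user["enabled"]:
        return False
    orgs = {org for uid, org in USER_ORGANIZATIONS if uid == user_id}
    return any(
        ra["oauth_client_id"] == client_id
        and (ra["user_id"] == user_id or ra["organization_id"] in orgs)
        for ra in ROLE_ASSIGNMENTS
    )


def over_permitted(client_id: str) -> list[str]:
    """Audit helper: users the observed rule admits but the expected rule rejects."""
    return sorted(
        uid for uid in USERS
        if observed_check(uid, client_id) and not expected_check(uid, client_id)
    )


if __name__ == "__main__":
    print("over-permitted for", APP_ID, "->", over_permitted(APP_ID))
```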