
Flows should be aborted on policy errors

Open mzhaase opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.
When creating a flow that uses an expression policy, an error in the policy causes the last step of the flow to be executed. This can be a potential security issue.

If a policy throws an error, the intended behavior of the flow is undefined. The only safe default is to abort the flow. In my experiments, I had for example users being created although the policy should have prevented it, due to a policy error.

Describe the solution you'd like
The default for any created flow should be to abort if there is a policy error.

mzhaase avatar Oct 17 '24 12:10 mzhaase

When a policy throws an error, the behaviour is not undefined: you can configure the policy result for when a policy fails in the binding here: [screenshot]

BeryJu avatar Oct 17 '24 12:10 BeryJu

By undefined, I mean authentik cannot know what should happen. Therefore the default should be "Don't pass".

mzhaase avatar Oct 17 '24 12:10 mzhaase
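The disagreement above is about what a stage binding should report when its policy raises rather than cleanly returning True or False. The following is an added, self-contained model of that decision written for this thread; it is not authentik's implementation, and the names `PolicyBinding`, `failure_result`, `evaluate_policy`, `plan_flow`, the sample policy and the sample contexts are all assumptions chosen for illustration. It shows a buggy policy (it indexes a context key that is missing) attached to a user-creation stage, and how the stage runs under a fail-open binding but is skipped under a fail-closed default, which is the behaviour the reporter is asking for.

```python
"""
Illustrative model of fail-closed vs fail-open handling of a policy that
raises during evaluation. Added example code for this issue thread, not
authentik's code; all names below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class PolicyResult:
    passing: bool
    messages: tuple[str, ...] = ()


@dataclass
class PolicyBinding:
    """A policy attached to a stage.

    `failure_result` is what the binding reports when the policy *errors*
    (exception), as opposed to cleanly returning False. The default here is
    fail-closed: an erroring policy denies the stage.
    """
    name: str
    policy: Callable[[dict], bool]
    failure_result: bool = False


@dataclass
class Stage:
    name: str
    bindings: list[PolicyBinding] = field(default_factory=list)


def evaluate_policy(binding: PolicyBinding, context: dict) -> PolicyResult:
    """Return the policy's verdict, converting any exception into the
    binding's configured failure_result so the caller never sees an
    undefined outcome."""
    try:
        return PolicyResult(bool(binding.policy(context)))
    except Exception as exc:  # policy bug: missing key, type error, ...
        return PolicyResult(
            binding.failure_result,
            (f"{binding.name}: {type(exc).__name__}: {exc}",),
        )


def plan_flow(stages: list[Stage], context: dict) -> list[str]:
    """Names of the stages that will actually execute: a stage is planned
    only if every policy bound to it reports passing."""
    planned = []
    for stage in stages:
        results = [evaluate_policy(b, context) for b in stage.bindings]
        if all(r.passing for r in results):
            planned.append(stage.name)
    return planned


def require_eng_department(context: dict) -> bool:
    """Constructed sample policy. It is *buggy*: when the enrolling user has
    no 'attributes' entry it raises KeyError instead of returning False."""
    return context["attributes"]["department"] == "eng"


def build_flow(failure_result: bool) -> list[Stage]:
    """Constructed enrollment flow: a prompt stage, then user creation
    gated by the sample policy with the given failure_result."""
    gate = PolicyBinding("dept_check", require_eng_department, failure_result)
    return [Stage("prompt"), Stage("user_write", bindings=[gate])]


def demo() -> dict:
    """Same buggy policy, same broken context, two binding defaults."""
    broken_context: dict = {}  # constructed: no 'attributes' key at all
    return {
        "fail_open": plan_flow(build_flow(failure_result=True), broken_context),
        "fail_closed": plan_flow(build_flow(failure_result=False), broken_context),
        "error_message": evaluate_policy(
            build_flow(False)[1].bindings[0], broken_context
        ).messages,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With `failure_result=True` the erroring policy is counted as passing and `user_write` is planned, which is the account-creation-despite-policy outcome described in the report; with the fail-closed default the stage is skipped and the reason is preserved in the result's messages for debugging. Note that neither setting is "abort the flow": the stage is skipped or run, and the rest of the flow still proceeds, so a deployment that wants the reporter's stricter behaviour has to express it in the binding configuration or in flow design rather than expect the error itself to halt execution.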