
Basic authentication with app password is always evaluated in local context (127.0.0.1)

Open atanasenko opened this issue 5 months ago • 0 comments

Describe the bug

When authenticating a user with basic auth (with an app password for that user), the token is validated using a separate internal request to /application/o/token/. All policies are run against that context, which prevents access to data from the original request. The client IP address is always 127.0.0.1, and no original headers are available.

This could also be a security problem if such policies are meant to prevent users from external networks from accessing applications: while this works with regular auth, basic auth with an app password allows bypassing it.

To Reproduce

Steps to reproduce the behavior:

  1. Create an app with an expression policy that returns ak_client_ip.is_private.
  2. Create an app password for a user.
  3. From public ip address: curl -u <user>:<appPassword> https://<app>.<domain>.<tld>
  4. Observe log

Expected behavior

At least the client IP and headers from the original request should be available to the policy.

Logs

Event info:

Action: Login
App: authentik.providers.oauth2.views.token
User: <user>
Created: 2/5/2024, 10:07:26 AM
Client IP: 127.0.0.1
Tenant: Default tenant

Context:

{
    "application": {
        "pk": "a55a03f1ba864783b0be7219642708af",
        "app": "authentik_core",
        "name": "<application>",
        "model_name": "application"
    },
    "auth_method": "token",
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "user_agent": "goauthentik.io/outpost/2023.10.7 (provider=<provider>)"
    },
    "auth_method_args": {
        "identifier": "<tokenId>"
    }
}

Version and Deployment (please complete the following information):

  • authentik version: [e.g. 2023.10]
  • Deployment: docker-compose

Additional context

Add any other context about the problem here.

atanasenko, Feb 05 '24 13:02
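To make the failure mode concrete, here is an added Python sketch (not authentik's code and not from the reporter): the report's expression policy evaluated against a public-address request and against the loopback token request, a hypothetical mitigation that carries the original client context into the internal request, and a detection that flags token-endpoint logins policy-checked from 127.0.0.1 in event records shaped like the one above. All IPs, headers and event values are constructed.

```python
import ipaddress
# Constructed model of the expression policy from the report, `return ak_client_ip.is_private`,
# evaluated against the two request contexts the report describes. This is not authentik's
# code; the context dicts and event records are made up to mirror the event shown above.

def policy_allows(ctx):
    """The expression policy: allow only clients coming from private address space."""
    return ipaddress.ip_address(ctx["client_ip"]).is_private

# The curl request as it arrives from a public address (sample value, constructed).
ORIGINAL_REQUEST = {"client_ip": "8.8.8.8", "path": "/", "headers": {"Host": "app.example.test"}}
# The internal request made to validate the app password: loopback, no original headers.
INTERNAL_TOKEN_REQUEST = {"client_ip": "127.0.0.1", "path": "/application/o/token/", "headers": {}}

def with_original_context(internal_ctx, original_ctx):
    """Hypothetical mitigation: carry the original client IP and headers into the internal
    token request so the policy is evaluated against the real caller."""
    merged = dict(internal_ctx)
    merged["client_ip"] = original_ctx["client_ip"]
    merged["headers"] = dict(original_ctx["headers"])
    return merged

def flag_loopback_token_logins(events):
    """Detection over event records: token-endpoint logins with auth_method 'token' and a
    loopback client IP were policy-checked without the caller's context. Returns token ids."""
    hits = []
    for ev in events:
        if ev["action"] != "login" or ev["app"] != "authentik.providers.oauth2.views.token":
            continue
        if ev["context"].get("auth_method") != "token":
            continue
        if ipaddress.ip_address(ev["client_ip"]).is_loopback:
            hits.append(ev["context"]["auth_method_args"].get("identifier"))
    return hits

# Constructed events: the first mirrors the report, the second is an ordinary password login.
SAMPLE_EVENTS = [
    {"action": "login", "app": "authentik.providers.oauth2.views.token", "client_ip": "127.0.0.1",
     "context": {"auth_method": "token", "auth_method_args": {"identifier": "token-123"},
                 "http_request": {"path": "/application/o/token/", "method": "POST"}}},
    {"action": "login", "app": "authentik.flows.views.executor", "client_ip": "8.8.8.8",
     "context": {"auth_method": "password", "auth_method_args": {},
                 "http_request": {"path": "/flows/-/default/authentication/", "method": "POST"}}},
]

if __name__ == "__main__":
    print(policy_allows(ORIGINAL_REQUEST), policy_allows(INTERNAL_TOKEN_REQUEST))   # False True
    print(policy_allows(with_original_context(INTERNAL_TOKEN_REQUEST, ORIGINAL_REQUEST)))  # False
    print(flag_loopback_token_logins(SAMPLE_EVENTS))  # ['token-123']
```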