
Dashboard secure login

Open p0lyn0mial opened this issue 6 years ago • 4 comments

Note: Issues relating to this epic are managed via ZenHub.

At the moment the dashboard uses the OAuth Implicit Grant flow for login. This is bad for at least two reasons. Firstly, the Implicit flow is not considered secure, mainly because the ID token is returned in the URL. Secondly, its lifetime is usually short; it's one day in our case and requires users to constantly log into the app.

To solve the mentioned issues we could use Authorization Code; below is a simplified diagram depicting the interactions between the actors.

User (Browser) <—— (1, 4) ——> Server <—— (2, 3) ——> OIDC Provider

In step 1 a user sends a request to a server without exposing any credentials like the Client ID (as in Implicit Grant); next, the server and the provider exchange a series of requests. At the end the server gets both the ID and Refresh tokens. In step 4 the tokens are sent back to the user.

Tokens are considered confidential and should be stored carefully, therefore:

  • The ID token should be valid only for a short period of time, for example 10 minutes.
  • The Refresh token could be valid for 30 days or so.
  • The ID token doesn't have to be persisted in a cookie or web storage. It could be simply saved in memory.
    The token could be saved in a global variable accessible to our code. On startup, the app could use
    the Refresh token to get a new ID token.
  • The Refresh token could be stored in a secure cookie read only on the server; set the httpOnly, secure and SameSite=strict flags for the cookie.
  • The Refresh token stored in a cookie should be sent only to some endpoints, not all (set the cookie path).
    If the path is not set then the cookie is sent for the whole domain; for example, each request to dev.kubermatic.io includes the cookie. This means that the cookie could be read by the API server, the controllers and the dashboard. This is not necessary because the cookie only needs to be read by two endpoints: one for refreshing the ID token and one for handling the "download kubeconfig" endpoint.
  • The Refresh token is used to get a new ID token.

p0lyn0mial avatar Mar 05 '19 08:03 p0lyn0mial
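An added example (not code from the issue or from Kubermatic) showing what the cookie bullets above amount to in Go's net/http: the refresh token set as an HttpOnly, Secure, SameSite=Strict cookie scoped to two assumed endpoint paths, and a cookie jar used to check which requests a browser would actually attach it to. The endpoint paths and the token value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"time"
)

// Assumed endpoint paths (not from the issue): the only two that need the cookie.
const refreshPath, kubeconfigPath = "/api/v1/auth/refresh", "/api/v1/auth/kubeconfig"

// RefreshTokenCookie builds the cookie the issue describes: HttpOnly (no JS access),
// Secure (TLS only), SameSite=Strict, scoped to one path so browsers omit it elsewhere.
func RefreshTokenCookie(token, path string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{Name: "refresh_token", Value: token, Path: path,
		Expires: time.Now().Add(ttl), HttpOnly: true, Secure: true,
		SameSite: http.SameSiteStrictMode}
}

// RecordResponse plays the server side of step 4: one path-scoped cookie per
// endpoint that needs the refresh token, with the 30-day lifetime suggested above.
func RecordResponse(refreshToken string) *http.Response {
	rec := httptest.NewRecorder()
	for _, p := range []string{refreshPath, kubeconfigPath} {
		http.SetCookie(rec, RefreshTokenCookie(refreshToken, p, 30*24*time.Hour))
	}
	return rec.Result()
}

// CookieSentTo reports whether a browser that stored resp's cookies for baseURL would
// attach one to a request for reqPath; the jar applies RFC 6265 path and Secure rules.
func CookieSentTo(resp *http.Response, baseURL, reqPath string) bool {
	jar, _ := cookiejar.New(nil)
	u, _ := url.Parse(baseURL)
	jar.SetCookies(u, resp.Cookies()) // only refresh_token cookies end up in the jar
	target := *u
	target.Path = reqPath
	return len(jar.Cookies(&target)) > 0
}

func main() {
	resp := RecordResponse("constructed-refresh-token")
	for _, p := range []string{refreshPath, kubeconfigPath, "/api/v1/projects", "/"} {
		fmt.Printf("%-26s cookie sent: %v\n", p, CookieSentTo(resp, "https://dev.kubermatic.io/", p))
	}
}
```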

@kubermatic/ui-team this issue is over a year old, is it still relevant?

cschieder avatar Sep 22 '20 11:09 cschieder

Quite relevant. This requires some backend changes though.

floreks avatar Sep 22 '20 11:09 floreks

This is still relevant and important for our customers.

ahmedwaleedmalik avatar Mar 04 '24 10:03 ahmedwaleedmalik

Tracked as part of https://support.kubermatic.com/a/tickets/6068?current_tab=details support ticket.

archups avatar Mar 15 '24 07:03 archups