
Access allowed despite authentication failure

Open · edwardsph opened this issue 4 years ago · 1 comment

Testing version: 5.6.4

Having got an access token using DPoP, if I make a request to a resource but use the token in Bearer mode instead of signing the request with DPoP again, the request succeeds whilst also reporting access denied.

www-authenticate: [Bearer realm="https://inrupt.net", error="access_denied", error_description="Token does not pass the audience allow filter"]

Similarly, if I create a bad DPoP token using the wrong htm I still get the resource despite:

www-authenticate: [Bearer realm="https://inrupt.net", error="invalid_token", error_description="Invalid PoP token"]

Lastly, creating an invalid DPoP token with a different htu gives me:

www-authenticate: [Bearer realm="https://inrupt.net", error="invalid_token", error_description="htu https://solid-test-suite-alice.inrupt.net/private/asdasd does not match https://solid-test-suite-alice.inrupt.net/private/"]

whilst also succeeding with the request.

I was just about to post this when I thought of other tests I could do. I sent an invalid Bearer token and it still worked:

www-authenticate: [Bearer realm="https://inrupt.net", error="invalid_token", error_description="Access token is not a JWT"]

It seems that having an active session overrides all other security considerations as all the above fail when there is no session.

edwardsph · Feb 23 '21 08:02
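The behaviour reported above comes down to one decision: which identity a request acts as when it carries both a cookie session and an Authorization header. The following is an added example, not node-solid-server code; tokens, proof claims, the realm and the `req` object are constructed stand-ins for the real DPoP/Bearer checks. It puts the "record the error but fall back to the session" pattern next to a fail-closed version.

```javascript
const REALM = 'https://idp.example'; // constructed realm, not a real identity provider

// Constructed token store: token -> { webId, bound } (bound = DPoP-bound token).
const TOKENS = {
  'hdr.dpop.sig': { webId: 'https://alice.example/profile#me', bound: true },
  'hdr.plain.sig': { webId: 'https://bob.example/profile#me', bound: false },
};

// Check the presented credential. Returns { webId } on success, otherwise
// { error, description } using the same fields as the WWW-Authenticate headers above.
function checkCredential(req) {
  const [scheme, token = ''] = req.headers.authorization.split(' ');
  if (token.split('.').length !== 3) return { error: 'invalid_token', description: 'Access token is not a JWT' };
  const entry = TOKENS[token];
  if (!entry) return { error: 'invalid_token', description: 'Unknown token' };
  if (scheme === 'Bearer' && entry.bound)
    return { error: 'access_denied', description: 'Token does not pass the audience allow filter' };
  if (scheme === 'DPoP') {
    const proof = req.headers.dpop || {}; // constructed: proof claims already decoded and signature-checked
    if (proof.htm !== req.method) return { error: 'invalid_token', description: 'Invalid PoP token' };
    if (proof.htu !== req.url) return { error: 'invalid_token', description: `htu ${proof.htu} does not match ${req.url}` };
  }
  return { webId: entry.webId };
}

const challenge = (r) => `Bearer realm="${REALM}", error="${r.error}", error_description="${r.description}"`;
const fromSession = (req) => req.session && req.session.webId
  ? { status: 200, webId: req.session.webId, wwwAuthenticate: null }
  : { status: 401, webId: null, wwwAuthenticate: `Bearer realm="${REALM}"` };

// Reported behaviour: the failed check is written into WWW-Authenticate, but the cookie
// session still authorises the request, so the client sees 200 plus an error header.
function authenticateFallback(req) {
  if (!req.headers.authorization) return fromSession(req);
  const r = checkCredential(req);
  if (r.webId) return { status: 200, webId: r.webId, wwwAuthenticate: null };
  const viaSession = fromSession(req);
  return { ...viaSession, wwwAuthenticate: challenge(r) };
}

// Fail closed: a credential that was presented but does not verify ends the request
// with 401 whatever the session holds; the session is consulted only when no
// Authorization header was sent at all.
function authenticateFailClosed(req) {
  if (!req.headers.authorization) return fromSession(req);
  const r = checkCredential(req);
  if (r.webId) return { status: 200, webId: r.webId, wwwAuthenticate: null };
  return { status: 401, webId: null, wwwAuthenticate: challenge(r) };
}
```

A quick regression check for a deployment is to assert that no response ever pairs a 2xx status with a `WWW-Authenticate` header carrying an `error=` parameter, which is exactly the combination the report shows.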

I'm not sure if this is 100% related, but the error message is similar, so I will add it here. In some cases, I get the header response:

AnyHashable("Www-Authenticate"): "Bearer realm=\"https://inrupt.net\", error=\"invalid_token\", error_description=\"htu https://crspybits.inrupt.net/NewDirectory does not match https://crspybits.inrupt.net/NewDirectory/\"",

I get a 200 HTTP status code response.

What's further unusual about this is that it does not always happen. I'm still evaluating, but it seems if the NewDirectory path doesn't exist on the server, it doesn't happen. Put another way, it seems the comparison between the htu field and the url used in the request differs depending on if the resource exists on the server. I'm using a GET lookup request like https://www.w3.org/TR/ldp-primer/#filelookup to do this test.

crspybits · Aug 22 '21 00:08