Bug #4692
Status: closed
[API] Prompt user when logging in to a client for the first time.
Description
Background: A third party web service can use a link or redirect to send a user's browser through the login process, which culminates in the third party receiving an API token. This facilitates user-deployed applications against production API services, but it also gives a malicious third party an opportunity to trick a user into sending the user's API key to the third party.
Fix:
When user A arrives at the API server's login process with a return_to URL that is not already trusted by this user, the user should be prompted to understand and accept this situation before continuing. (The user should have the option to remember this decision for next time.)
The API admin should be able to configure a whitelist in services/api/config/application.yml. This could default to workbench_address.
The user-managed whitelist can be stored in the user's prefs hash.
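The decision logic described above (admin whitelist from application.yml defaulting to workbench_address, user-managed whitelist in the prefs hash, prompt on first use, remember on request), as an added example in Ruby. This is illustrative code written for this page, not the Arvados API server's implementation; the configuration key `trusted_return_to`, the prefs key `trusted_return_to`, and all hostnames are assumptions constructed for the example. The point worth seeing is that a return_to URL is compared by origin (scheme, host and port) rather than by string prefix, so a whitelist entry cannot be matched by a look-alike host or by a URL whose userinfo part imitates the trusted hostname.

```ruby
require 'uri'

# Decides whether the login flow may hand an API token back to a
# return_to URL without first prompting the user.
# Added example, not Arvados code; key names are assumptions.
module ReturnToPolicy
  PREFS_KEY  = 'trusted_return_to'.freeze # assumed key in the user's prefs hash
  CONFIG_KEY = 'trusted_return_to'.freeze # assumed key in application.yml

  # Normalise a URL to its origin, e.g. "https://workbench.example.com:443".
  # Returns nil for anything that is not an absolute http(s) URL, so
  # non-web schemes can never match a whitelist entry.
  def self.origin_of(url)
    uri = URI.parse(url.to_s)
    return nil unless uri.is_a?(URI::HTTP) && uri.host
    port = uri.port || (uri.scheme.downcase == 'https' ? 443 : 80)
    "#{uri.scheme.downcase}://#{uri.host.downcase}:#{port}"
  rescue URI::InvalidURIError
    nil
  end

  # Admin whitelist from the application config; falls back to the
  # single workbench_address when no explicit list is configured.
  def self.admin_whitelist(config)
    list = config[CONFIG_KEY]
    return Array(list) if list && !Array(list).empty?
    Array(config['workbench_address'])
  end

  # :reject  - return_to is not an http(s) URL at all
  # :trusted - origin is on the admin list or in the user's saved prefs
  # :prompt  - first visit to this origin; ask the user before continuing
  def self.decide(return_to, config, user_prefs)
    origin = origin_of(return_to)
    return :reject if origin.nil?
    trusted = (admin_whitelist(config) + Array(user_prefs[PREFS_KEY]))
              .map { |u| origin_of(u) }.compact
    trusted.include?(origin) ? :trusted : :prompt
  end

  # Record the user's "remember this decision for next time" choice.
  # Only the normalised origin is stored, never the full URL.
  def self.remember!(user_prefs, return_to)
    origin = origin_of(return_to)
    raise ArgumentError, 'return_to is not an http(s) URL' if origin.nil?
    list = (user_prefs[PREFS_KEY] ||= [])
    list << origin unless list.include?(origin)
    user_prefs
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: a config with only workbench_address set,
  # and a user who has not yet trusted any third-party client.
  config = { 'workbench_address' => 'https://workbench.example.com' }
  prefs  = {}
  [
    'https://workbench.example.com/users/welcome',        # admin default
    'https://workbench.example.com.evil.example/cb',      # look-alike host
    'https://workbench.example.com@evil.example/cb',      # userinfo trick
    'https://myapp.example/callback',                     # genuine new client
    'ftp://workbench.example.com/'                        # not http(s)
  ].each { |url| puts "#{url.ljust(50)} => #{ReturnToPolicy.decide(url, config, prefs)}" }

  ReturnToPolicy.remember!(prefs, 'https://myapp.example/callback')
  puts "after remember: #{ReturnToPolicy.decide('https://myapp.example/other', config, prefs)}"
end
```

Running the file prints one decision per sample URL, then shows that once the user has chosen to remember `myapp.example` the next login through a different path on that origin no longer prompts.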
From IRC:
<tetron> tomclegg: so OAuth does require an secret client token
<tetron> tomclegg: but workbench doesn't use OAuth to authenticate to API server.
<tetron> tomclegg: API server uses OAuth with the SSO server
<tetron> tomclegg: so that's probably a weak link
Updated by Tom Clegg about 10 years ago
- Subject changed from [API] Potential vulnerability: Any client can perform log in process to receive an API token to [API] Prompt user when logging in to a client for the first time.
- Description updated (diff)
- Category set to API
- Story points set to 2.0
Updated by Ward Vandewege over 3 years ago
- Target version deleted (Arvados Future Sprints)