Bug #4692

[API] Prompt user when logging in to a client for the first time.

Added by Peter Amstutz over 4 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assigned To: -
Category: API
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: 2.0

Description

Background: A third party web service can use a link or redirect to send a user's browser through the login process, which culminates in the third party receiving an API token. This facilitates user-deployed applications against production API services, but it also gives a malicious third party an opportunity to trick a user into sending the user's API key to the third party.

Fix:

When user A arrives at the API server's login process with a return_to URL that this user has not already trusted, the user should be prompted to understand and accept the situation before continuing. (The user should have the option to remember this decision for next time.)

The API admin should be able to configure a whitelist in services/api/config/application.yml. This could default to workbench_address.

The user-managed whitelist can be stored in the user's prefs hash.
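The trust check described above, as an added example that is not part of the Arvados code base: the return_to URL is reduced to its origin (scheme, host and port) and compared against the admin whitelist and the user's own remembered clients; the first-time case yields a prompt, and the user's "remember" choice is written back into the prefs hash. The whitelist contents, the `trusted_clients` key in the prefs hash and the function names are assumptions for this example; Arvados' application.yml and prefs layout are not reproduced here.

```ruby
require 'uri'

# Constructed stand-in for the admin whitelist that application.yml would
# hold (the issue suggests defaulting it to workbench_address). Assumption.
ADMIN_WHITELIST = ['https://workbench.example.org'].freeze

# Reduce a return_to URL to its origin, "scheme://host[:port]", so that the
# whitelist is matched by origin rather than by string prefix (a prefix match
# would accept any host that merely starts with a trusted name). Returns nil
# for anything that is not an absolute http(s) URL.
def client_origin(return_to)
  uri = URI.parse(return_to.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# True when the admin whitelist or the user's prefs hash (string keys,
# 'trusted_clients' => [origins]; assumed layout) already trusts this origin.
def trusted_client?(return_to, admin_whitelist, user_prefs)
  origin = client_origin(return_to)
  return false if origin.nil?
  user_trusted = Array(user_prefs['trusted_clients'])
  admin_whitelist.include?(origin) || user_trusted.include?(origin)
end

# What the login flow should do with this return_to:
#   :reject   - not a usable absolute http(s) URL, issue no token
#   :redirect - origin already trusted, continue and hand over the token
#   :prompt   - first time this user sees this client, ask before continuing
def login_decision(return_to, admin_whitelist, user_prefs)
  return :reject if client_origin(return_to).nil?
  trusted_client?(return_to, admin_whitelist, user_prefs) ? :redirect : :prompt
end

# Persist the user's "remember this decision" choice. Returns an updated copy
# of the prefs hash rather than mutating the one passed in.
def remember_client(user_prefs, return_to)
  origin = client_origin(return_to)
  return user_prefs if origin.nil?
  trusted = (Array(user_prefs['trusted_clients']) + [origin]).uniq
  user_prefs.merge('trusted_clients' => trusted)
end

if __FILE__ == $PROGRAM_NAME
  prefs = {}
  first = 'https://myapp.example.net/callback'   # constructed third-party client
  puts login_decision(first, ADMIN_WHITELIST, prefs)                  # prompt
  prefs = remember_client(prefs, first)
  puts login_decision(first, ADMIN_WHITELIST, prefs)                  # redirect
  puts login_decision('https://workbench.example.org/', ADMIN_WHITELIST, prefs) # redirect
end
```

Matching on the full origin is the part worth keeping even if the rest changes: a scheme downgrade (http instead of https) or a different port counts as a different client and goes through the prompt again, and a non-http(s) return_to never receives a token at all.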

From IRC:

<tetron> tomclegg: so OAuth does require a secret client token
<tetron> tomclegg: but workbench doesn't use OAuth to authenticate to API server.
<tetron> tomclegg: API server uses OAuth with the SSO server
<tetron> tomclegg: so that's probably a weak link


Related issues

Related to Arvados - Bug #4690: [DRAFT] [Workbench] Prevent CSRF and XSS attacks (New)

History

#1 Updated by Peter Amstutz over 4 years ago

  • Description updated (diff)

#2 Updated by Peter Amstutz over 4 years ago

  • Description updated (diff)

#3 Updated by Tom Clegg over 4 years ago

  • Subject changed from [API] Potential vulnerability: Any client can perform log in process to receive an API token to [API] Prompt user when logging in to a client for the first time.
  • Description updated (diff)
  • Category set to API
  • Story points set to 2.0
