Comments (4)
lahavsavir
commented on June 16, 2024
1
Guys,
Let’s please move to an internal communications channel to advance this
discussion.
Thank you,
Lahav
On Tue, 11 Dec 2018 at 22:26 Johannes Liebermann ***@***.***> wrote:
How about talking to OneLogin about this use case? We need *some*
solution which would eliminate the need for contacting an admin for every
app a user wants to add, without creating huge security risks. They might
have an idea. If they don't, we could try pushing towards a new feature.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#53 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEFW6CjkR-Ux-trIIxVyH40IY-m8qpTwks5u4BTegaJpZM4V8UYA>
.
--
…--
*Kind Regards,*
[image: allcloud-signature-icon-3.png]
Lahav Savir
Founder, EVP and Chief Architect
AllCloud, Cloud Platforms
m: +972 (54) 4321688
w: www.allcloud.io e: [email protected]
--
This message and the information contained herein is proprietary and
confidential and subject to the AllCloud policy statement, you may review
it here <https://bit.ly/2Mu90e4>.
from clisso.
commented on June 16, 2024
As this is one of the most requested features internally, I'll try to advance this.
I wonder if a shared embeddable token is considered a security risk again? @lahavsavir
Compared to the previous internal solution, this removes the possibility to list users but still keeps the possibility to enumerate apps if I know the email addresses of users (which are incredible hard to guess).
Alternatives I see is developing some Lambda that is storing the needed credentials securely and can only be used after authentication (I'd prefer IAM based auth).
@lahavsavir, @johananl WDYT?
from clisso.
johananl
commented on June 16, 2024
Looks like the embed token is much safer than the API credentials, because all it allows you to do is obtain the list of apps. On the other hand, it still allows obtaining a list of apps without providing user credentials, MFA etc. It also allows a user to get a list of apps that are accessible to another user by sending a request to the API with their email address (and the same token), however it won't allow them to get credentials for these apps if they themselves don't have permissions for them.
The question is if the above is acceptable. It might be acceptable for some use cases.
Looks like the embed token is shared by design, i.e. you can't even generate two on a given OneLogin account, only replace the one existing token.
A Lambda-based solution seems outside the scope of Clisso to me. All Clisso provides is an interface to OneLogin/Okta. This could still be a valid solution for specific use cases, however I don't see how Lambda helps us provide a generic solution to the app ID retrieval issue.
REMINDER: This is a public repository now. We should avoid discussing specifics or "internal" stuff. For these we should use other channels. Just a reminder because this discussion could lead to sensitive issues.
from clisso.
johananl
commented on June 16, 2024
How about talking to OneLogin about this use case? We need some solution which would eliminate the need for contacting an admin for every app a user wants to add, without creating huge security risks. They might have an idea. If they don't, we could try pushing towards a new feature.
from clisso.
Related Issues (20)
- Abstract Regex patterns into their own functions
- Move Spinner code to function
- Reduce nested if statements
- Can't use brew install anymore HOT 2
- Clisso newer than 0.7 causes 500 errors in OneLogin HOT 4
- Issue with brew install HOT 1
- Support AWS Multi Account App - OneLogin HOT 1
- Add support for pre/post execution HOT 4
- Support Okta fastpass HOT 1
- Okta FastPass HOT 1
- Could not get temporary credentials: no valid AWS roles were returned HOT 3
- invalid memoy address when trying to connect HOT 2
- Rename release to 0.7.0 HOT 3
- Error should be handled first HOT 2
- Could not get temporary credentials: generating SAML assertion: doing HTTP request: 401 Unauthorized HOT 8
- Get a group of apps HOT 6
- Question: how to assign a default AWS region? HOT 1
- Error - Could not get temporary credentials: EOF HOT 3
- Could not get temporary credentials: generating SAML assertion: doing HTTP request: 404 Not Found HOT 2
- No way to specify pretty names for IAM roles HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from clisso.