Comments (8)
IMO Vouch should default to disallow all until properly configured with a whitelist OR allowAllUsers
is set. This is a security product, and must be secure by default.
I don't want to break existing setups.
I understand. For the configurations where allowAllUsers
is 'false' and no domains or whitelist are configured, the main question for me is whether administrators under that their configuration is equivalent to "allow all". If they do not realize this, "breaking" their setup would likely be a good thing.
In these configurations I think it is likely the admin does not realize Vouch is effectively in "allow all". Vouch pushes the client through the authentication flow, and it is reasonable to assume during testing that this authentication "did" something. People are much less likely to test authenticating with a disallowed user.
Do you have any opinion on what that interface should look like?
I agree that the configuration parameters are not clear. To be honest I still don't understand domains
and what that is really used for. I wrote an oauth proxy like this for a previous employer, so I'm adding on my TODO list a task to review the whole app. At the same time I will get a much better understanding of the configuration parameters and will be able to make a proposal at that point. If I don't put something here or tag this issue, feel free to ping me.
from vouch-proxy.
hmm, should it default open or default closed?
Although I do tend to agree with you I'm reluctant to change the behavior. I don't want to break existing setups.
There's general sense that the domain/whitelist/AllowAllUsers
config options are confusing. I expect that it'll get rewritten for v1.0.0
. Do you have any opinion on what that interface should look like?
In either case the current behavior should be documented, perhaps in the config.
from vouch-proxy.
I personally don't care which state it is, but I agree, allowAllUsers exists to allow all users, so it does't make sense.
My vote is pick a state, make sure the config errors if both are true on startup, and bump the major version or something.
from vouch-proxy.
IMO Vouch should default to disallow all until properly configured with a whitelist OR allowAllUsers is set. This is a security product, and must be secure by default.
I'll second this. The default fallback behavour you raised in this issue really makes me uneasy. Leave out some configuration options, and it defaults to wide open?! I would expect this to be fixed with urgency, even if it breaks existing deployments.
Similarly I was quite surprised that the default oauth scope was User
for the github provider (Not sure about other providers). This means whoever administrates vouch is getting write access to my profile by default. It can be disabled by adding scopes
as an empty list to the oauth
block:
oauth:
scopes:
- ''
However this felt like a hack to achieve something which I feel should be default behaviour. If I'm protecting some of my endpoints with vouch, I'd expect to make the concious decision to enable a level of oauth which gives me any write access to my user's profiles.
from vouch-proxy.
thanks @vulcan25
Could you open a separate issue for the github scopes issue? I'm happy to work with you on exploring better default scopes.
from vouch-proxy.
@bnfinet Seems I spoke to soon regarding scopes; Looks like you changed this to read:user
as per #63
from vouch-proxy.
@mmorsky suggested in #106 an update to the Debug message from this block
from vouch-proxy.
There has been a clear log.warn in for 9 months...
log.Warn("verifyUser: no domains, whitelist, teamWhitelist or AllowAllUsers configured, any successful auth to the IdP authorizes access")
https://github.com/vouch/vouch-proxy/blob/master/handlers/auth.go#L166
I feel like that's a good compromise. closing
from vouch-proxy.
Related Issues (20)
- Recommendations for using several OIDC endpoints HOT 1
- Vouch 400 and Invalid session state when opening a previous tab or returning to a tab after the laptop and browser has gone to sleep HOT 14
- How to pass OAuth2 ADFS token to server application? HOT 2
- How to fix "oauth.callback_url must be within a configured domains where the cookie will be sent" HOT 1
- docker build fails with golang image version `golang:1.18` HOT 4
- passing IdP access token to app via `Authorization "Bearer $ACCESS_TOKEN"` from kubernetes ingress-nginx HOT 2
- Select first value in multi-valued claim HOT 4
- WebAuthn/passkeys/Direct email login support? HOT 3
- Snowflake OAuth as additional oauth provider
- Setting log level via environment variables does not work HOT 1
- support for one instance with both publicAccess: true and false at different roots HOT 1
- Is vouch-proxy abandonware? HOT 5
- When ModSecurity/naxsi and auth_request (Vouch Proxy) and HTTP/2 is enabled, POST/PUT requests hang HOT 12
- receive "Required String parameter 'redirect_uri' is not present" from Cognito when YAML is not properly formatted HOT 3
- Authenticate additional user accounts outside of Google domain HOT 2
- Vouch Proxy and Keycloak 400 bad request after authenticating HOT 19
- 400 Error with vouch in a path HOT 11
- scope of nginx auth_request_set HOT 1
- Vouch Loses Redirect URL upon re-authorization HOT 1
- feat: Storage Backend for jwt cache HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vouch-proxy.