
Some discussion about the SAP Spartacus OAuth 2.0 Resource Owner Password Flow implementation


McAfee discovered that it is possible to retrieve a valid authentication token for a user, using an unauthenticated request to the application’s backend API.


In other words: a user's authentication token is obtained by calling the backend API with an unauthenticated request.


The application uses OpenID Connect OAuth 2.0 to authenticate users.


The OAuth 2.0 framework supports different flows that can be implemented by an application to retrieve user access tokens.


During testing, McAfee observed that the application appears to implement the Authorization Code Flow directly from the client application, using client-side JavaScript code to generate the POST request to retrieve the access token, which includes a client_id and client_secret parameter in the request. This is not appropriate for a single-page application (SPA) such as this, as it exposes the client_id and client_secret information to the client, either via embedded JavaScript source, or using an interception proxy.


client_id=mobile_android&client_secret=secret&grant_type=password&username=ct******@gmail.com&password=


Authentication Flow

Spartacus 2.1 uses what is called the “Resource Owner Password Flow”, or “Code Flow” as it is called in the issue description.


“Resource Owner Password Flow” is the only flow fully supported by the SAP Commerce backend.


Spartacus 2.1 has built-in support for only this flow. Spartacus 3.0+ can be configured to work with alternate flows, but again, the alternate flows are not fully supported by the SAP Commerce backend.


As a reference, here is the Spartacus 3.0 documentation that provides more info about this:


https://sap.github.io/spartacus-docs/session-management/#configuring-authorization-code-flow-or-implicit-flow


Spartacus exposes the “client_id” and “secret”.

Some backend endpoints like “customer registration” and “forgot your password” require a “client” authentication before they can be called.


This “client” authentication is performed by authenticating with a grant type of “client_credentials”. The access token provided for a “client_credentials” authentication is not associated with a specific user and only allows an OCC client to call a handful of endpoints that don’t otherwise require a user authentication.


Someone could discover the “client” credentials (“client_id” and “secret”) using the browser dev tools, but these credentials can only be used to get a “client” access token and call endpoints that already do not require any user authentication.


The backend API behaves like this by design, and Spartacus needs to comply with this contract.


The authentication endpoint allows account enumeration.

I tried to reproduce the issue from the information provided and I could not. Using the “grant type” of “password” in the authentication request gave the following response whenever the correct password was not provided:

{ "error": "invalid_grant", "error_description": "Bad credentials" }

There was no difference between an attempt with a username that exists and attempts with a username that does not exist in the system.


Therefore I cannot see an account enumeration vulnerability with the observed behaviour.


Using a “grant type” of “client_credentials”, the user in the request is ignored and a “client” token is returned with no access to customer restricted endpoints.


You can perhaps double check the “grant type” used in the authentication requests or provide us with updated repro steps.


Auth requests can obtain an access token for a user without knowing his password

I tried to reproduce the issue from the information provided and I could not. I observed the expected behaviour.


If you post an authentication request with a “grant_type” of “client_credentials”, the access token will be generated for a “client” authentication based on “client_id” and “secret” regardless if a username is also provided in the post request.


The “client” authentication token will not work with user restricted endpoints.


If you post an authentication request with a “grant_type” of “password”, the backend will only authenticate a given user when the correct password is provided.


I was not able to get an access token for an existing user without providing his password.


Perhaps try the use case again and double check which “grant_type” is provided or provide us with updated repro steps.
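The two responses above (the account enumeration finding and the token-without-password finding) both come down to how the token endpoint treats the two grant types. The following is an added, constructed model of that behaviour; it is not SAP Commerce or Spartacus code, and the user store, scopes, endpoint names and the `alice@example.com` account are assumptions. Only the `mobile_android`/`secret` client pair is taken from the captured request on this page. The model shows a “client_credentials” token being issued with no user bound to it and refused by a user-restricted endpoint, and a “password” grant returning the same “Bad credentials” body for an unknown user and for a wrong password, so the two cases cannot be told apart.

```python
import hashlib
import hmac
import secrets

# Constructed registered OCC client. The id/secret pair is the one visible in
# the captured request on this page; a real deployment uses its own values.
CLIENTS = {"mobile_android": "secret"}

_SALT = b"constructed-salt"  # one fixed salt keeps the toy user store simple


def _hash(password: str) -> bytes:
    """PBKDF2 of a password; constructed helper, not SAP Commerce's scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store with a single known customer.
USERS = {"alice@example.com": _hash("correct horse")}

# A client token only reaches endpoints that never needed a user anyway.
CLIENT_SCOPE = frozenset({"register", "forgot_password"})
USER_SCOPE = CLIENT_SCOPE | {"cart", "orders", "profile"}

TOKENS: dict = {}  # access_token -> {"sub": username or None, "scope": frozenset}

INVALID_CLIENT = {"error": "invalid_client", "error_description": "Bad client credentials"}
INVALID_GRANT = {"error": "invalid_grant", "error_description": "Bad credentials"}


def _issue(subject, scope):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"sub": subject, "scope": scope}
    return {"access_token": token, "token_type": "bearer"}


def token_endpoint(form: dict) -> tuple:
    """Model of POST /oauth/token. Returns (http_status, json_body)."""
    expected = CLIENTS.get(form.get("client_id", ""))
    supplied = form.get("client_secret", "")
    # Client authentication is required for every grant type.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 401, INVALID_CLIENT

    grant = form.get("grant_type")
    if grant == "client_credentials":
        # username/password, if present in the form, are ignored: no user is bound.
        return 200, _issue(None, CLIENT_SCOPE)

    if grant == "password":
        stored = USERS.get(form.get("username", ""))
        # Hash the candidate even for unknown users so response timing is uniform.
        candidate = _hash(form.get("password", ""))
        if stored is None or not hmac.compare_digest(stored, candidate):
            # Identical body for "no such user" and "wrong password".
            return 400, INVALID_GRANT
        return 200, _issue(form["username"], USER_SCOPE)

    return 400, {"error": "unsupported_grant_type"}


def resource_endpoint(name: str, bearer: str) -> tuple:
    """Model of an OCC endpoint guarded by token scope. Returns (status, body)."""
    info = TOKENS.get(bearer)
    if info is None:
        return 401, {"error": "invalid_token"}
    if name not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"endpoint": name, "user": info["sub"]}


if __name__ == "__main__":
    base = {"client_id": "mobile_android", "client_secret": "secret"}
    _, client = token_endpoint({**base, "grant_type": "client_credentials",
                                "username": "alice@example.com"})
    print("client token on /cart:", resource_endpoint("cart", client["access_token"]))
    print("unknown user:", token_endpoint({**base, "grant_type": "password",
                                           "username": "nobody@example.com",
                                           "password": "x"}))
    print("wrong password:", token_endpoint({**base, "grant_type": "password",
                                             "username": "alice@example.com",
                                             "password": "x"}))
```

When checking a real deployment for the enumeration claim, the thing to compare is exactly what this model makes identical: status code, body and, as far as practical, response time for an unknown username versus a wrong password. The `client_credentials` branch is what makes a supplied username irrelevant, which is why a token obtained that way carries no user and is rejected by user-restricted endpoints.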


Spartacus uses a new user session if a valid token is pasted in local storage.

While this is not a supported use case, this is not a security flaw. To get a user access token, a valid username/password pair needs to be provided to the auth endpoint.


