[Backlogmanager] [FIWARE-JIRA] (HELP-8455) [fiware-stackoverflow] FIWARE-Keyrock: Why are the OAuth2 credentials related to apps if they do not control access?

Alvaro Alonso (JIRA) jira-help-desk at jira.fiware.org
Thu Mar 30 11:02:00 CEST 2017


     [ https://jira.fiware.org/browse/HELP-8455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alvaro Alonso updated HELP-8455:
--------------------------------
    Status: Answered  (was: In Progress)

> [fiware-stackoverflow] FIWARE-Keyrock: Why are the OAuth2 credentials related to apps if they do not control access?
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: HELP-8455
>                 URL: https://jira.fiware.org/browse/HELP-8455
>             Project: Help-Desk
>          Issue Type: Monitor
>          Components: FIWARE-TECH-HELP
>            Reporter: Backlog Manager
>            Assignee: Alvaro Alonso
>              Labels: access-token, fiware, fiware-wilma, identity-management, oauth-2.0
>
> Created question in FIWARE Q/A platform on 28-03-2017 at 22:03
> Please, ANSWER this question AT http://stackoverflow.com/questions/43079778/fiware-keyrock-why-are-the-oauth2-credentials-related-to-apps-if-they-do-not-co
> Question:
> FIWARE-Keyrock: Why are the OAuth2 credentials related to apps if they do not control access?
> Description:
> We have a scenario where I want to protect a service X with Wilma PEP Proxy. The service X is registered in Keyrock. The Wilma PEP Proxy contains the PEP credentials generated in Keyrock for service X. An application Y gets access to service X with the proper OAuth2 credentials generated for this specific service (client_id and client_secret). It is ok. But there is a problem: an application Z also gets access to the service X with different OAuth2 credentials (not the service X credentials)!! 
> If this is possible, why do we have applications with specific OAuth2 credentials generated in Keyrock if they do not control anything?! It does not make sense!
> It is a big security issue, because one intruder can register some application in Keyrock and with tokens generated for this specific application (with its own OAuth2 credentials) this intruder can access all the applications registered in this Keyrock instance!

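The concern in the quoted question is that a PEP proxy accepts any valid Keyrock token, whatever application it was issued to. The check a proxy needs is to bind the token to the application it protects: after the IdM confirms the token, compare the application the token was issued for with the application the proxy guards and reject mismatches. The following is an added example written for this page; it is not code from Keyrock, Wilma or the question's author. The shape of the IdM validation response (fields `id`, `app_id`, `expires`, `roles`), the application ids and the tokens are all constructed for illustration, and `validateToken` stands in for a real call to the IdM.

```javascript
// Added example, not code from the page, Keyrock or Wilma: the audience check
// a PEP proxy needs so that a token issued to application Z cannot be used
// against service X. Field names of the IdM validation response (id, app_id,
// expires, roles) are assumed for illustration; real endpoints may differ.

// Constructed: the application id the PEP proxy protects (service X in the question).
const PROTECTED_APP_ID = 'app-x-0001';

// Constructed stand-in for the IdM's token-validation endpoint: maps a token
// to the data the IdM would return about it. app_id is the OAuth2 client the
// token was issued to.
const VALIDATION_RESPONSES = {
  'token-from-app-y': { id: 'user-1', app_id: 'app-x-0001', expires: '2099-01-01T00:00:00Z', roles: ['reader'] },
  'token-from-app-z': { id: 'user-2', app_id: 'app-z-0002', expires: '2099-01-01T00:00:00Z', roles: ['reader'] },
  'expired-token':    { id: 'user-3', app_id: 'app-x-0001', expires: '2000-01-01T00:00:00Z', roles: ['reader'] },
};

function validateToken(token) {
  return Object.prototype.hasOwnProperty.call(VALIDATION_RESPONSES, token)
    ? VALIDATION_RESPONSES[token]
    : null;
}

// Pull the bearer token out of incoming request headers. Accepts the
// "Authorization: Bearer <token>" form and a plain X-Auth-Token header
// (header names are lower-cased, as Node's http module delivers them).
function extractToken(headers) {
  const auth = headers['authorization'];
  if (typeof auth === 'string') {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    if (m) return m[1];
  }
  const xAuth = headers['x-auth-token'];
  return typeof xAuth === 'string' && xAuth.length > 0 ? xAuth : null;
}

// Decide whether a request may reach the protected service. The decisive
// step is the app_id comparison: a valid, unexpired token that was issued to
// a different application is rejected with its own reason code so the
// refusal is distinguishable in the proxy's logs.
function authorize(headers, protectedAppId = PROTECTED_APP_ID, now = new Date()) {
  const token = extractToken(headers);
  if (!token) return { allowed: false, reason: 'missing_token' };

  const info = validateToken(token);
  if (!info) return { allowed: false, reason: 'invalid_token' };

  if (new Date(info.expires) <= now) return { allowed: false, reason: 'token_expired' };

  if (info.app_id !== protectedAppId) return { allowed: false, reason: 'token_not_issued_for_this_app' };

  return { allowed: true, user: info.id, roles: info.roles };
}
```

With this check in place, the token from application Y (issued to `app-x-0001`) is accepted, while the token from application Z is refused even though the IdM reports it as valid; an expired token and a missing token are refused before the audience comparison is reached. Logging the `reason` field separately for each refusal makes tokens presented to the wrong application visible in monitoring.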


--
This message was sent by Atlassian JIRA
(v6.4.1#64016)

