[Backlogmanager] [FIWARE-JIRA] (HELP-8804) [fiware-stackoverflow] FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)

Fernando Lopez (JIRA) jira-help-desk at jira.fiware.org
Sun May 28 20:05:00 CEST 2017

Previous message: [Backlogmanager] [FIWARE-JIRA] (HELP-8804) [fiware-stackoverflow] FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)
Next message: [Backlogmanager] [FIWARE-JIRA] (HELP-8804) [fiware-stackoverflow] FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

     [ https://jira.fiware.org/browse/HELP-8804?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fernando Lopez updated HELP-8804:
---------------------------------
     HD-Chapter: Security
    Description: 
Created question in FIWARE Q/A platform on 08-02-2017 at 21:02
{color: red}Please, ANSWER this question AT{color} https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to


+Question:+
FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)

+Description:+
In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A).

Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?


  was:

Created question in FIWARE Q/A platform on 08-02-2017 at 21:02
{color: red}Please, ANSWER this question AT{color} https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to


+Question:+
FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)

+Description:+
In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A).

Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?


     HD-Enabler: KeyRock

> [fiware-stackoverflow] FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)
> -------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HELP-8804
>                 URL: https://jira.fiware.org/browse/HELP-8804
>             Project: Help-Desk
>          Issue Type: Monitor
>          Components: FIWARE-TECH-HELP
>            Reporter: Backlog Manager
>            Assignee: Alvaro Alonso
>              Labels: access-control, access-token, fiware, fiware-wilma, keystone
>
> Created question in FIWARE Q/A platform on 08-02-2017 at 21:02
> {color: red}Please, ANSWER this question AT{color} https://stackoverflow.com/questions/42123486/fiware-keyrock-tokens-with-general-permission-enabling-unauthorized-access-to
> +Question:+
> FIWARE - Keyrock tokens with general permission enabling unauthorized access to applications (security issue?)
> +Description:+
> In a local Keyrock instance, we have two users, A and B, with two different applications, AppA and AppB, respectively. Both users are distinct from the default "admin" user "idm". The Wilma PEP Proxy is configured with PEP credentials from user A. The problem is that user B can get a valid token from the Keyrock IdM and can access successfully the AppA (which, as mentioned, is registered in Wilma PEP Proxy with PEP credentials from user A).
> Is this a default behavior of Keyrock+Wilma components (GE's) or is this really a security problem? I think the user B should not get access to application of user A. It seems that all tokens are general and have access to all applications independently of users. Am I missing some understanding about all this process?



--
This message was sent by Atlassian JIRA
(v6.4.1#64016)

More information about the Backlogmanager mailing list

You can get more information about our cookies and privacy policies clicking on the following links: Privacy policy Cookies policy