add cookie as an option for oauth2_introspection authenticator #301
Conversation
There was a problem hiding this comment.
The schema process is a bit messy at the moment (for bc reasons). The way you solved it is correct!
I'm not sure if you are thinking about this use case, but just some points of warning:
- We do not check if the cookie is
httpOnly, thus, any XSS could set this cookie - There is no source authenticity (e.g. via signature verification), so anyone being able to set the cookie can set the token
The same of course applies to the other methods (e.g. me linking you to foo?access_token=.... or me doing an XSS that intercepts and/or injects the access token to API requests).
I'm saying that because many people think that cookies are "secure" and we should make sure to document this appropriately to avoid any misconceptions.
@aeneasr I meant the "secure" flag is set on the cookie, not that cookies are inherently secure. As with the cookie_session handler, the onus to protect against CSRF and XSS is on the application developer, not on oathkeeper, correct? |
|
Makes sense! |
|
Actually, after review, it looks like these options are not really appropriate for the client_credentials authenticator. I think this and #302 are ready to be merged as is |
Proposed changes
Adds the ability to get the OAuth2 bearer token from a cookie in addition to header or query param. This allows an http-only, secure cookie to be used for storing oauth credentials.
Checklist
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.
developer guide (if appropriate)
Further comments
I'm not quite sure how to properly handle the schema files, I'm guessing there is some compilation going on there that is not documented (vs just editing the
config.schema.jsonfile as I have for now).