Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.5.0-beta1
-
None
Description
I have received comments asking for improvements in the OAuth2 Consumer to help administrators with token security.
One of these comments I plan on submitting a patch for is to allow OAuth2Clients to be defined in a way that restricts where it will send OAuth2 tokens.
One area of concern is already addressed with the "allowModuleOverride" setting.
1) Adminstrator creates an OAuth2Client and binds Gadget X to it.
2) Gadget X changes it's <ModulePrefs> to a new authorization and/or token url endpoint
3) If allowModuleOverride==true the OAuth2 Consumer will honor the ModulePrefs and initiate the dance wherever Gadget X indicates.
4) Especially when using "client_credentials" this may be dangerous because the admin's client_id/client_secret have been sent to a potentially untrusted endpoint.
5) Today adminstrator can set allowModuleOverride=false on the OAuth2Client and be assured the dance will only be initiated on the URLs they've setup, ignoring the gadgets preferences.
Setting allowModuleOverride is sufficient to protect the client_id and client_secret. However, Gadget X can still issue a makeRequest to any URL it wants and the OAuth2 Consumer will send the access_token.
This change will allow the administrator to define the valid servers/domains for an OAuth2Client and prevent the Consumer from sending tokens anywhere outside of the specified locations. This was particularly important for clients using "client_credentials" or other flows where compromised access_tokens can open up large amounts of data on a server.
Any suggestions on how to effectively implement the token whitelist are appreciated...