Crowd Data Center / CWD-2752

Crowd client <=2.3.4 produces SSO tokens that are incompatible with >=2.3.5 on IPv6 addresses with scopes


Details

    Type: Bug
    Resolution: Won't Fix
    Priority: Low
    Fix Version/s: None
    Affects Version/s: 2.3.4, 2.3.5, 2.3.6
    Component/s: Integration/Connectors
    Labels: None

    Description

      The Crowd HTTP authentication library (i.e. the one using REST) sends an IP address when requesting an SSO token. An IPv6 address may have a zone id in the address (e.g. fe80::1%lo0, fe80::21f:5bff:fe33:57c4%en0 on Mac). In fixing CWD-2711 in 2.3.5 and later we remove the zone id before requesting the SSO token. As the address is used in the generation of the token, it means that an SSO token generated from <=2.3.4 is incompatible with one produced from >=2.3.5 when using IPv6 addresses with zone ids.

      Example:

      JIRA has Crowd 2.3.6.
      Confluence has Crowd 2.3.2.

      1. User logs into JIRA.
      2. JIRA sends login request to Crowd server with IP address ::1.
      3. JIRA logs user in and returns the SSO token from Crowd in a cookie.
      4. User logs into Confluence on the same box.
      5. Confluence sends the SSO token to the Crowd server with IP address ::1%0.
      6. Crowd rejects the SSO token because the IP addresses do not match.
      7. Confluence tells the user of the failure.
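      The mismatch described above, as an added illustrative example. This is not Crowd's code: the shared secret, the HMAC-based token derivation and the version-gated zone-id stripping are assumptions standing in for the real client library; only the shape of the problem (the address string feeds the token, and one side strips the zone id while the other does not) is taken from the issue.

```python
"""Why an SSO token bound to the client IP breaks when only one side strips
the IPv6 zone id.

Added example, not Crowd's code. The token derivation (HMAC over user and
address) and the version-gated stripping are assumptions standing in for
the real client library; only the shape of the problem is taken from the
issue.
"""
import hashlib
import hmac
import ipaddress

# Assumed shared secret between the Crowd server and its clients.
SECRET = b"crowd-sso-example-secret"

# Constructed sample addresses: loopback with a Linux-style zone id (%0),
# link-local addresses with Mac-style zone ids, and an IPv4 control.
SAMPLE_ADDRESSES = [
    "::1", "::1%0", "fe80::1%lo0", "fe80::21f:5bff:fe33:57c4%en0", "10.0.0.5",
]


def strip_zone_id(address: str) -> str:
    """Drop an IPv6 zone id: 'fe80::1%lo0' -> 'fe80::1'.

    IPv4 and unscoped IPv6 input is returned unchanged. The zone is removed
    before validation because ipaddress.ip_address() only accepts '%zone'
    on Python 3.9+; anything that is not an address raises ValueError.
    """
    host, _, _zone = address.partition("%")
    ipaddress.ip_address(host)
    return host


def client_address(raw_address: str, client_version: tuple) -> str:
    """Address a client of the given version sends to the Crowd server.

    Mirrors the behaviour described in the issue: from 2.3.5 on (CWD-2711)
    the client strips the zone id; 2.3.4 and earlier send it as seen.
    """
    if client_version >= (2, 3, 5):
        return strip_zone_id(raw_address)
    return raw_address


def derive_token(username: str, address: str) -> str:
    """Assumed token scheme: an HMAC-SHA256 over the user and the address.

    Crowd's real format is not reproduced here; what matters is that the
    address string is an input, so '::1' and '::1%0' give different tokens.
    """
    message = f"{username}\n{address}".encode()
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()


def sso_token_accepted(username, issuer_version, validator_version, raw_address):
    """Simulate the round trip from the issue.

    The issuing application (e.g. JIRA) obtains a token for the address its
    client library reports; the validating application (e.g. Confluence) on
    the same box presents the same raw address through its own client
    library; the server recomputes the token and compares.
    """
    issued = derive_token(username, client_address(raw_address, issuer_version))
    expected = derive_token(username, client_address(raw_address, validator_version))
    return hmac.compare_digest(issued, expected)


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        ok = sso_token_accepted("alice", (2, 3, 6), (2, 3, 2), addr)
        status = "accepted" if ok else "REJECTED"
        print(f"{addr:32} JIRA 2.3.6 -> Confluence 2.3.2: {status}")
```

      Running it shows that the mixed-version pair only fails for addresses that actually carry a zone id; IPv4 and globally routed IPv6 clients never notice, which is why the incompatibility is easy to miss until someone tests over loopback or link-local IPv6.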

      People

        Assignee: Unassigned
        Reporter: bbain