Details
- Type: Bug
- Resolution: Won't Fix
- Priority: Low
- Affects Version/s: 2.3.4, 2.3.5, 2.3.6
Description
The Crowd HTTP authentication library (i.e. the one using REST) sends an IP address when requesting an SSO token. An IPv6 address may carry a zone id (e.g. fe80::1%lo0, or fe80::21f:5bff:fe33:57c4%en0 on Mac). In fixing CWD-2711 in 2.3.5 and later we remove the zone id before requesting the SSO token. As the address is used in the generation of the token, an SSO token generated by a <=2.3.4 client is incompatible with one produced by a >=2.3.5 client when IPv6 addresses with zone ids are in use.
Example:
JIRA has Crowd 2.3.6.
Confluence has Crowd 2.3.2.
- User logs into JIRA.
- JIRA sends login request to Crowd server with IP address ::1.
- JIRA logs user in and returns SSO token from Crowd in Cookie.
- User logs into Confluence on same box.
- Confluence sends SSO token to Crowd server with IP address ::1%0.
- Crowd rejects the SSO token because the IP addresses do not match.
- Confluence tells the user of the failure.
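The following is an added illustration of the mechanism described above and of the JIRA/Confluence walk-through; it is not Crowd's code. It assumes a constructed token derivation (an HMAC over the username and the address the client reported, with a made-up secret) purely to make "the address is used in the generation of the token" concrete; the real Crowd token scheme is not on this page. `client_reported_address` models the only behavioural difference between the two client generations: whether the zone id is stripped before the request.

```python
import hashlib
import hmac
import ipaddress

# Constructed stand-in for a server-side secret; the real Crowd token scheme is not on the page.
SERVER_SECRET = b"constructed-example-secret"


def strip_zone_id(address: str) -> str:
    """Drop an IPv6 zone id such as %lo0, %en0 or %0 (what Crowd >= 2.3.5 does per CWD-2711).

    IPv4 addresses and zone-less IPv6 addresses are returned unchanged.
    """
    host, sep, _zone = address.partition("%")
    return host if sep else address


def canonical_address(address: str) -> str:
    """Strip the zone id and normalise the textual form (0:0:0:0:0:0:0:1 -> ::1)."""
    return str(ipaddress.ip_address(strip_zone_id(address)))


def client_reported_address(raw_address: str, client_strips_zone: bool) -> str:
    """The address a Crowd client library puts in its request.

    client_strips_zone=False models a <= 2.3.4 client, True models >= 2.3.5.
    """
    return strip_zone_id(raw_address) if client_strips_zone else raw_address


def make_sso_token(username: str, reported_address: str) -> str:
    """Constructed token derivation: the token is bound to the address the client reported."""
    msg = f"{username}|{reported_address}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def server_accepts(token: str, username: str, reported_address: str) -> bool:
    """Server-side check as the page describes it: the bound address must match literally."""
    expected = make_sso_token(username, reported_address)
    return hmac.compare_digest(token, expected)


def server_accepts_canonicalised(token: str, username: str, reported_address: str) -> bool:
    """Hypothetical tolerant check (not what Crowd does; the issue is Won't Fix).

    Comparing on the canonical form only helps if the token was bound to the canonical
    form when it was issued, so issue and verify must normalise the same way.
    """
    expected = make_sso_token(username, canonical_address(reported_address))
    return hmac.compare_digest(token, expected)


def reproduce_issue(raw_address: str = "::1%0") -> dict:
    """Walk through the page's scenario: JIRA on 2.3.6 obtains the token, Confluence on 2.3.2 presents it."""
    jira_addr = client_reported_address(raw_address, client_strips_zone=True)         # "::1"
    token = make_sso_token("alice", jira_addr)                                          # constructed user
    confluence_addr = client_reported_address(raw_address, client_strips_zone=False)  # "::1%0"
    return {
        "jira_address": jira_addr,
        "confluence_address": confluence_addr,
        # Mixed client versions: rejected, exactly as the report describes.
        "accepted_mixed_versions": server_accepts(token, "alice", confluence_addr),
        # Both sides on >= 2.3.5: the zone id never reaches the server, so it matches.
        "accepted_same_version": server_accepts(
            token, "alice", client_reported_address(raw_address, client_strips_zone=True)
        ),
        # The hypothetical tolerant server would accept the old client's address.
        "accepted_if_canonicalised": server_accepts_canonicalised(token, "alice", confluence_addr),
    }


if __name__ == "__main__":
    for key, value in reproduce_issue().items():
        print(f"{key}: {value}")
```

The practical takeaway for an operator is the same one the report implies: a Crowd deployment whose applications run mixed client library versions on IPv6 hosts with zone ids will see SSO rejections, and the only consistent state is to have every application on the same side of the 2.3.5 boundary (or to avoid zone-scoped addresses, e.g. by binding to ::1 rather than ::1%0).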
Issue Links
- is caused by CWD-2711 "IPv6 token comparisons should filter out the interface" (Closed)