Details
Suggestion
Resolution: Duplicate
Description
As already discussed in our support request (CWDSUP-7916), we see possible security issues with the current implementation of SSO in Crowd.
The Crowd REST API allows any application that can create session tokens to create these tokens without a password (POST to /session?validate-password=false). The consequence in an SSO environment is that any application authentication can be used to compromise all other applications. The application does not need to know either the token or the password to retrieve the user token. As far as I know, that option is mainly for the "remember me" functionality. The parameter "validate-password=false" cannot be disabled, so we need to filter all requests with this parameter in our reverse proxy to block this feature.
The real solution, from our point of view, is a login system where the web application does not need to know the credentials, because the authentication provider is the only one that creates the tokens.
See the linked figure for details.
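The reverse-proxy workaround described above, as an added example that is not part of the original report and not Atlassian code: a filter that rejects any request carrying the validate-password query parameter, regardless of its value. Matching on the literal string "validate-password=false" is not enough, because query parameter names and values reach Crowd after percent-decoding and may be sent in any letter case; the filter therefore decodes the query and matches the parameter name case-insensitively. The full path /crowd/rest/usermanagement/1/session and the sample requests are constructed for the example; the original only gives the /session suffix.

```python
"""Proxy-side filter for Crowd session-creation requests.

Added example (not Atlassian code). The Crowd server offers no switch to
disable validate-password=false, so the decision is made in front of it.
"""
from urllib.parse import parse_qs, urlsplit

# Query parameter that lets a caller obtain a user session without the
# user's password; the name comes from the report above.
BLOCKED_PARAM = "validate-password"


def naive_block(target: str) -> bool:
    """Weak rule: substring match on the literal 'validate-password=false'.

    Shown only to demonstrate the bypass: 'Validate-Password=FALSE' or a
    percent-encoded name such as 'validate%2Dpassword=false' slips through,
    while Crowd still decodes it to the same parameter.
    """
    return "validate-password=false" in target


def should_block(method: str, target: str) -> bool:
    """Hardened rule: reject any request whose decoded query carries the
    parameter at all, independent of method, path, value or casing.

    Ignoring the value is deliberate: validate-password=true is the
    default behaviour anyway, so a legitimate client loses nothing, and a
    value-based rule would have to enumerate every spelling of 'false'.
    """
    query = urlsplit(target).query
    # parse_qs percent-decodes names and values before returning them.
    params = parse_qs(query, keep_blank_values=True)
    return any(name.lower() == BLOCKED_PARAM for name in params)


# Constructed sample request lines, as a proxy access log might show them.
SAMPLE_REQUESTS = [
    ("POST", "/crowd/rest/usermanagement/1/session"),
    ("POST", "/crowd/rest/usermanagement/1/session?validate-password=false"),
    ("POST", "/crowd/rest/usermanagement/1/session?Validate-Password=FALSE"),
    ("POST", "/crowd/rest/usermanagement/1/session?validate%2Dpassword=false"),
    ("POST", "/crowd/rest/usermanagement/1/session?validate-password=true"),
    ("GET", "/crowd/rest/usermanagement/1/user?username=alice"),
]


def filter_requests(requests):
    """Return (method, target, decision) for each request, where decision
    is 'BLOCK' or 'ALLOW' according to the hardened rule."""
    return [
        (method, target, "BLOCK" if should_block(method, target) else "ALLOW")
        for method, target in requests
    ]


if __name__ == "__main__":
    for method, target, decision in filter_requests(SAMPLE_REQUESTS):
        bypass = " (naive rule would allow)" if decision == "BLOCK" and not naive_block(target) else ""
        print(f"{decision:5} {method} {target}{bypass}")
```

Deploy the equivalent rule in the proxy itself (a request-rewrite or access rule keyed on the decoded query string) rather than in application code, since the point of the workaround is that no application-tier component can reach the endpoint with this parameter.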
Attachments
Issue Links
duplicates: CWD-3153 Allows redirection to Crowd for login (Closed)