fix(auth): require an access-token type on the OIDC bearer path (supersedes #1077)#1078
Open
seonghobae wants to merge 6 commits into
Open
fix(auth): require an access-token type on the OIDC bearer path (supersedes #1077)#1078seonghobae wants to merge 6 commits into
seonghobae wants to merge 6 commits into
Conversation
The OIDC verifier accepted any RS256 token whose signature, issuer, and audience matched, without checking token type. Since an OIDC ID token carries aud == client_id, a frontend ID token could be replayed as an API access token (RFC 8725 §3.11 / Strix HIGH, CVSS 8.8). naruon's API credential is the OIDC access token (the frontend sends token_response.access_token). Require the token to be marked as an access token — Keycloak body typ="Bearer" or RFC 9068 header typ="at+jwt" — and reject ID-token material (Keycloak typ="ID") and unmarked tokens. Regression tests replay an ID-token-shaped token and assert 401; they fail on the prior code and pass here. OIDC access-token fixtures updated to carry the realistic typ="Bearer". Supersedes #1077, whose inverse approach rejected scope-bearing Keycloak access tokens (breaking SSO login) while still admitting ID tokens. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
9 tasks
Contributor
|
PR governance metadata gate is not ready for
|
Contributor
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
Contributor
OpenCode Review Overview
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Backend (3 files)"]
S1 --> I1["API and service runtime"]
I1 --> R1["Review risk: Backend (3 files)"]
R1 --> V1["backend tests"]
Evidence --> S2["Changed file: docker-compose.infra.yml"]
S2 --> I2["repository behavior"]
I2 --> R2["Review risk: Changed file: docker-compose.infra.yml"]
R2 --> V2["required checks"]
Evidence --> S3["Frontend: screenshot.cjs"]
S3 --> I3["browser runtime and bundle"]
I3 --> R3["Review risk: Frontend: screenshot.cjs"]
R3 --> V3["frontend tests"]
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fix the Strix HIGH (CVSS 8.8) "OIDC ID tokens accepted as API bearer sessions without token-type validation" in
backend/api/auth.py, and add regression tests.The OIDC verifier accepted any RS256 token whose signature, issuer, and
audmatchedOIDC_CLIENT_ID, with no token-type check. An OIDC ID token carriesaud == client_id, so a frontend ID token could be replayed directly as an API access token (RFC 8725 §3.11).Why this direction
naruon's API credential is the OIDC access token, not the ID token:
frontend/src/app/auth/oidc/callback/route.ts:112andfrontend/src/app/auth/session/route.ts:288sendtoken_response.access_tokenas the bearer. There is noid_tokencredential path anywhere in the frontend.docker-compose.infra.yml,docker-compose.gateway.yml). Keycloak access tokens carry bodytyp: "Bearer"; ID tokens carrytyp: "ID".So the fix requires the token to be marked as an access token — Keycloak body
typ: "Bearer", or RFC 9068 headertyp: "at+jwt"— and rejects ID-token material and unmarked tokens.Change
_require_oidc_access_token(header, payload)on the OIDC decode path; rejects anything not marked as an access token.typ: "ID"), the unmarked PoC shape, and a header-idvariant all assert 401; an RFC 9068at+jwtaccess token is accepted. The reject tests fail on the prior code and pass here.typ: "Bearer".Verification
pytest tests/test_auth_real.py→ 94 passed.auth.pytodevelopmakes the new reject tests fail (proves they're load-bearing).ruff checkclean.Supersedes #1077
#1077 took the inverse approach (treat the ID token as the credential, reject
scope/scp). Run against a realistic Keycloak access token, #1077 rejects it (breaks every SSO login) and accepts the ID token (leaves the vuln open). #1077 has been converted to draft; please close it in favor of this PR.🤖 Generated with Claude Code