Comments (7)

michielbdejong avatar michielbdejong commented on August 11, 2024

For webid-oidc this is not a problem, because the token that the web app obtains is specific to both webid and app origin. A web app can only obtain a token that is tied to its own origin.

For webid-tls, I don't know, I'll find out!

from web-access-control-spec.

elf-pavlik avatar elf-pavlik commented on August 11, 2024

Do you refer to the aud field in the ID Token? I don't know how exactly NSS uses it to verify the client's origin; maybe @dmitrizagidulin can link to the relevant code. I'm thinking of a case where NSS acts just as a Resource Server and the app/client gets the ID Token from some other OP which, as I understand, handles the client registration.

jaxoncreed avatar jaxoncreed commented on August 11, 2024

This is a reason to move towards client-id based origin tokens. Use the client id as the origin.

elf-pavlik avatar elf-pavlik commented on August 11, 2024

solid/webid-oidc-spec#12 should address it, I will close this one once it gets resolved

gobengo avatar gobengo commented on August 11, 2024

I have lots of OIDC context, but limited web-access-control.

I threw out a straw man of removing this from the spec (since it might be adding a MUST that allows unauthorized access via a proxy):

When an Origin header is present then BOTH the authenticated agent AND the origin MUST be allowed access

Dmitri mentioned that would face resistance as such. But a better alternative should be developed, then this language removed.

A followup proposal that should be less controversial is to add a warning to the spec right before that MUST:

WARNING: This normative language is at-risk of removal because it can be exploited. See this issue (link needed) for progress on a safe alternative.

timbl avatar timbl commented on August 11, 2024

If a bad proxy does not forward the Origin header, then the CORS security is broken by the bad proxy. Don’t use or implement bad proxies. This does not change WAC.

elf-pavlik avatar elf-pavlik commented on August 11, 2024

I'm describing here the possibility of an application running in a web browser intentionally using a properly implemented proxy which by design allows it to advertise whatever Origin the party providing the application wants that application to claim on requests.
The party providing (hosting) the application is the same party which controls the proxy.

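To make the failure mode discussed in this thread concrete, here is an added example (not code from the WAC spec, NSS, or any commenter) of an access check that applies the quoted "agent AND origin" rule but trusts the Origin header only when it agrees with the origin bound into the webid-oidc token, as the first comment describes. The ACL, the agent and origin URLs, and the token_origin parameter are constructed assumptions for illustration.

```python
from typing import Optional, Tuple

# Constructed sample ACL for one resource: the agents and the app origins
# that are allowed to access it.
ACL = {
    "agents": {"https://alice.example/profile#me"},
    "origins": {"https://app.example"},
}


def effective_origin(origin_header: Optional[str],
                     token_origin: Optional[str]) -> Optional[str]:
    """Decide which origin the access check should use.

    The Origin header is whatever the proxy in front of the app chose to
    send, so it is only trusted when it agrees with the origin bound into
    the webid-oidc token (token_origin, an assumed parameter). With no
    token-bound origin (e.g. webid-tls), the header is all we have.
    """
    if token_origin is None:
        return origin_header
    if origin_header is not None and origin_header != token_origin:
        raise ValueError("Origin header disagrees with token-bound origin")
    return token_origin


def authorize(acl: dict, agent: str, origin_header: Optional[str],
              token_origin: Optional[str]) -> Tuple[bool, str]:
    """WAC-style decision: the agent must be allowed, and when an origin
    is known it must be allowed too."""
    if agent not in acl["agents"]:
        return False, "agent not allowed"
    try:
        origin = effective_origin(origin_header, token_origin)
    except ValueError as exc:
        return False, str(exc)
    if origin is None:
        # The quoted spec rule applies only when an Origin is present, so a
        # request with the header stripped and no token-bound origin falls
        # back to an agent-only check (the case the thread leaves open).
        return True, "agent allowed (no origin to check)"
    if origin not in acl["origins"]:
        return False, f"origin {origin} not allowed"
    return True, "agent and origin allowed"
```

A header that is rewritten or stripped by a proxy changes nothing once the token-bound origin is consulted, which is why the thread points towards client-id based origins.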