Christian Fischer created FEDIZ-232:
---------------------------------------

             Summary: 'wctx' parameter mandatory but protocol does not require
                 Key: FEDIZ-232
                 URL: https://issues.apache.org/jira/browse/FEDIZ-232
             Project: CXF-Fediz
          Issue Type: Bug
            Reporter: Christian Fischer


For logins which are not initiated by a valid session on the RP side, the user 
cannot be authenticated because the wctx parameter is missing or has the wrong 
value.

There are at least two scenarios in which this causes unwanted behaviour of 
the system.
 * First is if the IDP/login page is bookmarked and returns only later after 
the session on the RP has timed out. 
 * Second is something similar to an IDP-initiated login flow. It's not in the 
WS-Federation protocol specification but according to our tests Fediz could 
easily allow that if the 'wctx' check is removed. 

In the protocol specification the 'wctx' parameter is also only optional, whereas 
Fediz expects it to be always present. There is a comment with respect to CSRF 
prevention but our security team didn't see the case for this since no 
passive way of authentication is used. In fact it's the actual authentication 
request that is supposed to be protected, but we don't see the need.


One option (if the CSRF case is valid) would be to at least disable the 'wctx' 
state validation by setting a flag.
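As an added illustration (not Fediz's own code), the wctx round trip this report is about: the RP stores a random wctx before redirecting to the IDP and compares it when the sign-in response comes back, with a `require_wctx` flag standing in for the switch proposed above. The `RpSession` class, `build_signin_request`/`validate_signin_response` names and all URLs are constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlencode


class RpSession:
    """Constructed stand-in for the RP's per-session storage (not Fediz's API)."""

    def __init__(self):
        self.wctx = None


def build_signin_request(idp_url: str, realm: str, session: RpSession) -> str:
    """Build the wsignin1.0 redirect and remember a fresh random wctx in the session."""
    session.wctx = secrets.token_urlsafe(32)
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wctx": session.wctx}
    return f"{idp_url}?{urlencode(params)}"


def validate_signin_response(form: dict, session, require_wctx: bool = True) -> tuple:
    """Compare the wctx echoed back by the IDP with the value stored in the RP session.

    Returns (accepted, reason). With require_wctx=True (the behaviour the report
    describes) a missing wctx or a missing session is rejected. With
    require_wctx=False (the flag the report proposes) those two cases are
    accepted, but a wctx that is present on both sides and does not match is
    still rejected, because that response does not belong to this session.
    """
    returned = form.get("wctx")
    stored = session.wctx if session is not None else None
    if stored is None:
        # Session timed out or never existed: the bookmarked-login-page scenario.
        return (not require_wctx, "no RP session state for wctx")
    if returned is None:
        # Response without wctx: the IDP-initiated scenario.
        return (not require_wctx, "IDP response carries no wctx")
    if not hmac.compare_digest(returned, stored):
        return (False, "wctx mismatch")
    session.wctx = None  # single use: a replayed response will not match again
    return (True, "wctx matches session")
```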



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)