Add /oauth/inspect endpoint
#12446
Add /oauth/inspect endpoint
#12446
Conversation
AlexTugarev
added
aspect: security
| @@ -175,6 +176,17 @@ export class OAuthController { | |||
| } | |||
| }); | |||
|
|
|||
| router.get("/oauth/inspect", async (req: express.Request, res: express.Response) => { | |||
| const clientId = req.query.client as string; | |||
| if (typeof clientId !== "string" || !Object.keys(inMemoryDatabase.clients).includes(clientId)) { | |||
There was a problem hiding this comment.
this definitely has the potential to provide an unguarded endpoint to scan for random clientIds.
tagging as security relevant.
There was a problem hiding this comment.
everything is already available in this repo? 🤔
There was a problem hiding this comment.
yeah client ids are already public
There was a problem hiding this comment.
I think the point Alex is making is that this allows you to enumerate all client IDs we may have. Therefore, you can estimate how big of an installation of gitpod this is, how many users it has and which exact IDs exist in the system.
There's a difference between the client ID being public and knowing exactly how many client IDs there are.
There was a problem hiding this comment.
What would be an alternative? cc @geropl
There was a problem hiding this comment.
Therefore, you can estimate how big of an installation of gitpod this is, how many users it has and which exact IDs exist in the system.
I'm not sure how you can do it though. You can only ask whether Gitpod installation supports installing ssh keys or not. You cannot get any other information from this endpoint.
There was a problem hiding this comment.
Would you be able to provide a use-case this is looking to solve? Is it to discover my own ClientID?
There was a problem hiding this comment.
Please have a look at this RFC It is a work around for how we do auth now. Also this internal Slack thread: https://gitpod.slack.com/archives/C01KGM9BH54/p1661371894310039
There was a problem hiding this comment.
@mikenikles @AlexTugarev I think there is a misunderstanding here: Clients !== API clients.
Client is a possible kind of clients we support as defined here.
everything is already available in this repo?
☝️ Enumerating those is fine I think. 🙂
|
@jeanp413 Let's open it for review? |
jeanp413
force-pushed
the
jp/oauth-inspect
branch
from
887f7e8 to
d691416
Compare
|
/unhold |
|
started the job as gitpod-build-jp-oauth-inspect.7 because the annotations in the pull request description changed |
roboquat
added
deployed: webapp
Description
Add
/oauth/inspectendpointRelated Issue(s)
Related #12254
How to test
Release Notes
Werft options: