notes/cisco_ft_securex_registration.org
This commit is contained in:
parent
5e0cfa37d1
commit
ee4db4e42b
1 changed files with 20 additions and 4 deletions
|
@ -373,15 +373,31 @@ The clojure code for the route should roughly look like:
|
||||||
As we now have a session, we should take care about a few details:
|
As we now have a session, we should take care about a few details:
|
||||||
|
|
||||||
***** Important Security Remarks
|
***** Important Security Remarks
|
||||||
- should we keep track of the =origin=?
|
|
||||||
YES this is a security risk to prevent an attack with a redirect to the
|
|
||||||
wrong endpoint. So the redirect should be handled by the backend.
|
|
||||||
The =origin= should be put in the JWT.
|
|
||||||
- should we prevent a user identity to create multiple accounts?
|
- should we prevent a user identity to create multiple accounts?
|
||||||
I don't think so. Not in the first round at least.
|
I don't think so. Not in the first round at least.
|
||||||
It will probably be easy to add a =created-by= metas in the org, and prevent
|
It will probably be easy to add a =created-by= metas in the org, and prevent
|
||||||
duplicates (or put a maximal number of authorized enabled orgs)
|
duplicates (or put a maximal number of authorized enabled orgs)
|
||||||
|
****** Should we keep track of the =origin=?
|
||||||
|
|
||||||
|
When a user login there is always an =origin= parameter (by default it will
|
||||||
|
point to SecureX).
|
||||||
|
But a user can login and create an account and should ultimately be
|
||||||
|
redirected to the correct URL (product).
|
||||||
|
Currently, the user can be redirected to:
|
||||||
|
|
||||||
|
- SecureX
|
||||||
|
- CTR
|
||||||
|
- Orbital
|
||||||
|
|
||||||
|
We should put the =origin= in the JWT and we should take care that the origin
|
||||||
|
has been checked via the =allowed-login-origins=.
|
||||||
|
|
||||||
|
The question about should we return a 301 to the =create-new-account= is open.
|
||||||
|
But this is probably a good idea to let only the backend take care of the
|
||||||
|
security of the redirection.
|
||||||
|
Note this is a very important security concern otherwise an attack in the
|
||||||
|
redirection code might send the credentials to an attacker quite easily.
|
||||||
**** List Matching Accounts - ref ::
|
**** List Matching Accounts - ref ::
|
||||||
https://github.com/advthreat/iroh/issues/6270 #+begin_src http GET
|
https://github.com/advthreat/iroh/issues/6270 #+begin_src http GET
|
||||||
/iroh/iroh-auth-ui/matching-accounts
|
/iroh/iroh-auth-ui/matching-accounts
|
||||||
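Review bot: the open question in this hunk about returning a 301 to =create-new-account= should be answered with a 302 or 303 rather than a 301: a 301 is a cacheable permanent redirect, so a browser may replay it for that URL without consulting the backend again, which undercuts the stated goal of letting only the backend control the redirection. In the same region, the sentence "We should put the =origin= in the JWT and we should take care that the origin has been checked via the =allowed-login-origins=" leaves the ordering implicit; it should state that the =origin= parameter is matched against =allowed-login-origins= (an exact match on scheme, host and port, not a substring or prefix check) before it is placed in the JWT, and that the post-login redirect reads its target only from that validated JWT claim, never from a fresh request parameter. Finally, "an attack in the redirection code might send the credentials to an attacker quite easily" would read more precisely as the concrete failure mode being prevented: an open redirect that delivers the session (the JWT) to a destination outside the SecureX, CTR and Orbital targets listed above.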
|
|