notes/cisco_ft_securex_registration.org

notes/cisco_ft_securex_registration.org

@@ -373,15 +373,31 @@ The clojure code for the route should roughly look like:
 As we now have a session, we should take care about a few details:
 
 ***** Important Security Remarks
-- should we keep track of the =origin=?
-  YES this is a security risk to prevent an attack with a redirect to the
-  wrong endpoint. So the redirect should be handled by the backend.
-  The =origin= should be put in the JWT.
+
 - should we prevent a user identity to create multiple accounts?
   I don't think so. Not in the first round at least.
   It will probably be easy to add a =created-by= metas in the org, and prevent
   duplicates (or put a maximal number of authorized enabled orgs)
+****** Should we keep track of the =origin=?
 
+When a user login there is always an =origin= parameter (by default it will
+point to SecureX).
+But a user can login and create an account and should ultimately be
+redirected to the correct URL (product).
+Currently, the user can be redirected to:
+
+- SecureX
+- CTR
+- Orbital
+
+We should put the =origin= in the JWT and we should take care that the origin
+has been checked via the =allowed-login-origins=.
+
+The question about should we return a 301 to the =create-new-account= is open.
+But this is probably a good idea to let only the backend take care of the
+security of the redirection.
+Note this is a very important security concern otherwise an attack in the
+redirection code might send the credentials to an attacker quite easily.
 **** List Matching Accounts - ref ::
 https://github.com/advthreat/iroh/issues/6270 #+begin_src http GET
 /iroh/iroh-auth-ui/matching-accounts