Skip to content

Tokens without password should not trigger changed password invalidation#29122

Merged
ChristophWurst merged 1 commit intomasterfrom
bugfix/noid/apache-auth-apptoken
Oct 11, 2021
Merged

Tokens without password should not trigger changed password invalidation#29122
ChristophWurst merged 1 commit intomasterfrom
bugfix/noid/apache-auth-apptoken

Conversation

@juliusknorr
Copy link
Member

@juliusknorr juliusknorr commented Oct 7, 2021

Before this app passwords that were generated through a login method that doesn't provide a password (e.g. when using an oidc id token as bearer auth header) did invalidate themselves on the first use (after the 5 minute offset for token checking).

Steps to reproduce:

  • Setup user_oidc and enable bearer token validation for oidc tokens
  • Request an app password through curl -X GET "https://nextcloud.local/ocs/v1.php/core/getapppassword" -H "OCS-APIRequest: true" -H "Accept: application/json" -H "Authorization: Bearer OIDC_ID_TOKEN"
  • Wait for 5 minutes
  • Request any endpoint with the app password
  • Any follow up request would fail before as markPasswordInvalid gets called for the app password

This is similar to #27886 but gets only triggered when using an IApacheBackend where an empty string is set in

server/lib/private/legacy/OC_User.php

Line 193 in 57a816a

'password' => '',
. This will then lead to a token being generated with an empty string as password instead of a password which should not trigger a comparison with the real password when either SAML with LDAP as a user backend or a passwordless user backend like oidc is used.

@juliusknorr juliusknorr added bug 3. to review Waiting for reviews labels Oct 7, 2021
@juliusknorr juliusknorr added this to the Nextcloud 23 milestone Oct 7, 2021
@juliusknorr juliusknorr requested review from a team, CarlSchwan, PVince81, blizzz and julien-nc and removed request for a team October 7, 2021 18:17
@juliusknorr juliusknorr force-pushed the bugfix/noid/apache-auth-apptoken branch from 7dff30e to 508fe18 Compare October 7, 2021 18:18
PVince81
PVince81 approved these changes Oct 8, 2021
View reviewed changes
Copy link
Member

@PVince81 PVince81 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense 👍

@ChristophWurst ChristophWurst merged commit 4a1a9d6 into master Oct 11, 2021
@ChristophWurst ChristophWurst deleted the bugfix/noid/apache-auth-apptoken branch October 11, 2021 08:54
@juliusknorr
Copy link
Member Author

juliusknorr commented Oct 11, 2021

/backport to stable22

@juliusknorr
Copy link
Member Author

juliusknorr commented Oct 11, 2021

/backport to stable21

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Oct 11, 2021
Merged
@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Oct 11, 2021
Merged
@MichaIng
Copy link
Member

MichaIng commented Oct 11, 2021

/backport to stable20

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Oct 11, 2021
Merged
@julien-nc julien-nc mentioned this pull request Oct 12, 2021
Merged
@MichaIng MichaIng mentioned this pull request Oct 25, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PVince81 PVince81 PVince81 approved these changes

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@blizzz blizzz Awaiting requested review from blizzz

@julien-nc julien-nc Awaiting requested review from julien-nc

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan

Assignees

No one assigned

Labels

3. to review Waiting for reviews bug

Projects

None yet

Milestone

Nextcloud 23

Development

Successfully merging this pull request may close these issues.

4 participants

@juliusknorr @MichaIng @PVince81 @ChristophWurst