Actions
Bug #18245
openEnabling OAuth is too dangerous
Status:
New
Priority:
Normal
Assignee:
-
Category:
Users, Roles and Permissions
Target version:
-
Description
The current OAuth implementation in Foreman allows access to anybody with knowledge of two strings: OAuth consumer key and OAuth consumer secret.
In this sense, it is not any more secure than the typical username/password set of credentials.
But, in reality, it is a lot worse:- Unlike personal passwords, which are never shown in clear text, both the key and the secret are visible to all current admins under FOREMAN/settings#Auth
- While personal passwords can be made to automatically expire (such as by using an external LDAP-server with stricter settings), the OAuth credentials are permanent
- If mapping of OAuth-requests to existing accounts is not enabled, using this method gives the REST API scripts admin-level access to Foreman -- having once observed the credentials, a hacker can delete or alter hosts in Foreman.
- If mapping of OAuth-requests to existing accounts is enabled (by specifying a separete request-header
FOREMAN-USER
), a script can freely impersonate any user -- which is even worse than anonymous admin-access. Once authenticated with the OAuth credentials, a script can gain any user's authorization...
- Allow only read-only access to OAuth-using scripts by default, if OAuth is enabled at all.
- Allow admins to create multiple OAuth credential-pairs with different roles, limiting the capabilities of API-using scripts
Finally, OAuth or not, there should be a way to enable anonymous browsing/searching of Foreman data -- even if making any changes may still require a login. The current :login: true
in settings.yaml
is not granular enough.
Actions