[Security:high] OIDC authorization codes are not tied to their RP
Concerned version
Version: 2.0.0
Summary
Configure two OIDC relying parties:
- rp1, open to all users
- rp2, restricted to admins through a security rule in LLNG
Then, as any (non-admin) user, obtain an OIDC authorization code for rp1 (client_id=rp1) while passing rp2's redirect_uri in the authorization request.
The browser is redirected to rp2's callback with that code, rp2 redeems it at the token endpoint as a normal login, and you are logged in to rp2 without being admin.
Cause
This happens because we haven't implemented this part of the OIDC spec:
OpenID Connect Core 1.0, section 3.1.3.2 (Token Request Validation):
"Ensure the Authorization Code was issued to the authenticated Client."
Consequences
Authorization bypass on OIDC services, for applications that rely on LLNG's access rules and do not perform their own access control.
In order to be vulnerable, rp1 must not have any declared redirect URIs: since nothing is registered for rp1, LLNG accepts rp2's redirect_uri in rp1's authorization request.
Possible fixes
We should store the client_id in the code session and verify that it matches the authenticated client before issuing an access token. Checking the redirect_uri alone at the token endpoint is not enough here, since the code was issued with rp2's redirect_uri and therefore matches what rp2 sends.
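The following is an added, self-contained Python model of the token endpoint check described above; it is not LemonLDAP::NG's own (Perl) code. The client registry, secrets, redirect URIs and the `AuthorizationServer` class are constructed for the example. The `bind_code_to_client` flag switches between the current behaviour (code session not tied to the client) and the proposed fix, so that the attack from the summary can be replayed against both.

```python
import secrets
import time

# Constructed client registry mirroring the report's setup (not real configuration).
# rp1 declares no redirect_uris, which is the precondition named in the issue:
# with nothing registered, any redirect_uri is accepted for rp1.
CLIENTS = {
    "rp1": {"secret": "rp1-secret", "redirect_uris": [], "admin_only": False},
    "rp2": {"secret": "rp2-secret",
            "redirect_uris": ["https://rp2.example.com/cb"], "admin_only": True},
}

CODE_LIFETIME = 60  # seconds, assumed value for the example


class AuthorizationServer:
    """Minimal OP: authorization endpoint issuing codes, token endpoint redeeming them."""

    def __init__(self, bind_code_to_client):
        self.bind_code_to_client = bind_code_to_client
        self.codes = {}  # code -> "code session" (hypothetical name, as in the issue)

    def authorize(self, client_id, redirect_uri, user, is_admin):
        client = CLIENTS[client_id]
        # The LLNG-style access rule: rp2 is restricted to admins.
        if client["admin_only"] and not is_admin:
            raise PermissionError("access rule denied")
        # redirect_uri is only validated when the RP declared some.
        if client["redirect_uris"] and redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "user": user,
            "redirect_uri": redirect_uri,
            "client_id": client_id,          # stored, but only checked when bound
            "exp": time.time() + CODE_LIFETIME,
        }
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        # 1. Authenticate the client (client_secret_post style).
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        # 2. Look up the code; single use.
        session = self.codes.pop(code, None)
        if session is None or session["exp"] < time.time():
            raise PermissionError("invalid_grant")
        # 3. redirect_uri must match the one the code was issued with.
        #    This does NOT stop the attack: the code was issued with rp2's URI.
        if session["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        # 4. The fix (OIDC Core 3.1.3.2): the code must have been issued to
        #    the client that is now authenticated.
        if self.bind_code_to_client and session["client_id"] != client_id:
            raise PermissionError("invalid_grant: code issued to another client")
        return {"access_token": secrets.token_urlsafe(32),
                "sub": session["user"], "aud": client_id}


def replay_attack(bind_code_to_client):
    """Run the scenario from the summary; returns 'bypass' or 'blocked'."""
    op = AuthorizationServer(bind_code_to_client)
    # alice is not admin: she asks rp1 for a code but supplies rp2's redirect_uri.
    code = op.authorize("rp1", "https://rp2.example.com/cb", "alice", is_admin=False)
    # The browser lands on rp2's callback with the code; rp2 redeems it normally.
    try:
        op.token("rp2", "rp2-secret", code, "https://rp2.example.com/cb")
        return "bypass"     # alice holds a token audienced to rp2 without being admin
    except PermissionError:
        return "blocked"


def direct_request_denied():
    """Sanity check: asking rp2 directly as a non-admin is refused by the access rule."""
    op = AuthorizationServer(bind_code_to_client=False)
    try:
        op.authorize("rp2", "https://rp2.example.com/cb", "alice", is_admin=False)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("unbound code session:", replay_attack(False))   # bypass
    print("client-bound code session:", replay_attack(True))  # blocked
```

Running the block shows the two outcomes side by side: with the code session unbound the redirect_uri comparison at step 3 passes and rp2 gets a token for a non-admin user; with the client_id check at step 4 the same code is rejected as issued to another client. Declaring redirect URIs for rp1 would also close the hole, since step 3 of `authorize` would then refuse rp2's redirect_uri, but the spec-mandated check is the one that holds regardless of RP configuration.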
Edited by Yadd