
Possible security problem when using third party SSO #9223


JanneHarju created

If the user selects his own tenant but has not yet registered in it, then after the user has logged in, for example on the Microsoft login page, the user is returned to the register page. On the register page the user can change his username and email, but can also change the tenant. If the user knows any other tenant that has self-registration enabled, the user can switch to that tenant and then click the register button. This way it is possible to get into the wrong tenant. The user can, for example, get into the host tenant by clearing the tenant in the dialog.

Is this a real problem, and can you reproduce it?

The auth server is separated.


13 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    If a user knows the name of a tenant, they can also switch tenants before external login. Maybe this isn't a problem.

    Thanks

  • JanneHarju created

But if you change the tenant before login, it uses that tenant's external login settings, where the user has no permissions. In the scenario I described, the user selects his own tenant, where he/she has not yet registered, and logs in using that tenant's external login settings. After the external login, where the user has been verified by his own tenant's settings, the user can change to another tenant and register himself into that tenant without any verification that the user has rights to it. Other tenant names can be guessed quite easily, because in our company we have many reference customers on our website where a user can find company names.

  • maliming created
    Support Team Fullstack Developer

    hi

    Users cannot be restricted from registering when they know the tenant name.

We can restrict switching tenants after external login, but they can still switch tenants before logging in.

    Thanks.

  • JanneHarju created

Yep, that is how it should be: the user can change the tenant before login, but after the user has logged in with the third party (Microsoft) the user should not be able to change tenant. When are you going to change this? Because this is quite a big security risk.

  • maliming created
    Support Team Fullstack Developer

    hi

We can add the current tenant info when logging in externally and then check it afterward.

    But this seems meaningless because he can completely switch to the target tenant before logging in.

Thanks.

  • JanneHarju created

Yes, but the user can still first select his own tenant, where he/she has permission to log in. Then, after that login, the user changes to another tenant and gets into the wrong tenant, where he was not authorized.

If the user changes the tenant to another one before login, then he cannot even log in to the third-party auth provider, and there is no problem.

  • maliming created
    Support Team Fullstack Developer

OK, we will add the current tenant info when logging in externally and then check it afterward.

    Thanks

  • JanneHarju created

So when is this going to be fixed? And is the change coming only to version 9, or also to version 8? And how big a security risk do you think this is? Because from my perspective it is quite big.

  • maliming created
    Support Team Fullstack Developer

    hi

    I will share the code, so you can also use it in version 8.

  • JanneHarju created

So we need to take the auth code into our repo. We have tried to avoid that to ease version upgrades. But maybe this is only a temporary solution, and after we update to 9 the fix is already there and we can remove our custom code. What is the minimum amount of code/modules we need to take and override? Do we need to override only the login and registration pages, and is it possible to override only them and not take the whole auth server code base?

  • maliming created
    Support Team Fullstack Developer

    hi

I will share the code later. You only need to override one or two class models.

    Thanks,
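The approach agreed above (record the tenant that was current when the external login was started, and check it again after the provider returns) can be kept to a small helper plus two calls in overridden page models. The code below is an added illustration of that approach; it is not ABP's code and not the change maliming shared by e-mail. It assumes your ABP version lets you override the Account module's LoginModel (where the challenge's AuthenticationProperties are built) and RegisterModel (the IsExternalLogin branch), that CurrentTenant is ICurrentTenant, and that ExternalLoginInfo is obtained via SignInManager.GetExternalLoginInfoAsync(). The item key name is a hypothetical choice.

```csharp
// Added example: bind an external login challenge to the tenant that was current
// when the user clicked the provider button, and re-check that binding on the
// register page. Not ABP's own code and not the fix shared in this thread.
// Assumptions: LoginModel/RegisterModel are overridable in your ABP version,
// CurrentTenant.Id is the Guid? of the resolved tenant (null = host), and the
// callback/register code uses SignInManager.GetExternalLoginInfoAsync().
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;

public static class ExternalLoginTenantBinding
{
    // Hypothetical item key; any stable string works as long as both sides agree.
    public const string TenantItemKey = "abp.external_login.tenant_id";

    // Host (no tenant) is stored as the empty string so it is distinguishable
    // from a cookie that never carried a binding at all.
    public static string Encode(Guid? tenantId) => tenantId?.ToString("D") ?? string.Empty;

    // Call where the challenge properties are created, e.g. in an override of
    // LoginModel.OnPostExternalLogin right after
    //   var properties = SignInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    // Items travel inside the external authentication cookie, which is
    // protected by ASP.NET Core data protection, so the user cannot edit them.
    public static void Bind(AuthenticationProperties properties, Guid? currentTenantId)
    {
        properties.Items[TenantItemKey] = Encode(currentTenantId);
    }

    // Call in the external login callback and again in RegisterModel.OnGetAsync and
    // OnPostAsync when IsExternalLogin is true. Returns false when the binding is
    // missing (old or foreign cookie) or names a different tenant than the one the
    // request resolved, which is exactly what happens when the tenant is switched
    // in the register page dialog after the provider has already verified the user.
    public static bool MatchesCurrentTenant(ExternalLoginInfo? loginInfo, Guid? currentTenantId)
    {
        if (loginInfo?.AuthenticationProperties == null)
        {
            return false;
        }
        if (!loginInfo.AuthenticationProperties.Items.TryGetValue(TenantItemKey, out var bound))
        {
            return false;
        }
        return string.Equals(bound, Encode(currentTenantId), StringComparison.Ordinal);
    }
}

// Sketch of the register-side check inside a RegisterModel override (IsExternalLogin branch):
//   var loginInfo = await SignInManager.GetExternalLoginInfoAsync();
//   if (!ExternalLoginTenantBinding.MatchesCurrentTenant(loginInfo, CurrentTenant.Id))
//   {
//       await SignInManager.SignOutAsync();   // drops the external cookie as well
//       return RedirectToPage("./Login", new { returnUrl = ReturnUrl });
//   }
```

Two details matter in practice. The check has to run on the register POST, not only on the GET, because the tenant switch dialog changes the tenant cookie and the POST is the request that actually creates the user in the newly selected tenant. And the host case must be encoded explicitly: a binding of "no tenant" must still be a binding, otherwise clearing the tenant in the dialog (the host-tenant variant described in the opening post) would compare equal to a missing value.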

  • maliming created
    Support Team Fullstack Developer

    hi

    Please send an email to liming.ma@volosoft.com

    I will share the code change with you.

    Thanks

  • maliming created
    Support Team Fullstack Developer

    hi

    Is your problem solved?

    Thanks

Made with ❤️ on ABP v9.3.0-preview. Updated on May 12, 2025, 05:22