
[GWT-IDE] Don't touch Keycloak under Che7 environment. #13026

Closed
wants to merge 1 commit into from

Conversation

monaka
Member

@monaka monaka commented Mar 31, 2019

On multi-user/multi-host Che7 environments, the URL of the IDE differs from the URL of wsmaster.

So, on copying the Keycloak object, web browsers throw a DOMException as cross-site scripting.

In addition, Keycloak can't respond to requests for getting a new token,
because the URL of the IDE is not listed in redirect_url.

What does this PR do?

Pass the token (generated by Keycloak) to the IDE in <iframe> via postMessage()

What issues does this PR fix or reference?

#12585

@monaka monaka added the kind/bug Outline of a bug - must adhere to the bug report template. label Mar 31, 2019
@che-bot
Contributor

che-bot commented Mar 31, 2019

Can one of the admins verify this patch?

Signed-off-by: Masaki Muranaka <monaka@monami-ya.com>
@skabashnyuk
Contributor

@monaka. Thank you for your efforts.

I think that the approach you've selected has some disadvantages that we should avoid.
Such kind of messaging with the dashboard allows someone to create a plugin that can
take away the keycloak token in such a way:

  • Start a workspace with the malicious plugin.
  • Share a link with such code on some forums/emails/sites.
  • Users who are authorized on the Che dashboard may open some forums/emails/sites.
  • The user's browser loads pages with the malicious plugin and communicates with the dashboard.
  • The malicious plugin sends the keycloak token to third-party sites.

In my opinion, the correct approach would be to teach GWT IDE to work without a keycloak token.
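The PR description above proposes handing the Keycloak token to the IDE iframe with postMessage(), and the review comment explains why a message channel to the dashboard is dangerous. The following is an added example, not code from this PR or from Che: it models the browser's postMessage() delivery rule in plain Node so the two defensive checks can be exercised offline. Sending with targetOrigin '*' (the weak form) is contrasted with pinning targetOrigin to the workspace's IDE origin, and the receiver checks event.origin before accepting a token. All origins, the token string, the FakeWindow class and the function names are constructed for this example; the assumption that the dashboard can take the IDE origin from the server-side workspace record is also mine, not something the thread states.

```javascript
// Added example, not code from the Che PR: a minimal stand-in for window.postMessage()
// so the origin checks can be run under Node without a browser.
// All origins and the token value below are constructed sample data.

class FakeWindow {
  constructor(origin) {
    this.origin = origin;        // the window's own origin (scheme://host[:port])
    this.listeners = [];
  }

  addEventListener(type, handler) {
    if (type === 'message') this.listeners.push(handler);
  }

  // Models the browser rule for postMessage(): the event is dispatched only when
  // targetOrigin is '*' or equals the receiving window's current origin.
  // Returns true when the message was delivered.
  send(target, data, targetOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== target.origin) return false;
    for (const handler of target.listeners) {
      handler({ data, origin: this.origin }); // event.origin is the sender's origin
    }
    return true;
  }
}

const DASHBOARD_ORIGIN = 'https://che.example.test';             // constructed
const WORKSPACE_IDE_ORIGIN = 'https://ws-1234.ide.example.test'; // constructed; assumed to come from wsmaster's workspace record
const ATTACKER_ORIGIN = 'https://evil.example.test';             // constructed
const SAMPLE_TOKEN = 'sample-keycloak-token';                    // constructed, not a real JWT

// Weak form: targetOrigin '*' delivers the token to whatever window is embedded.
function sendTokenBroadcast(dashboard, target, token) {
  return dashboard.send(target, { type: 'keycloak-token', token }, '*');
}

// Pinned form: targetOrigin is the IDE origin the server knows for this workspace,
// so a window at any other origin never receives the message.
function sendTokenPinned(dashboard, target, token, workspaceIdeOrigin) {
  return dashboard.send(target, { type: 'keycloak-token', token }, workspaceIdeOrigin);
}

// Receiver side: a token message is accepted only when event.origin is the dashboard.
function installTokenReceiver(win, expectedSenderOrigin) {
  const state = { token: null, rejected: 0 };
  win.addEventListener('message', (event) => {
    if (event.origin !== expectedSenderOrigin) { state.rejected += 1; return; }
    if (!event.data || event.data.type !== 'keycloak-token') return;
    state.token = event.data.token;
  });
  return state;
}

// Runs the four cases and returns what each side observed.
function demo() {
  const dashboard = new FakeWindow(DASHBOARD_ORIGIN);
  const ide = new FakeWindow(WORKSPACE_IDE_ORIGIN);
  const evil = new FakeWindow(ATTACKER_ORIGIN);

  const ideState = installTokenReceiver(ide, DASHBOARD_ORIGIN);
  const evilState = installTokenReceiver(evil, DASHBOARD_ORIGIN);

  // 1. Broadcast to an attacker-controlled iframe: delivered, the token leaks.
  const leaked = sendTokenBroadcast(dashboard, evil, SAMPLE_TOKEN);
  // 2. Pinned send to the same attacker window: the browser drops it.
  const blocked = sendTokenPinned(dashboard, evil, SAMPLE_TOKEN, WORKSPACE_IDE_ORIGIN);
  // 3. Pinned send to the real IDE window: delivered and accepted.
  const delivered = sendTokenPinned(dashboard, ide, SAMPLE_TOKEN, WORKSPACE_IDE_ORIGIN);
  // 4. A token message forged from the attacker origin: the receiver ignores it.
  evil.send(ide, { type: 'keycloak-token', token: 'forged' }, WORKSPACE_IDE_ORIGIN);

  return {
    leaked,
    evilGotToken: evilState.token,
    blocked,
    delivered,
    ideToken: ideState.token,
    ideRejected: ideState.rejected,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Pinning targetOrigin and checking event.origin only limit which origin the token reaches; they do nothing against a malicious plugin that runs inside the legitimate workspace origin and therefore receives the message as the IDE would, which is exactly the scenario the review comment describes. That is why the thread settles on the IDE not handling the Keycloak token at all rather than on a safer message channel.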

@monaka
Member Author

monaka commented Apr 7, 2019

@skabashnyuk Agree. After some tries and errors, I got how the JWT proxy works and what the better approach is. I'm going to fix this on my forked repository.

@monaka monaka changed the title from "Use postMessage() for avoiding cross origin scripting." to "[GWT-IDE] Don't touch Keycloak under Che7 environment." Apr 7, 2019
@monaka
Member Author

monaka commented Apr 14, 2019

Closing as I opened #13142 (will fix the same issue as this).

@monaka monaka closed this Apr 14, 2019
@monaka monaka deleted the pr-pass-id-token-by-postMessage branch April 14, 2019 07:51