
Security providers should not automatically propagate security #2275

Closed
tomas-langer opened this issue Aug 20, 2020 · 4 comments · Fixed by #2357
Labels: enhancement (New feature or request), P3, security

Comments

tomas-langer (Member):

Environment Details

  • Helidon Version: 2

Problem Description

Unless a provider is configured as an explicit outbound provider, propagation of security should not be enabled.
In other words - we need to have an explicit configuration for outbound security to work.

Now we add outbound by default, causing unintended propagation of user's identity to third party services.
There are several ways to disable this, though maybe the default behavior should be not to propagate.

@tomas-langer tomas-langer added enhancement New feature or request security labels Aug 20, 2020
@m0mus m0mus added the P3 label Aug 20, 2020
@tomas-langer tomas-langer self-assigned this Sep 4, 2020
tomas-langer (Member, Author):

OidcProvider - outbound security is disabled by default already.

tomas-langer (Member, Author):

JwtProvider should only propagate when an outbound target is defined

tomas-langer (Member, Author):

HttpBasicAuthProvider automatically propagates in all cases - this should be modified

tomas-langer (Member, Author):

GoogleTokenProvider and HeaderAtnProvider both propagate automatically - this should be modified.

I think all providers should only propagate when an outbound target is defined in configuration. An outbound target can always have any host used to enable propagation to any outbound target.
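As an added illustration (not code from the issue or from the Helidon project), this is the kind of explicit outbound target the last comment asks for: with the proposed default, a provider without an `outbound` block propagates nothing, and a target whose `hosts` list is a wildcard opts back in to propagation everywhere. The key names (`outbound`, `name`, `hosts`, `paths`) follow Helidon 2's provider configuration layout as I remember it and are an assumption here.

```yaml
# Constructed Helidon 2 style configuration (key names assumed, see lead-in).
security:
  providers:
    - http-basic-auth:
        realm: "helidon"
        users:
          - login: "jack"
            password: "changeit"
            roles: ["admin"]
        # No "outbound" block here would mean: authenticate inbound only,
        # never forward the caller's credentials (the proposed default).
        outbound:
          # Narrow target: propagate only to one internal host and path prefix.
          - name: "internal-backend"
            hosts: ["backend.internal.example"]
            paths: ["/api/.*"]
          # Wildcard target: the explicit way to get the old propagate-everywhere
          # behaviour, now a deliberate choice rather than the default.
          - name: "any-host"
            hosts: ["*"]
```

Reviewing which targets carry a wildcard host is the quick check for whether a service can leak a user's identity to third parties it calls.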
