CLI logout functionality - Security issue?


david.webe...@gmail.com

Sep 2, 2014, 8:14:14 AM
to vcap...@cloudfoundry.org
Dear CLI and oauth specialist,

We have the following issue at the moment.

I, as a user, log in with the CF CLI to a CF endpoint and do some stuff.
If I then log out, no call to the UAA or API endpoint is made to really invalidate the current token. Sure, I have to log in again to do work with the CLI.
You can test this behaviour if you enter "export CF_TRACE=true" before you do a "cf logout".

With this situation we have a problem. If I use man-in-the-middle software and capture a request (for example to create a service), this request works until the token has expired, even if the user logs out from the CLI.
So my problem with this behaviour is not that the request works with a man in the middle; my problem is that it even works after the user did a logout.


Is this the proper way of handling a CLI logout, to just clear the CLI user data and not invalidate the token?

Side note: We don't use the standard screens from the UAA as we implemented our own login server, so we don't have this logout functionality.

Best regards
Dave

Filip Hanik

Sep 2, 2014, 4:07:01 PM
to vcap...@cloudfoundry.org
Hi Dave, your prognosis is correct. Currently the UAA leverages stateless tokens. This means there is no way to invalidate an individual token; it is valid until it expires, or the system signing key is changed.
The UAA logout method does nothing except destroy the HTTP session. It does not invalidate the token itself.

We have in mind some sort of distributed token cache for future needs as token claims grow; at that time it will be easy to invalidate a token, as it will be a stateful system at that point.

Now if you have your own login server, that doesn't change anything. You can take a look at the CF login server, at https://github.com/cloudfoundry/login-server.git

Filip
--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/7e3369c5-b5a1-432a-a1d5-ab18a3255226%40cloudfoundry.org.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.
