IBM Security Verify

  • 1.  WebSEAL Accepts invalid OAuth Tokens

    Posted Wed October 13, 2021 09:36 AM
    Hi All,

    We noticed that WebSEAL accepts invalid tokens, e.g. timed-out tokens. Not every time, but sometimes. And if you try over a longer period it will be rejected. I couldn't find out how to control this behavior, or whether there is a deterministic rule for it. I could imagine that this is a caching issue, but for me this is not acceptable for a security appliance. Can anybody confirm that this works as designed? Otherwise I'd raise a PMR on that. We are on 10.0.1.0.

    Cheers,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------


  • 2.  RE: WebSEAL Accepts invalid OAuth Tokens

    Posted Wed October 13, 2021 05:10 PM
    Jens,
     
    How is WebSEAL configured to consume the tokens? There are actually three options available: oauth-eas, oauth-auth and OAuth introspection.
     
    I know that oauth-eas implements caching, and you can disable the cache by changing the '[oauth-eas] cache-size' configuration entry. 
     
    I don't believe that the other two mechanisms implement any caching, but authenticated sessions do get created.  However, the session lifetime should correspond to the OAuth token lifetime.
     
    I hope that this helps.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

  • 3.  RE: WebSEAL Accepts invalid OAuth Tokens

    Posted Thu October 14, 2021 09:39 AM
    Hi Scott,

    Thank you for your answer. We use the [oauth-auth] configuration. I collected the pdweb.oauth logs and I could see that if I make a request with a new token, WebSEAL sends an RST request to check the token and gets a RequestSecurityTokenResponse with information about the token. So WebSEAL knows that the token is valid, knows the user and can build the session for the request.
    The next time I send a request with the same token, WebSEAL (in most cases) doesn't send an RST request to check the token; it accepts the request and sends it to the backend instead. If the token becomes invalid, WebSEAL can't know it, because it doesn't check the token every time. For that reason the result of the RST response must be cached. It makes sense, since it would be too expensive to check the token for every request, but I could use an invalid token for at least several minutes before I stopped testing. I could imagine that WebSEAL considers the token to be valid for the duration of the session or for the lifetime of the token, but sometimes WebSEAL notices immediately that the token is not valid anymore.

    Could you say which rules WebSEAL follows to determine that it's time to check the token?

    Best Regards,
    Ivan

    ------------------------------
    Ivan Yartsev
    ------------------------------

  • 4.  RE: WebSEAL Accepts invalid OAuth Tokens

    Posted Thu October 14, 2021 04:57 PM
    Ivan,
     
    When using 'oauth-auth' the OAuth token is used to create the session.  The session lifetime is set based on the initial expiry time of the token.  In this case WebSEAL will continue to use the same OAuth token until the token has expired.  So, more specifically - the rules are: the token lifetime controls how long WebSEAL will 'cache' the token (and the session will remain valid) and WebSEAL will continue to allow the token to be used until the session is terminated, or the token/session expires.
     
    I hope that this helps.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

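The rule stated in the reply above (first request triggers an RST/RSTR check, a session is created whose lifetime is fixed from the token's initial expiry, and the token is then reused from that session until it expires) can be written down as a small model. The following is an added illustration, not WebSEAL code or anything from IBM: the token store, the `validate_token` stand-in for the RST exchange to the STS, the token names and the integer timestamps are all constructed here so the run is deterministic. The `expired_acceptances` helper is the check a tester would run on a sequence of probes: it lists any request that was answered 200 at or after the token's expiry, which is the behaviour reported in this thread and which the model, following the stated rule, never produces.

```python
"""Model of the oauth-auth session rule described in the thread (added example).

Assumptions, none of which come from the thread or from WebSEAL itself:
  * a token is an opaque bearer string; the constructed STS table below maps it
    to a subject and an absolute expiry in seconds,
  * validate_token() stands in for the RST / RequestSecurityTokenResponse
    exchange and answers None for an expired or unknown token,
  * 'now' is passed in by the caller instead of reading the clock.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed STS state: token -> claims. 'exp' is an absolute time in seconds.
STS_TOKENS: Dict[str, Dict[str, object]] = {
    "tok-alice-1": {"sub": "alice", "exp": 600},
}


def validate_token(token: str, now: int) -> Optional[Dict[str, object]]:
    """Stand-in for the RST exchange: claims if the token is known and unexpired."""
    claims = STS_TOKENS.get(token)
    if claims is None or now >= int(claims["exp"]):
        return None
    return dict(claims)


def token_key(token: str) -> str:
    """Session cache key: a digest, so the raw bearer token is never stored."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Session:
    subject: str
    expires_at: int  # fixed once, from the token's initial expiry


class OAuthAuthGateway:
    """Minimal model of the 'oauth-auth' session handling described above."""

    def __init__(self, validator: Callable[[str, int], Optional[Dict[str, object]]]):
        self._validator = validator
        self._sessions: Dict[str, Session] = {}
        self.log: List[Tuple[str, object]] = []

    def handle(self, token: str, now: int) -> int:
        key = token_key(token)
        sess = self._sessions.get(key)
        if sess is not None:
            if now < sess.expires_at:
                # Session still within the token lifetime: no RST, reuse it.
                self.log.append(("session-hit", sess.subject))
                return 200
            # Session lifetime is bounded by the token lifetime: drop it.
            del self._sessions[key]
            self.log.append(("session-expired", sess.subject))
        # No usable session: validate the token (the RST / RSTR round trip).
        claims = self._validator(token, now)
        self.log.append(("rst", claims is not None))
        if claims is None:
            return 401
        self._sessions[key] = Session(str(claims["sub"]), int(claims["exp"]))
        return 200


def probe(gateway: OAuthAuthGateway, token: str, times: List[int]) -> List[int]:
    """Replay the same bearer token at each timestamp; return the status codes."""
    return [gateway.handle(token, t) for t in times]


def expired_acceptances(times: List[int], statuses: List[int], exp: int) -> List[int]:
    """Timestamps at or after 'exp' where the request was still accepted.

    This is the tester's check for the behaviour reported in the thread; under
    the rule modelled here the list is always empty.
    """
    return [t for t, s in zip(times, statuses) if t >= exp and s == 200]


def run_demo() -> Tuple[List[int], List[Tuple[str, object]], List[int]]:
    gw = OAuthAuthGateway(validate_token)
    times = [0, 100, 599, 600, 900]
    statuses = probe(gw, "tok-alice-1", times)
    leaks = expired_acceptances(times, statuses, exp=600)
    return statuses, gw.log, leaks


if __name__ == "__main__":
    statuses, log, leaks = run_demo()
    for t, s in zip([0, 100, 599, 600, 900], statuses):
        print(f"t={t:>4}s -> {s}")
    print("log:", log)
    print("accepted after expiry:", leaks)
```

Running it shows one RST at the first request, two session hits while the token is still live, and a session drop plus a failed RST at exactly the expiry second, so the check returns an empty list. Against a real deployment the same probe would be driven with actual HTTP requests and a real clock, and a non-empty result is the evidence to attach to a PMR.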
  • 5.  RE: WebSEAL Accepts invalid OAuth Tokens

    Posted Thu October 14, 2021 05:39 PM
    Hi Scott,

    Thanks for the clarification. That's how I thought it should work. As Ivan pointed out, at least in 10.0.1.0 it doesn't. You can use the token even when the lifetime is expired. Unfortunately it's not just a few seconds but at least several minutes. And on top of that it's not deterministic, as sometimes the session is cancelled at the end of the token lifetime and sometimes (more often) not.

    I guess we need to raise a PMR to get that fixed.

    Thanks,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------