Kentor.AuthServices 0.21.2 Security Release

Kentor.AuthServices 0.21.2 has just been released to NuGet. It is a security release fixing three issues.

  1. XML External Entity Injection (affecting .NET 4.5 only)
  2. Malicious IdP can cause write to arbitrary file
  3. Flawed ReturnUrl validation leads to Open Redirect

The first two issues were reported by John Heasman, Morgan Roman and Joshua Estalilla from DocuSign. While I have dreaded the day when I would get a security issue I am extremely happy with the professionalism of the disclosure. I got the report privately, including detailed descriptions, reproduction steps and solid recommendations on how to fix it. I am very grateful you took the time to review AuthServices and find the issues and for the detailed reports.

More details on the vulernabilities will be published later.

Kentor.AuthServices v0.20.0 Released

Half a years worth of pull requests with great features have finally been baked into an official release of Kentor.AuthServices which is now available on Nuget. The most important fixes are improved active/passive handling for the Owin middleware and full support for SHA256/384/512 as it is time to leave SHA1.

First of all I would like thank all contributors and users that have had to wait for this while I’ve been on parental leave. A special thanks to Explunit who has made a lot of valuable contributions as well as reviewing pull requests and taken part in design discussions.

Breaking Changes

The public API of AuthServices is getting more and more stable, but nevertheless there are some breaking changes.

  • The Owin Middleware is now once again Passive by default
  • The Owin Middleware will act as Active during Logout, even if it is configured as passive. This can be disabled with the StrictOwinAuthenticationMode compatibility setting.
  • On .NET 4.6.2 and later AuthServices now by default generates SHA256-based signatures and only accepts SHA256 or stronger signatures.
  • The “clever” ReturnUrl expansion has been removed as it proved to create more problems than it solved.
  • ReturnUrl open redirect issue fixed.

Why Enabling SHA256 Support for XML Signatures Breaks JWT Signing

For some times there’s been bug reports to Kentor.AuthServices, IdentityServer3 and System.IdentityModel.Tokens.Jwt about enabling SHA256 XML signature support sometimes breaks JWT signing. It fails with an error of System.Security.Cryptography.CryptographicException: Invalid algorithm specified.

This has been one of those annoying bugs where everyone’s solution works perfectly by itself, but combined they fail. I closed this issue in AuthServices with a comment that “works for us, has to be IdentityServer3/System.IdentityModel.Tokens doing something strange.”. I’ve finally had some time to look deeper into this thanks to IRM that asked me to do this as a consultancy service. Without someone paying for the time, it’s hard to spend the hours needed to find the root cause of a problem like this. When I started out on this I looked at all three systems/components involved to try to understand what triggers the problem. I ended up fixing this in Kentor.AuthServices for now. The fix could also have been done in the .NET Framework, IdentityServer3 or System.IdentityModel.Tokens.Jwt. Doing it in Kentor.AuthServices was mostly a matter of convenience because I control it myself.

That means that the TL;DR of all of this is that if you update to Kentor.AuthServices 0.19.0 or later this problem is solved. If you’re interested on how to solve it if you add SHA256 support yourself, please read on.

Kentor.AuthServices 0.18.1 Breaking Changes

Today we released Kentor.AuthServices 0.18.1. It contains a number of bug fixes, but also a couple of breaking changes to a mostly internal API and logout handling.

You are affected if…

  • you build a HttpRequestData yourself, instead of using a build in ToHttpRequestData() extension method.
  • you are using Single Logout and…
    • you have a ClaimsAuthenticationManager
    • you manually create a AuthServicesClaimTypes.LogoutNameIdentifier claim
    • you filter out claims that are persisted

Most users should not be affected, but if you match any of the above please read on.

Authservices StubIdp Improvements: AttributeStatements and User Lists

This is an announcement of two new related features in the Authservices SAML2 StubIdp, AttributeStatements and user lists.

AttributeStatements

Until now the only identification related element supported by the StubIdp was the Subject NameID.
In many SAML2 installations additional data, like roles and full name, are included as AttributeStatements. This has been supported by the AuthServices library, but it has not been possible to generate testdata with the StubIdp.
Now we have implemented a dynamic list of AttributeStatements in the StubIdp.

Software Development is a Job – Coding is a Passion

I'm Anders Abel, a systems architect and developer working for Kentor in Stockholm, Sweden.

profile for Anders Abel at Stack Overflow, Q&A for professional and enthusiast programmers

Code for most posts is available on my GitHub account.

Popular Posts

Archives

Series

Powered by WordPress with the Passion for Coding theme.