In order to implement a single login solution, I’m looking for a way to automatically trigger OAuth2 authentication when accessing Zammad login page.
With Zammad 2.9, accessing Zammad login page using its URL suffixed with “/auth/OAuth2” was enough to trigger the OAuth2 authentication. When clicking this link, a user who had previously authenticated against the SSO was automatically logged in Zammad.
Since Zammad 3.0 and this specific change introducing CSRF protection, the Zammad login page does a HTTP POST with an authenticity-token. Clicking the previous link now triggers a “no route matches [GET] /auth/OAuth2”, as described here.
Is there a way to get a behaviour similar to the 2.9 one?
Thanks a lot for your help!
Infos:
Used Zammad version: 3.0
Used Zammad installation source: source
Operating system: Debian
Browser + version: Firefox 69
Expected behavior:
Trigger OAuth2 authentication by appending /auth/OAuth2 to the login page URL
Actual behavior:
Getting a 404 resource not found page with Zammad 3.0 instead of the OAuth2 authentication one with Zammad 2.9
Steps to reproduce the behavior:
Append /auth/OAuth2 to the Zammad URL and access it
Personally I don’t think that this is possible, because you’ll need the CSRF-Token for security reasons. @anon29869905 might have a better clue than I do here.
Thanks for your answer, I’m always amazed by your reactivity.
For now, I modified the Zammad login page (login.jst.eco) so that when a “autologin” parameter is specified, the OAuth2 authentication form is automatically submitted.
Hey @nicolas! You’re right - the oAuth login via GET is not available anymore because of security concerns. We changed that behavior with this commit because of CVE-2015-9284 which was affecting one of our dependencies. The commit message contains a lot of information about the background and what the attack vector is. This is why we won’t support GET requests for oAuth anymore.
Hope that helps in any way… I’m happy to answer any follow up questions.
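As an added illustration of the check behind that change (constructed here; this is not Zammad's or OmniAuth's code), a minimal request phase that refuses a bare GET, refuses a POST without the session-bound authenticity token, and only then redirects to the provider:

```ruby
require 'securerandom'

# Model of the OAuth2 request phase after the fix for CVE-2015-9284:
# the provider redirect is only issued for a POST that carries the
# per-session CSRF token the login form embedded. Constructed example.
class OAuthRequestPhase
  Result = Struct.new(:status, :body)

  # Issue a token bound to the session; the login form embeds it as a hidden field.
  def self.issue_token(session)
    session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # Constant-time comparison so token checking does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # request is a Hash: { method: 'GET'|'POST', params: {...}, session: {...} }
  def self.call(request)
    # 1. Reject GET outright: a plain link (the old /auth/OAuth2 behaviour) could be
    #    placed on any third-party page and start the flow without the user's intent.
    return Result.new(405, 'method not allowed') unless request[:method] == 'POST'

    # 2. The submitted authenticity_token must match the one stored in this session.
    expected = request[:session][:csrf_token]
    given = request[:params]['authenticity_token']
    unless expected && secure_compare(expected, given)
      return Result.new(422, 'invalid authenticity token')
    end

    # 3. Only now send the browser to the identity provider's authorize endpoint.
    Result.new(302, 'redirect to provider authorize endpoint')
  end
end
```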
Hi @anon29869905 ! Thank you very much for your detailed explanation. The autologin we were using definitely matches the described vulnerability, and I didn’t realize it could be used as an attack.
The hard part will now be to explain the issue to my boss
Maybe the upcoming SSO solutions will work for your use case? It will be possible to sign users in via Kerberos or SAML (Keycloak, etc.). Hopefully your boss will understand that it’s in the interest of security of your and your customers’ data.
That will be really interesting, we are indeed using Keycloak as an OIDC SSO Solution. Since it also provides SAML support, I will keep an eye on the upcoming SSO evolutions.
You’re making a great product, I’m amazed by the quality of your work, either on the technical aspect or the features one!