Implement enhanced security mode
Description
Environment
None
Potential Workaround
None
Checklist
hideTestRail: Results
Activity
Show:

Steve Ellis October 6, 2023 at 6:19 PM
I went with 's idea. I think it is an improvement.

Julian Ladisch October 5, 2023 at 8:40 AM
This design doesn't follow GDPR requirements of security by design and security by default.
Better design:
{{LEGACY_TOKEN_TENANTS }}defaults to * for Poppy and none from Quesnelia on.
It can be set to empty string (for none), * (for all) or a comma separated tenant list to enable the legacy tokens.
Done
Details
Details
Assignee

Reporter

Labels
Priority
Development Team
Core: Platform
Release
Poppy (R2 2023)
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs
Created October 2, 2023 at 12:45 PM
Updated October 9, 2023 at 4:34 PM
Resolved October 6, 2023 at 6:14 PM
TestRail: Cases
TestRail: Runs
Enhanced security mode is a feature for Poppy that will allow tenants to opt in to an enhanced security mode (ES mode). ES mode in mod-authtoken will be configured through an environment variable called
ENHANCED_SECURITY_TENANTS
. This optional variable will contain a comma separated list of tenant ids for which ES mode will be enabled. If a request to the legacy token signing endpoint (/token
) arrives in mod-auth for a tenant which is included in the ES mode environment variable, mod-authtoken will respond with a 404. This will be consumed by clients such as mod-login or mod-login-saml which will respond with their own error code when legacy endpoints such asauthn/login
are requested when ES mode is present.ES mode enforces RTR for tenants that want the security benefits of it in Poppy since mod-auth will not issue non-expiring legacy tokens for tenants where ES mode is enabled.
Interested parties: