[FOLIO-378] Validate tenant-ID against host header Created: 09/Nov/16  Updated: 12/Nov/18  Resolved: 22/Nov/16

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: New Feature Priority: P4
Reporter: Mike Taylor Assignee: Heikki Levanto
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: 1 hour
Original estimate: Not Specified

Issue links:
Relates
relates to STRIPES-42 Send authorization header Closed
Sprint:

Description

Requests sent to Okapi will be on some tenant-specific hostname, and will also send a tenant-ID in the X-Okapi-Tenant header. The back-end should protect against MITM attacks by validating that the asserted tenant-ID is valid for use on the hostname.

(Before we can do this, we will need to figure out how tenant-specific hostnames are generated or configured, and how Okapi can obtain that information.)



Comments
Comment by Mike Taylor [ 09/Nov/16 ]

The real issue here may be that the UI ought to be sending proper encrypted/signed authentication tokens. See STRIPES-42 (Closed).

Comment by Heikki Levanto [ 21/Nov/16 ]

I don't see much need to validate the HOST header. The security comes from logging in to a given tenant with valid credentials. After that, the tenant information is carried in the X-Okapi-Token, and is no longer needed. The client may try to use a different X-Okapi-Tenant header, but Okapi will catch that, and refuse the whole request.

If we ever set up a database of HOST names and matching tenants, this could be used for guessing the Tenant at the login time, but I don't see much need for that.

Yes, the UI should start with a login and pass the token around.
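
Added illustration (not Okapi's code, and not part of the ticket) of the two checks discussed in this issue: the comparison of X-Okapi-Tenant against the tenant bound into the token that the comment above describes, and the host-to-tenant lookup the description proposes. It assumes the token is an HS256-signed JWT-style token carrying a "tenant" claim; the host table and secret are constructed for the demo.

```python
# Added example, not Okapi's code. Assumes (not stated in the ticket) that X-Okapi-Token
# is an HS256-signed JWT-style token with a "tenant" claim and a dict maps hosts to tenants.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for the demo only
HOST_TENANTS = {"diku.example.org": "diku", "other.example.org": "other"}  # constructed table

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(tenant: str, user: str, secret: bytes = SECRET) -> str:
    """Issue a login token; the tenant is bound into the signed payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user, "tenant": tenant}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def token_tenant(token: str, secret: bytes = SECRET):
    """Return the tenant claim if the signature verifies, else None."""
    if token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload)).get("tenant")

def check_request(headers: dict, host_tenants=HOST_TENANTS, secret: bytes = SECRET) -> str:
    """Return 'ok' or a refusal reason for one request's headers."""
    asserted = headers.get("X-Okapi-Tenant")
    token = headers.get("X-Okapi-Token")
    if token is None:
        # Pre-login request: only the host table can vouch for the asserted tenant.
        expected = host_tenants.get(headers.get("Host"))
        return "ok" if expected and asserted == expected else "refuse: tenant/host mismatch"
    claimed = token_tenant(token, secret)
    if claimed is None:
        return "refuse: bad token signature"
    if asserted != claimed:
        return "refuse: X-Okapi-Tenant differs from token tenant"
    if host_tenants.get(headers.get("Host"), claimed) != claimed:  # unknown hosts are not blocked
        return "refuse: host not mapped to tenant"
    return "ok"
```

A host that is not in the table is deliberately left unchecked, matching the description's note that host-to-tenant configuration was not yet defined.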

Comment by Mike Taylor [ 21/Nov/16 ]

OK, no problem. If you're happy about this, you should just close this as WONTFIX.

Generated at Thu Feb 08 23:05:19 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.