 

Is loading an OpenID Provider in an iframe a bad idea if the provider and RP are on the same domain?

There are plenty of questions here where someone wants to load an OpenID provider's login page in an iframe rather than redirecting and having the provider control the entire look & feel of the login page. For very solid security reasons (primarily anti-phishing) this is a big no-no, prohibited, and most OpenID providers refuse to load within an iframe.

I have been presented with a situation where OpenID is being used within a single organization's set of web sites and applications. The OpenID provider has a whitelist of RPs and will only respond to those RPs. There is a desire to extensively customize the login page at the provider based on which RP sent the user to it. (If there are strong security arguments against doing this as well, I'd like to know about them as well.)

A proposed solution to this is to simply allow the RPs to present the login page in an iframe, so they can put whatever design around the login box they want. In this scenario only the "Username" "Password" fields and "Login" "Forgot Password" "Register New Account" buttons would be hosted at the Provider, the rest of the page would be at the RP and still have the RP's address in the title bar. Not optimal, yes, but the argument is that "it's a different subdomain, but the same 2nd level domain, so it's still okay."

I don't understand how this could be the case - having very different login pages for different applications still leaves users more vulnerable to phishing and other attacks. Am I incorrect in this conclusion? Every question on SO about this appears to be about using an external or public Provider, and the counterargument I'm encountering is that those concerns don't apply in a private Provider limited to sites on the same domain.

Thaeli asked Mar 11 '12 03:03



1 Answer

The general concerns about having OpenID within an iframe do have some validity even if you roll your own provider. If any of your components are vulnerable to script injection there's a risk that they could compromise your users' credentials since you could access iframe data from the parent window.

The normal recommendation to redirect (optionally in a pop-up) would limit this risk since the attacker now needs to inject into the OpenID login page where you presumably have no script injection flaws.

MyGGaN answered Sep 20 '22 18:09
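An added example, not part of the original question or answer, showing the two checks a practitioner would want here. First, the browser's same-origin policy compares scheme, host and port, so a provider at one subdomain and an RP at another are different origins even though they share the registrable domain; a script running in the RP page cannot read the framed login form's DOM unless both pages deliberately relax document.domain. What an injected script in the RP page can do is swap the iframe's src or draw its own login box over the page, which is the phishing risk the answer points at. Second, if the provider does decide to allow framing by its whitelisted RPs, it should say so explicitly with a CSP frame-ancestors header listing those origins rather than relying on the subdomain relationship. The hostnames (login.example.com, app1.example.com, app2.example.com) and the whitelist are assumptions for illustration; the code runs under Node.js.

```javascript
// Added example, not code from the original post. Hostnames below are hypothetical.

// Browser same-origin check: scheme, host and port must all match.
// Sharing a registrable domain (example.com) is not enough.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Whitelisted RP origins the provider is willing to be framed by
// (assumed list; in practice derive it from the provider's RP whitelist).
const ALLOWED_FRAME_ANCESTORS = [
  'https://app1.example.com',
  'https://app2.example.com',
];

// Response headers the provider sets on its login page.
// CSP frame-ancestors can list specific origins; the legacy X-Frame-Options
// header cannot, so it is only emitted (as DENY) when framing is refused entirely.
function framingHeaders(allowedOrigins) {
  if (allowedOrigins.length === 0) {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  return {
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
  };
}

// Decide whether a page at parentUrl may frame the provider page at providerUrl
// under a "frame-ancestors 'self' <origins>" policy. Mirrors how a browser
// evaluates 'self' (same origin as the framed document) and explicit origins.
function mayFrame(parentUrl, providerUrl, allowedOrigins) {
  if (sameOrigin(parentUrl, providerUrl)) return true; // matches 'self'
  return allowedOrigins.includes(new URL(parentUrl).origin);
}

// Stand-alone demonstration.
const PROVIDER_LOGIN = 'https://login.example.com/openid/login';
console.log(framingHeaders(ALLOWED_FRAME_ANCESTORS));
console.log('same origin as RP?', sameOrigin(PROVIDER_LOGIN, 'https://app1.example.com/'));
console.log('app1 may frame:', mayFrame('https://app1.example.com/', PROVIDER_LOGIN, ALLOWED_FRAME_ANCESTORS));
console.log('other subdomain may frame:', mayFrame('https://other.example.com/', PROVIDER_LOGIN, ALLOWED_FRAME_ANCESTORS));
```

Note that an http:// RP page is rejected even when its hostname is whitelisted, because the origin differs by scheme; the whitelist should contain full origins, not bare hostnames.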