Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect
query string.
For example:
- Project is configured with OpenID or OAuth2
- Project is configured with cache enabled
- User tries to login via SSO link, but without redirect
query string
- After successful login, credentials are cached
- If an unauthenticated user tries to login via SSO link, it will return the credentials of the other last user
The SSO link is something like https://directus.example.com/auth/login/openid/callback
, where openid
is the name of the OpenID provider configured in Directus
This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond
middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials.
For OpenID, this can be seen here:
https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459
And for OAuth2 can be seen here
https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428
CACHE_ENABLED
to trueCACHE_STORE
to redis
for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)REDIS
with redis string or redis host, port, user, etc.AUTH_PROVIDERS
to openid
PUBLIC_URL
to the the main URL of your project . For example, PUBLIC_URL: http://localhost:8055
AUTH_OPENID_CLIENT_ID
, AUTH_OPENID_CLIENT_SECRET
, AUTH_OPENID_ISSUER_URL
with proper OpenID configurationshttp://localhost:8055/auth/login/openid/callback
http://localhost:8055/auth/login/openid/callback
access_token
propertyhttp://localhost:8055/auth/login/openid/callback
and see you have the same credentials, even though you don't have any session because you are in anonymous modeAll projects using OpenID or OAuth 2, that does not include redirect
query string on loggin in users.