Session cookie not bound to service
It is currently possible to take the oauth proxy's session cookie value from e.g. cloud.cccv.de (which anyone has access to) and use it to authenticate with e.g. prometheus.monitoring.cccv.de (which almost no one has access to) or any other service secured with the oauth proxy. This can be used to circumvent the permission checks based on uffd's required_group option.
Background: We run a single oauth proxy instance on sso.cccv.de. All services that rely on it (like cloud.cccv.de and prometheus.monitoring.cccv.de) proxy-pass requests to sso.cccv.de. Since the proxy's session cookie is generated/set by the same instance with the same configuration and consequently the same SECRET_KEY value, all of the authenticated session cookies are signed with the same secret key.
The OAuth proxy fails to store and verify service-identifying information (e.g. the client id) in the session cookie.
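As an added illustration of the fix described here (example code, not the proxy's own implementation), the following sketch signs a session cookie with a single shared SECRET_KEY but records the client id it was issued for, and the verifier rejects any cookie whose client id does not match the service being accessed. The secret, client ids, user and group names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder: one proxy instance, one key shared by every service (as on the page).
SECRET_KEY = b"constructed-example-secret"


def b64encode_url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user: str, groups: list, client_id: str) -> str:
    """Sign a session payload that records which service (client_id) it was issued for."""
    payload = json.dumps(
        {"user": user, "groups": sorted(groups), "client_id": client_id},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return b64encode_url(payload) + "." + b64encode_url(sig)


def verify_session_cookie(cookie: str, expected_client_id: str, required_group: str):
    """Return the session only if the signature is valid, the cookie was issued for
    expected_client_id, and the user is in required_group; otherwise return None."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = b64decode_url(payload_b64)
        sig = b64decode_url(sig_b64)
    except (ValueError, TypeError):
        return None
    expected_sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return None
    session = json.loads(payload)
    # Binding check: a cookie issued for one service must not authenticate to another,
    # even though both are signed with the same SECRET_KEY. A cookie from an older
    # proxy that stored no client_id is rejected here as well.
    if session.get("client_id") != expected_client_id:
        return None
    if required_group not in session.get("groups", []):
        return None
    return session
```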