Azure OAuth and OpenId Auth bypass when AppSecret and AppId values are null

I just came across a bug (I think) with the OpenId and OAuth provider settings. When starting UD with either OpenId or OAuth, if the Client Id and/or AppSecret are left blank, any authentication attempt is bypassed and you are logged into the Dashboard. Also, AdminMode is enabled (but I have AdminModeAuthorizationPolicy set).

Using the below to set your authentication method:

$AuthenticationMethod = New-UDAuthenticationMethod -ClientId "" -Instance https://login.microsoftonline.com -Domain "" -TenantId ""

OR

$AuthenticationMethod = New-UDAuthenticationMethod -ResponseType 'id_token token' -AppSecret '' -AppId "" -Authority 'https://login.microsoftonline.com/' -Resource 'https://management.azure.com/' -SaveTokens -PassThru

Then once I add back my AppId and Secret information and just reload UD I am prompted to log in as usual.

Can anyone else verify this? I am using UD 2.8.1

Whoa, weird. Sounds like a bug. Probably should just be some validation in New-UDAuthenticationMethod to prevent you from configuring it this way.

Agreed - I didn't even notice I did this, and was trying to figure out why I kept seeing the AdminTools as I wasn't in my "developers" group. Then I realized that I had my Dashboard running in a new Azure Web App where all my Auth Provider information (Id, Secret, Tenant) is stored in App Settings and referenced in UD using $env:TenantId, but since it was a new Web App, none of the App Settings existed.

I also noticed that when I'm in the Dashboard without authenticating, none of the auth policy enforcements are in effect. I have pages that have AuthorizationPolicy set, but I can still see all the pages' content.

When the Auth provider is configured like that, starting the dashboard does throw an error but continues to load.
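
A fail-closed startup check for the situation described in this thread, added here as an example and not part of any post or of Universal Dashboard itself: it aborts the script before `New-UDAuthenticationMethod` is called if a setting read from the environment is empty. `Get-RequiredAuthSetting` is a hypothetical helper, and the environment variable names `AppId` and `AppSecret` are assumptions (only `$env:TenantId` appears in the thread).

```powershell
# Hypothetical helper: return a required setting or stop the script.
function Get-RequiredAuthSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [switch] $AsGuid   # Azure AD application (client) IDs are GUIDs
    )
    # Azure Web App "App Settings" surface as process environment variables.
    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "Auth setting '$Name' is missing or empty; refusing to start the dashboard."
    }
    $value = $value.Trim()
    if ($AsGuid) {
        $parsed = [guid]::Empty
        $ok = [guid]::TryParse($value, [ref] $parsed)
        if (-not $ok -or $parsed -eq [guid]::Empty) {
            throw "Auth setting '$Name' is not a valid GUID; refusing to start the dashboard."
        }
    }
    return $value
}

# Any error must abort startup instead of being logged while the dashboard keeps loading.
$ErrorActionPreference = 'Stop'

$tenantId  = Get-RequiredAuthSetting -Name 'TenantId'
$appId     = Get-RequiredAuthSetting -Name 'AppId' -AsGuid      # assumed variable name
$appSecret = Get-RequiredAuthSetting -Name 'AppSecret'          # assumed variable name

# Same parameters as the second command in the thread, now guaranteed non-empty.
# Appending the tenant to the authority is the usual Azure AD form; the thread
# shows only the base URL.
$authParams = @{
    ResponseType = 'id_token token'
    AppId        = $appId
    AppSecret    = $appSecret
    Authority    = "https://login.microsoftonline.com/$tenantId"
    Resource     = 'https://management.azure.com/'
    SaveTokens   = $true
    PassThru     = $true
}
$AuthenticationMethod = New-UDAuthenticationMethod @authParams
```

Run on a freshly created Web App with no App Settings, this stops at the first `Get-RequiredAuthSetting` call, so the dashboard never starts with an empty provider configuration.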