Found this official ACS demo http://www.fabrikamshipping.com/ while researching on ACS.
In the app itself, when logging in with one of the providers (I chose Google), I can see in the browser history the URL that contains the claims returned from ACS. It's the URL that starts with:

https://fabrikamshipping.accesscontrol.windows.net/v2/openid?context=pr%3dwsfederation%26rm%3dhttp%253a%252f%252ffabrikamshipping%252fcons...

Going to this URL logs me in the app, even after clearing all browser cache and cookies.
So if I log in to the app from some public computer, and then log out, my account is exposed by going to this URL in the browser history.

I know this is the standard way that ACS identity handling works.
What am I missing here?

Yaron Levi

2 Answers

You are not missing anything. This URL will log you in, even if all cookies are cleared. However, when going on a public computer you have to be more careful about your credentials. Clearing history will wipe this URL from the browser's history.

Also, I don't actually see the claims URL in my history.

Another way of protecting your personal data is using "In Private Browsing session" for the browser of your choice. Note that it is very hard for someone to see, not to mention remembering that URL. You got it, because you copied from the browser at the moment of redirecting.

astaykov
  • Try using Chrome, and you will see the URL in the history. Still, I can't accept this. How can anybody use ACS Identity when it has such a big security hole? If I won't use ACS, and implement my own Google and Facebook login, such a security hole won't exist - users can go to my site on a public computer and won't have to remember to enter it in a private mode. – Yaron Levi Feb 06 '12 at 08:43
  • Hm, actually to continue the talk. It appears to be just a "log-out" issue. When using claims authentication and you use an identity provider, the claims URL you got will only work if you have an existing session with the chosen identity provider. If you log out of the identity provider, the URL you got will not log you in to the application. – astaykov Feb 08 '12 at 08:00
  • Have you tried it yourself? I log in to fabrikamshipping.com. Then I log out from my Google account, and clear all browser cache and cookies just to make sure. Close the browser. Open it again, and go to the claims URL - you're in. – Yaron Levi Feb 08 '12 at 10:51
  • Weird. I tried exactly the same and I could log in back to Fabrikam Shipping :| – astaykov Feb 08 '12 at 12:23
  • Very weird. Also, it seems like a common issue. Look at this post, http://rmencia.wordpress.com/2010/05/05/federated-signin-requires-federated-signout/ . Look at what he says at the end of the post, "The Second Catch". It's the problem we are experiencing. (Pressing the back button brings you to the claims URL we are talking about.) – Yaron Levi Feb 08 '12 at 14:46
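The thread above comes down to one property of the sign-in response: once the relying party accepts a signed set of claims from a URL, that URL is a bearer credential, and nothing in the browser (history, cache, cookies) makes it stop being one. The relying-party-side mitigations are a short validity window on the issued token and one-time use (replay detection), on top of the federated sign-out the linked post describes. The following is an added toy model, not code from the question, the answers, ACS, or Fabrikam Shipping: the HMAC "STS", the token layout, the `jti` identifier, the key and the URLs are all constructed assumptions standing in for the real signed WS-Federation response. It shows a naive relying party that checks only the signature (so a replay from history works) beside a hardened one that also enforces expiry and a consumed-token cache.

```python
"""Toy relying party: why a sign-in response URL must not stay a valid credential.
Constructed example; token format, key and URLs are assumptions, not the ACS
wire format."""
import base64
import hashlib
import hmac
import json
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

STS_KEY = b"constructed-demo-signing-key"     # assumption: stands in for the STS signing key
RP_RETURN_URL = "https://rp.example/signin"   # constructed relying-party endpoint


def _sign(data: bytes) -> str:
    return hmac.new(STS_KEY, data, hashlib.sha256).hexdigest()


def issue_signin_url(subject: str, now: float, lifetime_s: int = 60) -> str:
    """Stand-in for the STS redirect: claims, a short lifetime and a unique id, signed."""
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + lifetime_s,
              "jti": uuid.uuid4().hex}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{RP_RETURN_URL}?" + urlencode({"token": body, "sig": _sign(body.encode())})


def _parse(url: str) -> dict:
    """Verify the signature and return the claims; raises on tampering."""
    q = parse_qs(urlsplit(url).query)
    body, sig = q["token"][0], q["sig"][0]
    if not hmac.compare_digest(sig, _sign(body.encode())):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def naive_login(url: str) -> str:
    """Signature only: the URL in the browser history remains a valid credential."""
    return _parse(url)["sub"]


class HardenedRP:
    """Rejects expired tokens and any token id that was already consumed."""

    def __init__(self) -> None:
        self._seen: dict[str, int] = {}   # jti -> exp, so entries can be pruned

    def login(self, url: str, now: float) -> str:
        claims = _parse(url)
        # prune consumed ids whose token has expired anyway, so the cache stays bounded
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        if claims["jti"] in self._seen:
            raise PermissionError("token already used (replay)")
        self._seen[claims["jti"]] = claims["exp"]
        return claims["sub"]


def demo() -> dict:
    """Run both relying parties against the same sign-in URL and report outcomes."""
    t0 = 1_000_000.0
    url = issue_signin_url("alice@example.test", t0)
    results = {"naive_first": naive_login(url),
               "naive_replay": naive_login(url)}        # accepted again, any time later
    rp = HardenedRP()
    results["hardened_first"] = rp.login(url, t0 + 1)
    try:
        rp.login(url, t0 + 2)                             # same URL, e.g. from history
        results["hardened_replay"] = "accepted"
    except PermissionError as e:
        results["hardened_replay"] = str(e)
    fresh = issue_signin_url("alice@example.test", t0)
    try:
        rp.login(fresh, t0 + 3600)                        # unused but an hour old
        results["hardened_expired"] = "accepted"
    except PermissionError as e:
        results["hardened_expired"] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The replay cache only needs to remember a token id for as long as the token could still be valid, which is why a short lifetime matters twice: it bounds how long a leaked URL is useful and how much state the relying party must keep. Neither check replaces signing the user out of the identity provider as well; it only makes the copied URL worthless on its own.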
I opened the same thread in the Azure official forums:

http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/8f35d6d7-fe0d-4589-9502-54c85714979a

It seems like a known issue. I will update the answer here as soon as a solution is provided.

Yaron Levi