top | item 45008913

(no title)

engcoach | 6 months ago

Is the danger here token replay? It's using Bearer tokens, so it's not sending a password over:

<https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Aut...>

Threats section for Bearer tokens: <https://datatracker.ietf.org/doc/html/rfc6750#section-5.2>

Does OAuth reuse tokens across domains? If not, doesn't this just mean it is requesting an auth token for ghrc (the "fake" domain) but it can't access any auth tokens for ghcr (the real domain)?

discuss

bmitch3020|6 months ago

Blog author (and OCI maintainer) here. The request to get a bearer token sends the password or PAT using the basic auth header, base64 encoded, but otherwise clear-text. That's the request the www-authenticate header is triggering. Once the token is received, the registry uses that to verify access, and that eventually expires. But the attacker isn't getting the token, they are requesting the credentials that would be used to acquire a bearer auth token.

unknown|6 months ago

[deleted]