[MEDIUM] OCIS disables OIDC access token verification #23

New issue

Open

opened 2026-05-05 15:44:47 -05:00 by pjennings · 0 comments

pjennings commented 2026-05-05 15:44:47 -05:00

Owner

Copy link

Labels: area:security, area:containers, priority:medium, type:bug

Description

In modules/secrets.example/apps3.nix:
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = 'none'

This disables OIDC access token verification for ownCloud Infinite Scale.

Impact

Forged OIDC tokens could be used to gain unauthorized access to OCIS cloud storage. Any user who can craft a JWT could impersonate any user.

Recommended Fix

Set PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD to 'jwt' and configure proper JWKS endpoint validation against the Authentik issuer.

**Labels:** area:security, area:containers, priority:medium, type:bug ## Description In modules/secrets.example/apps3.nix: PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = 'none' This disables OIDC access token verification for ownCloud Infinite Scale. ## Impact Forged OIDC tokens could be used to gain unauthorized access to OCIS cloud storage. Any user who can craft a JWT could impersonate any user. ## Recommended Fix Set PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD to 'jwt' and configure proper JWKS endpoint validation against the Authentik issuer.

pjennings added this to the Security: Medium and Low Findings milestone 2026-05-06 16:47:26 -05:00

pjennings added the

area:security

priority:medium

type:bug

status:blocked

labels 2026-05-06 16:49:25 -05:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

indev

No results found.

Labels

Clear labels   

area:documentation

Documentation, inventory, runbooks

  

area:infrastructure

Infrastructure services and hardware

  

area:network

Network, firewall, and connectivity

  

area:security

Security vulnerabilities and findings

  

priority:critical

Fix immediately — active risk

  

priority:high

Fix within 1-2 weeks

  

priority:low

Backlog — hardening and best practices

  

priority:medium

Fix within 1 month

  

status:blocked

Blocked on dependency or decision

  

type:bug

Misconfiguration or broken behavior

  

type:deployment

New service or system deployment

  

type:enhancement

Improvement or hardening

  

type:investigation

Needs research or identification

No labels

area:documentation

area:infrastructure

area:network

area:security

priority:critical

priority:high

priority:low

priority:medium

status:blocked

type:bug

type:deployment

type:enhancement

type:investigation

Milestone

Clear milestone

No items

No milestone

Security: Medium and Low Findings

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

reinitialized.net/infrastructure#23

No description provided.