mirror of
https://github.com/gravitational/teleport
synced 2024-10-21 01:34:01 +00:00
9135a5ade7
If an attacker can force a username change at an IdP, upon second login, the services.User object of the original user can be updated with new roles and traits. If these new roles and traits differ, the original user can have their privileges raised (or lowered). To mitigate this, encode roles and traits within the certificate and use these when fetching roles to make RBAC decisions. If roles and traits are not encoded within an certificate (for example for old style SSH certificates then fallback to using the services.User object and log a warning. |
||
---|---|---|
.. | ||
fixtures.go | ||
keys.go |