
Flows should be aborted on policy errors #11708

Open
mzhaase opened this issue Oct 17, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@mzhaase

mzhaase commented Oct 17, 2024

Is your feature request related to a problem? Please describe.
When creating a flow that uses an expression policy, an error in the policy causes the last step of the flow to be executed. This can be a potential security issue.

If a policy throws an error, the intended behavior of the flow is undefined. The only safe default is to abort the flow. In my experiments, I had for example users being created although the policy should have prevented it, due to a policy error.

Describe the solution you'd like
The default for any created flow should be to abort if there is a policy error.

@mzhaase mzhaase added the enhancement New feature or request label Oct 17, 2024
@BeryJu
Member

BeryJu commented Oct 17, 2024

When a policy throws an error, the behaviour is not undefined: you can configure the policy result when a policy fails in the binding here:
(screenshot of the policy binding settings, showing the failure-result option)

@mzhaase
Author

mzhaase commented Oct 17, 2024

By undefined I mean authentik cannot know what should happen. Therefore the default should be "Don't pass".
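To make the two positions in this thread concrete, here is an added Python model written for this page; it is example code, not authentik's own implementation. A binding carries a failure_result that is substituted whenever the expression policy raises, and a stage runs only if every binding passes. The names PolicyBinding, evaluate_binding, run_stage and simulate, the request layout with context["prompt_data"], and the sample requests are all assumptions made for the illustration.

```python
"""Added illustration for this issue thread (not authentik's code): a small
model of a policy binding whose "failure result" decides what a flow does when
the expression policy itself raises.  All names here (PolicyBinding,
evaluate_binding, run_stage, simulate) and the request layout are assumptions
made for the example."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple


@dataclass
class PolicyResult:
    passing: bool
    messages: List[str] = field(default_factory=list)


@dataclass
class PolicyBinding:
    """One policy attached to a stage.  `failure_result` is the verdict the
    binding reports if the policy crashes (assumed to mirror the binding-level
    setting the maintainer refers to; the real option name is not shown here)."""
    name: str
    policy: Callable[[Dict[str, Any]], bool]
    failure_result: bool = False  # False = "Don't pass" on error (fail closed)


def evaluate_binding(binding: PolicyBinding, request: Dict[str, Any]) -> PolicyResult:
    """Run the policy; if it raises, report the binding's configured verdict."""
    try:
        return PolicyResult(bool(binding.policy(request)))
    except Exception as exc:  # the policy raised: substitute the configured verdict
        verdict = "pass" if binding.failure_result else "don't pass"
        msg = f"{binding.name}: policy raised {type(exc).__name__}: {exc}; reporting {verdict}"
        return PolicyResult(binding.failure_result, [msg])


def run_stage(stage: str, bindings: List[PolicyBinding],
              request: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Execute `stage` only if every binding passes; return (executed, log)."""
    log: List[str] = []
    for binding in bindings:
        result = evaluate_binding(binding, request)
        log.extend(result.messages)
        if not result.passing:
            log.append(f"{stage}: blocked by {binding.name}")
            return False, log
    log.append(f"{stage}: executed")
    return True, log


# Constructed expression policy: only allow enrollment from a company domain.
# It assumes an earlier prompt stage filled request["context"]["prompt_data"]["email"];
# if that key is missing it raises KeyError instead of returning False.
def company_email_only(request: Dict[str, Any]) -> bool:
    return request["context"]["prompt_data"]["email"].endswith("@example.com")


def simulate(failure_result: bool, request: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Bind the policy to a (hypothetical) user-write stage and run it."""
    binding = PolicyBinding("company-email-only", company_email_only, failure_result)
    return run_stage("user-write", [binding], request)


# Constructed requests: a well-formed one, an outsider, and one where the
# email never reached the context (the situation that makes the policy raise).
GOOD_REQUEST = {"context": {"prompt_data": {"email": "alice@example.com"}}}
OUTSIDER_REQUEST = {"context": {"prompt_data": {"email": "mallory@evil.test"}}}
BROKEN_REQUEST = {"context": {}}  # prompt_data missing -> KeyError in the policy


if __name__ == "__main__":
    cases = [("good", GOOD_REQUEST), ("outsider", OUTSIDER_REQUEST), ("broken", BROKEN_REQUEST)]
    for label, req in cases:
        for fail_open in (True, False):
            executed, log = simulate(fail_open, req)
            print(f"{label:8} failure_result={fail_open!s:5} -> user-write executed: {executed}")
            for line in log:
                print("   ", line)
```

Running it shows the point both participants are making: with the binding's failure result set to pass, the broken request still reaches the user-write stage even though the policy never returned True, whereas with the failure result set to "don't pass" the same error blocks the stage and the error is logged.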
