41 changes: 41 additions & 0 deletions README.md
Expand Up @@ -126,6 +126,43 @@ Ignore if we get error message ccd-network already exists while running above co
> [!CAUTION]
> Some users of zsh 'Oh My Zsh' experienced issues.
> Try switching to bash by : `chsh -s /bin/bash`

**Important environment notes:**
- `OIDC_ISSUER` must be derived from a real access token for the target environment. Do not guess it from the public OIDC discovery URL.
- `CCD_CALLBACK_ALLOWED_HOSTS` is the comma-separated allow-list of HTTPS callback target hosts CCD services may call.
- `CCD_CALLBACK_ALLOWED_HTTP_HOSTS` is the comma-separated allow-list of HTTP callback target hosts CCD services may call.
- `CCD_CALLBACK_ALLOW_PRIVATE_HOSTS` controls whether callbacks to private or local hostnames are allowed for local development.

**How to derive `OIDC_ISSUER`:**
- Do not guess the issuer from the public discovery URL alone.
- Decode only the JWT payload from a real access token for the target environment and inspect the `iss` claim.
- Do not store or document full bearer tokens. Record only the derived issuer value.

Example:
```bash
TOKEN='eyJ...'
PAYLOAD=$(printf '%s' "$TOKEN" | cut -d '.' -f2)
python3 - <<'PY' "$PAYLOAD"
import base64, json, sys
payload = sys.argv[1]
payload += '=' * (-len(payload) % 4)
print(json.loads(base64.urlsafe_b64decode(payload))["iss"])
PY
```
- JWTs are `header.payload.signature`.
- The second segment is base64url-encoded JSON.
- This decodes the payload only. It does not verify the signature.
The following services in `ccd-docker` compose set both `IDAM_OIDC_URL` and `OIDC_ISSUER`:

| Service |
| --- |
| `ccd-data-store-api` |
| `ccd-definition-store-api` |
| `cpo-case-payment-orders-api` |
| `ts-translation-service` |
| `ccd-case-document-am-api` |

`VERIFY_OIDC_ISSUER=true` is not set in this repo's compose YAML. Use it only in service repos that include a live issuer verifier, where it enables a pre-check that fetches a real test token and fails fast if its `iss` claim does not exactly match `OIDC_ISSUER`.

To persist the environment variables in Linux/Mac run the following script
to add the script into your ~/.bash_profile.
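Review bot: the example's first line, `TOKEN='eyJ...'`, works against the bullet just above it ("Do not store or document full bearer tokens"): a real token pasted into that assignment is recorded in shell history. Suggest reading it without echo (`read -rs TOKEN`) or taking it from an already exported variable (`"${TOKEN:?set TOKEN first}"`) so the secret never appears on a command line. Two smaller points: the three bullets after the fence need blank lines before and after them to render as a list rather than running into the "The following services" sentence, and the decode step could exit non-zero with a short message when the payload has no `iss` claim instead of surfacing a KeyError traceback.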
Expand Down Expand Up @@ -835,6 +872,10 @@ Here are the important variables exposed in the compose files:
| USER_PROFILE_S2S_AUTHORISED_SERVICES | List of micro-services authorised to call this service, comma-separated, as registered in `service-auth-provider-api` |
| DATA_STORE_TOKEN_SECRET | Secret for generation of internal event tokens |
| APPINSIGHTS_INSTRUMENTATIONKEY | Secret for Microsoft Insights logging, can be a dummy string in local |
| OIDC_ISSUER | Enforced JWT issuer value used by services that validate IDAM access tokens. This must match the token `iss` claim for the target environment and should be derived from a real token, not guessed from the public discovery URL. |
| CCD_CALLBACK_ALLOWED_HOSTS | Comma-separated allow-list of callback target hosts that CCD services may call over HTTPS. Local defaults include `localhost`, `127.0.0.1`, and `host.docker.internal`. |
| CCD_CALLBACK_ALLOWED_HTTP_HOSTS | Comma-separated allow-list of callback target hosts that CCD services may call over HTTP. Use this only when local callback endpoints are intentionally served over plain HTTP. |
| CCD_CALLBACK_ALLOW_PRIVATE_HOSTS | Controls whether callback targets on private or local hostnames are allowed. This supports local development callbacks to host services outside the Docker network. |
| STORAGEACCOUNT_PRIMARY_CONNECTION_STRING | (If dm-store is enabled) Secret for Azure Blob Storage. It is pointing to dockerized Azure Blob Storage emulator. |
| STORAGE_CONTAINER_DOCUMENT_CONTAINER_NAME | (If dm-store is enabled) Container name for Azure Blob Storage |
| AM_DB | Access Management database name |
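Review bot: the `CCD_CALLBACK_ALLOW_PRIVATE_HOSTS` row says the variable "controls whether" private or local targets are allowed, which reads as a boolean flag, while `compose/backend.yml` in this same PR sets it to a host list. State the expected value shape in this row (true/false, or a comma-separated host allow-list) so operators do not copy the wrong form; the earlier "Important environment notes" bullet uses the same ambiguous wording and should match.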
8 changes: 8 additions & 0 deletions compose/backend.yml
Expand Up @@ -37,6 +37,8 @@ services:
DEFINITION_STORE_S2S_AUTHORISED_SERVICES: ccd_data,ccd_gw,ccd_admin,aac_manage_case_assignment,ccd_case_disposer
USER_PROFILE_HOST: http://ccd-user-profile-api:4453
IDAM_USER_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
IDAM_S2S_URL: "${IDAM_S2S_URL:-http://service-auth-provider-api:8080}"
REFORM_SERVICE_NAME: ccd-definition-store-api
REFORM_TEAM: ccd
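Review bot: `OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}` is the only unquoted `${...:-...}` value in this block; the neighbouring defaults are double-quoted. Quote it for consistency (`OIDC_ISSUER: "${OIDC_ISSUER:-http://idam:5000/o}"`); the identical line added to `compose/case-document-am.yml`, `compose/case-payment-orders.yml` and `compose/ts-translation-service.yml` has the same issue. A one-line comment explaining where the `/o` suffix in the default comes from would also help, since the README added in this PR tells readers not to guess the issuer from the discovery URL.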
Expand Down Expand Up @@ -83,6 +85,7 @@ services:
IDAM_USER_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}" # For backward compatibility with older images
IDAM_API_BASE_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
IDAM_S2S_URL: "${IDAM_S2S_URL:-http://service-auth-provider-api:8080}"
IDAM_OAUTH2_DATA_STORE_CLIENT_SECRET: idam_data_store_client_secret
REFORM_SERVICE_NAME: ccd-data-store-api
Expand All @@ -101,6 +104,11 @@ services:
MIGRATIONS_ENDPOINT_ENABLED: "${MIGRATIONS_ENDPOINT_ENABLED:-true}"
REFERENCE_DATA_API_URL: "${REFERENCE_DATA_API_URL:-http://ccd-test-stubs-service:5555}"
ROLE_ASSIGNMENT_URL: "${ROLE_ASSIGNMENT_URL:-http://am-role-assignment-service:4096}"
TEST_STUB_SERVICE_BASE_URL: "http://host.docker.internal:5555"
BEFTA_TEST_STUB_SERVICE_BASE_URL: "http://localhost:5555"
CCD_CALLBACK_ALLOWED_HOSTS: "localhost,127.0.0.1,host.docker.internal"
CCD_CALLBACK_ALLOWED_HTTP_HOSTS: "localhost,127.0.0.1,host.docker.internal"
CCD_CALLBACK_ALLOW_PRIVATE_HOSTS: "localhost,127.0.0.1,host.docker.internal"
### other env vars can be added here as needed #############
# ENABLE_CASE_GROUP_ACCESS_FILTERING: "true"
# DATA_STORE_TX_TIMEOUT_DEFAULT: 120 # in seconds
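Review bot: `CCD_CALLBACK_ALLOW_PRIVATE_HOSTS: "localhost,127.0.0.1,host.docker.internal"` looks like a copy of the line above it. The README in this PR describes the variable as controlling whether private-host callbacks are allowed, i.e. a boolean; if the data store parses it that way, this string will not evaluate to true and local callbacks stay blocked, and if it parses a host list instead, the README wording is wrong. Please confirm against the data-store implementation and align one of the two. Separately, `TEST_STUB_SERVICE_BASE_URL` and `BEFTA_TEST_STUB_SERVICE_BASE_URL` are hard-coded while every neighbouring URL uses the `${VAR:-default}` override pattern; consider the same pattern here.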
1 change: 1 addition & 0 deletions compose/case-document-am.yml
Expand Up @@ -8,6 +8,7 @@ services:
CASE_DOCUMENT_S2S_AUTHORISED_SERVICES: ccd_case_document_am_api,ccd_gw,xui_webapp,ccd_data,bulk_scan_processor,bulk_scan_orchestrator
IDAM_API_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
S2S_URL: http://service-auth-provider-api:8080
DM_STORE_BASE_URL: http://dm-store:8080
CCD_DATA_STORE_API_BASE_URL: http://ccd-data-store-api:4452
1 change: 1 addition & 0 deletions compose/case-payment-orders.yml
Expand Up @@ -12,6 +12,7 @@ services:
CPO_S2S_AUTHORISED_SERVICES: xui_webapp,payment_app
IDAM_API_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
S2S_URL: http://service-auth-provider-api:8080
# override default 'xui_webapp' permissions with values that support the FTA tests
S2S_AUTHORIZATIONS_XUI_ID: xui_webapp
1 change: 1 addition & 0 deletions compose/ts-translation-service.yml
Expand Up @@ -17,6 +17,7 @@ services:
TS_TRANSLATION_SERVICE_DB_PASSWORD: ${DB_PASSWORD}
IDAM_API_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
TS_TRANSLATION_SERVICE_S2S_AUTHORISED_SERVICES: xui_webapp,ccd_admin,ccd_definition
S2S_URL: http://service-auth-provider-api:8080
REFORM_SERVICE_NAME: ts-translation-service