17.4.1.13.1.2. Securing internal loginapp services

Security Advisory

Please read this section carefully. Failing to adequately protect internal services may result in insecure setups! 

After a remember-me cookie has been verified successfully, the user has an authenticated session and receives their roles from the database/directory (plus optional static roles from the configuration). This set of roles determines the access level to target applications and internal Loginapp services. Note that these are the same roles a user receives after an interactive login, so the roles alone do not reflect that the session was established from a cookie rather than from credentials.

  • Check whether "remember-me authentication" is an adequate security level for each target application. If not, make sure that access to the corresponding target applications requires additional roles that are only granted after stronger authentication (e.g. via 10.4. step-up).
     
  • Check whether "remember-me authentication" is an adequate security level for each internal Loginapp service. If not, restrict access to the corresponding services in Loginapp >> Application Settings >> Internal Services.
    • The following internal services should usually not be accessible after "remember-me authentication" alone (not a comprehensive list):
      • Password change self-service
      • Various token migration self-services (migrate to SMS, Cronto, etc.)
      • User profile self-service
      • Delete user self-service
      • User representation
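
The checks above can be modelled and audited in code. The following is an added example, not Loginapp code and not an Airlock API: it is a small role-based policy model in which the roles a remember-me session holds are compared with the roles each target application and internal service requires. All names (the AUTH_* levels, the "auth:password"/"auth:stepup" marker roles, the STATIC_ROLES set, the resource names and both policy tables) are hypothetical. The weak policy gates sensitive self-services only on a role that every user already gets from the directory or the static configuration, so a remember-me session reaches them; the hardened policy additionally requires a marker role that only an interactive login or a step-up grants.

```python
from dataclasses import dataclass

# Hypothetical authentication levels, weakest first.
AUTH_REMEMBER_ME = 1   # session restored from a remember-me cookie only
AUTH_PASSWORD = 2      # interactive password login
AUTH_STEP_UP = 3       # second factor completed (SMS, Cronto, ...)

# Hypothetical static roles from the configuration, added to every authenticated user.
STATIC_ROLES = frozenset({"customer"})

# Hypothetical marker roles granted by the authentication step itself, so that a
# policy can distinguish *how* the user authenticated, not only *who* they are.
AUTH_ROLES = {
    AUTH_REMEMBER_ME: frozenset(),
    AUTH_PASSWORD: frozenset({"auth:password"}),
    AUTH_STEP_UP: frozenset({"auth:password", "auth:stepup"}),
}

# Weak policy (constructed): sensitive services only require a role that users
# already hold from the directory/configuration, so remember-me is enough.
WEAK_POLICY = {
    "target:newsfeed": frozenset(),
    "target:payments": frozenset({"customer"}),
    "service:password-change": frozenset({"customer"}),
    "service:token-migration": frozenset({"customer"}),
    "service:user-profile": frozenset({"customer"}),
    "service:delete-user": frozenset({"customer"}),
    "service:user-representation": frozenset({"admin"}),
}

# Hardened policy (constructed): sensitive services additionally require a role
# that only a stronger authentication step grants.
HARDENED_POLICY = {
    "target:newsfeed": frozenset(),
    "target:payments": frozenset({"customer", "auth:stepup"}),
    "service:password-change": frozenset({"customer", "auth:password"}),
    "service:token-migration": frozenset({"customer", "auth:stepup"}),
    "service:user-profile": frozenset({"customer", "auth:password"}),
    "service:delete-user": frozenset({"customer", "auth:stepup"}),
    "service:user-representation": frozenset({"admin", "auth:stepup"}),
}


@dataclass
class Session:
    user: str
    auth_level: int
    directory_roles: frozenset = frozenset()

    def effective_roles(self) -> frozenset:
        """Roles from the directory + static configuration + authentication marker."""
        return self.directory_roles | STATIC_ROLES | AUTH_ROLES[self.auth_level]


def is_allowed(policy, session, resource) -> bool:
    """Deny resources the policy does not list; otherwise require every listed role."""
    required = policy.get(resource)
    if required is None:
        return False
    return required <= session.effective_roles()


def step_up(session) -> Session:
    """Session after a successful step-up: same identity, stronger auth level."""
    return Session(session.user, AUTH_STEP_UP, session.directory_roles)


def reachable_after_remember_me(policy, directory_roles=frozenset()) -> set:
    """Audit helper: every resource a remember-me-only session can reach."""
    probe = Session("audit", AUTH_REMEMBER_ME, frozenset(directory_roles))
    return {resource for resource in policy if is_allowed(policy, probe, resource)}


if __name__ == "__main__":
    alice = Session("alice", AUTH_REMEMBER_ME, frozenset({"customer"}))
    print("weak:    ", sorted(reachable_after_remember_me(WEAK_POLICY, alice.directory_roles)))
    print("hardened:", sorted(reachable_after_remember_me(HARDENED_POLICY, alice.directory_roles)))
    print("delete-user after step-up:", is_allowed(HARDENED_POLICY, step_up(alice), "service:delete-user"))
```

The audit helper is the part worth keeping when reviewing a real configuration: enumerate what a remember-me-only session can reach and compare the result with the list of services above. Note that under the hardened policy even a user with the directory role "admin" cannot reach user representation from a remember-me session, because the required "auth:stepup" marker is never part of the directory or static roles.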